Explore our journey to improved reliability with Teleport
VPNs have played a key role over the lifespan of our Lighthouse platform by ensuring that Probes and Hacker Alert Appliances (both hereafter referred to as appliances) were able to communicate securely.
While this has served us well, VPNs come with a set of issues that needed to be solved before we could offer reliable access to probes deployed in customers' networks.
The issues VPN solutions introduced into our application stack are as follows:
– regular updates to VPN configurations could cause VPN connectivity conflicts, a problem that compounds quickly across a large number of customer probes and appliances
– network configurations are complex both on the appliance side and on our platform, which makes it difficult to scale
– security is harder to maintain between our platform and appliances in the field, for example restricting who is allowed to control the platform and the appliances
– network connectivity is unreliable when customers have internet connection issues: VPNs take a long time to recover and add extra latency to both the network and the appliance, which makes the appliance slower at running its tasks. This means scans take much longer to update and to run, and are less reliable in delivering results.
For these reasons we had to produce a better, less complicated solution that was reliable: consistent, available, easily manageable and simple.
The solution, while simple, was complex to achieve and came after years of planning and experimentation, both to try solutions and to understand the problem and its challenges from a technical point of view.
We thus decided on Teleport to replace our reliance on a VPN as it ticked all our boxes in solving the issues we had to address:
- Regular updates are not a problem: the configuration and certificate management are simple, which makes any changes much easier to handle at scale
- There is no need to set up complex network layers, as this is simply abstracted away. This is a major benefit and a problem we solved, and its importance cannot be overstated.
- Teleport is a zero-trust security solution, which means access is only given to exactly who and what is necessary. It does not require any inbound network ports to be opened on appliances, since the appliance's agent connects outbound to the Teleport proxy, and it does not require bloated application layers.
- VPNs have a lot of overhead, both in network connectivity and in the resources of the system in use. Teleport is much lighter, so in essence it helped us solve the problem by removing it.
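As an added illustration (this is not Guardian360's configuration and not code from the original post), the two points above, no open ports on the appliance and access limited to who and what is necessary, map onto a Teleport agent configuration and an RBAC role. The agent dials out to the proxy and registers with a join token, so nothing has to listen on the appliance; the role then limits which users can reach nodes carrying a given label and which OS login they may use. The hostname `teleport.example.com`, the node name, the labels, the login and role names and the token path are assumptions for the example; the keys follow the Teleport v3 `teleport.yaml` format and the v7 role resource.

```yaml
# --- Agent configuration on an appliance (/etc/teleport.yaml): added example ---
# Hostname, node name, labels and token path are assumptions, not real values.
version: v3
teleport:
  nodename: appliance-01
  # The agent connects OUTBOUND to the proxy on 443 and keeps a reverse tunnel
  # open; no inbound port has to be opened on the appliance or the customer firewall.
  proxy_server: teleport.example.com:443
  join_params:
    method: token
    # One-time join token issued by the cluster. After joining, the agent holds a
    # short-lived host certificate that the cluster rotates automatically.
    token_name: /var/lib/teleport/join-token
ssh_service:
  enabled: true
  labels:
    role: probe        # used by the role below to scope access
    customer: acme     # assumption: one label per tenant, so roles can be scoped per customer
# Only the SSH agent runs on the appliance; no auth or proxy service lives here.
auth_service:
  enabled: false
proxy_service:
  enabled: false
---
# --- Least-privilege role on the cluster, created with `tctl create role.yaml` ---
kind: role
version: v7
metadata:
  name: probe-operator
spec:
  allow:
    # Only nodes labelled as probes are visible to, and reachable by, this role.
    node_labels:
      role: probe
    # Only this OS account may be used on the appliance.
    logins: [probeops]
  deny:
    # Deny wins over allow: no root login through Teleport even if another role grants it.
    logins: [root]
  options:
    # User certificates expire; operators re-authenticate instead of holding a
    # long-lived VPN credential.
    max_session_ttl: 8h
```

The join token is minted on the cluster with `tctl tokens add --type=node --ttl=1h` and copied to the appliance once; from then on the cluster renews the agent's host certificate, which is the certificate-management point above. A user holding `probe-operator` runs `tsh login --proxy=teleport.example.com` followed by `tsh ssh probeops@appliance-01`; a user without the role cannot even list the node, which is what "only give access to who and what is necessary" looks like in practice.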
This will all translate to less downtime for customers, faster recovery rates and even tighter security that is easier to maintain.
You can read more about the technical aspects of Teleport online (https://goteleport.com), but this summarises the benefits we gained from it and illustrates what a game changer it is for our tech stack, a benefit that will most definitely be passed on to our partners and end users.
This is but one of the benefits of our platform migration and one reason we are excited about delivering this feature. It should also illustrate the challenges one faces when creating complex systems that work effectively.
How does this affect appliances in the field?
In the past few weeks, all appliances have been upgraded with Teleport capabilities, allowing them to connect to our current platform deployment via VPN as well as to our new platform deployment via Teleport. The disk, CPU and memory requirements for appliances remain the same, so no extra storage or bandwidth is needed for this new connection method. Updating and monitoring of appliances will still be covered by the Guardian360 Site Reliability Engineers, and Apmon will still be available to our partners.