There are ways to use corporate VPNs in China that protect sensitive data while staying on the right side of China's cybersecurity laws.
Many people outside China are asking whether the government is going to shut down corporate VPNs of international companies with facilities in China. How will the new Chinese cybersecurity law affect foreign IT companies in the country? Is it safe to transfer information to and from China?
To answer, let's start with the Great Firewall of China (GFC), which has a significant impact on what information is allowed to move into and out of the country. The GFC is a combination of government policies and advanced telecommunications equipment operated by the main Internet service providers in China. It is intended to protect national security and the interests of China.
Its essential function is that of a filter: it specifies which packets can cross and which are blocked. Anyone who visits China can see it in action, as sites like Google, Facebook and Twitter are not reachable via the Chinese Internet.
But the GFC is much more than that. In addition to filtering specific URLs, it can block particular content or divert users to alternative sites. It also uses Deep Packet Inspection (DPI) to analyse traffic circulating into and out of China.
VPNs against China’s big firewall
However, the GFC cannot inspect encrypted content, such as the traffic inside IPsec tunnels. This is where the VPNs that are illegal under Chinese law come in: many such applications use encryption to reach content that is restricted in China.
VPNs conceal the traffic flowing through the GFC, making it look like a permitted exchange with a destination abroad that the GFC allows. Once tunnelled to that foreign location, the user can reach any content available on the Internet.
However, the GFC collects a lot of metadata: source and destination addresses, the volume of data flowing in each direction and, inferred from protocols and traffic patterns, the nature of the information being transmitted, such as web content or video streaming.
So it is only a matter of time until illegal VPNs are detected, their URLs and IP addresses blocked and the services shut down completely. Then new ones appear, more sophisticated and harder to locate, and the decade-long game of cat and mouse continues.
Corporate VPN networks against China’s big firewall
Multinationals install VPNs to link their Chinese sites to their other locations worldwide. These are not targeted as long as they are used to let employees inside and outside China communicate with each other and reach corporate SaaS and other applications for legitimate business purposes.
However, if these corporate VPNs run over the public Internet, they can be negatively affected by the GFC's operation. The GFC's network controls, combined with the vast number of Internet users in China, create heavy congestion, which translates into degraded connectivity.
There is also always the risk that corporate VPNs are mistaken for illegal VPNs, which would suggest that they are violating the new cybersecurity regulations or are subject to the ICP registration requirements.
The Chinese cybersecurity law requires that data produced in China which is personal (identity, bank accounts, etc.) or "important" (related to national security, economic development or the public interest) be kept within the country.
Thus a large, asymmetric volume of data leaving the country may raise concern. Conversely, a large, skewed volume of data entering the country may match the traffic pattern of an illegal VPN and trigger its termination.
Publishing web content or e-commerce functionality in China requires the ICP filing or ICP registration processes, respectively. Thus ports 80, 8080, 443 and 8443 are typically blocked, and with them any VPNs that use those ports, such as SSL VPNs.
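As an added illustration of the asymmetry point above (example code, not from the original article), the following script summarises constructed flow records per destination and flags destinations whose byte volume is large and almost entirely outbound. The record format, the sample addresses and the threshold values are assumptions made for the example, not regulatory figures; a network team could run the same logic over its own exported flow data to understand the traffic profile of its corporate VPN before a carrier or regulator draws its own conclusions from it.

```python
"""Per-destination traffic asymmetry report for a corporate VPN egress.

Added example, not taken from the article or any vendor's tooling.
Assumes flow records as comma-separated lines with the bytes counted
in each direction; thresholds below are illustrative assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample records: src,dst,dst_port,bytes_out,bytes_in
# (bytes_out = leaving the Chinese site, bytes_in = arriving at it).
SAMPLE_FLOWS = """\
# SaaS usage: mostly inbound, small volume
10.1.0.5,203.0.113.10,443,52000,4800000
10.1.0.5,203.0.113.10,443,61000,5200000
# IPsec tunnel (IKE on 500, NAT-T on 4500): large and almost all outbound
10.1.0.8,198.51.100.7,500,900000000,1200000
10.1.0.8,198.51.100.7,4500,400000000,800000
# Balanced, low-volume exchange
10.1.0.9,192.0.2.30,8443,15000,16000
"""


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    bytes_out: int
    bytes_in: int


def parse_flows(text):
    """Parse the simple CSV-like flow format; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port, out_b, in_b = line.split(",")
        flows.append(Flow(src, dst, int(port), int(out_b), int(in_b)))
    return flows


def outbound_share(flows):
    """Map each destination to the fraction of its total bytes that left
    the site: 0.0 means all inbound, 1.0 means all outbound."""
    out_tot = defaultdict(int)
    in_tot = defaultdict(int)
    for f in flows:
        out_tot[f.dst] += f.bytes_out
        in_tot[f.dst] += f.bytes_in
    shares = {}
    for dst in out_tot:
        total = out_tot[dst] + in_tot[dst]
        shares[dst] = out_tot[dst] / total if total else 0.0
    return shares


def flag_asymmetric(flows, min_bytes=100_000_000, max_out_share=0.9):
    """Return destinations (sorted) that moved at least min_bytes in total
    and whose outbound share is at or above max_out_share. Both limits are
    assumed values for this example; tune them to the site's normal profile."""
    totals = defaultdict(int)
    for f in flows:
        totals[f.dst] += f.bytes_out + f.bytes_in
    shares = outbound_share(flows)
    return sorted(
        dst for dst, share in shares.items()
        if totals[dst] >= min_bytes and share >= max_out_share
    )


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for dst, share in sorted(outbound_share(flows).items()):
        print(f"{dst:>15}  outbound share {share:6.1%}")
    print("flagged:", flag_asymmetric(flows))
```

The report deliberately works on direction and volume only, which is exactly the metadata the article says survives encryption; a destination that shows up as flagged is a candidate for moving onto a licensed carrier service or for hosting the application locally, as the compliance section below discusses.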
How to comply with China’s VPN regulations
What can a multinational do to keep its corporate VPNs operating and compliant with Chinese law? Below are some alternatives and suggestions.
Companies should consider a Dedicated Internet Access (DIA) service rather than the consumer-grade xDSL / xPON / HFC Internet services in China. This reduces the performance impact of the congestion and processing delays that occur in the lower layers of the GFC.
Where possible, it is advisable to host an instance of critical business applications, including those that need high performance for a good end-user experience, in private data centres or in a public cloud environment located in China.
Multinationals need to work directly with Internet service providers and telecom carriers that are authorised to provide corporate VPN services. This gives a level of transparency: the Chinese government knows the actual end user of the service and the nature of the business.
Newer technologies such as SD-WAN tunnels from licensed providers suffer minimal performance impact from GFC controls and can provide access to SaaS and public cloud services hosted outside China for internal business use.
High-quality private network VPN solutions such as MPLS do not pass through the GFC filters, but they should only be used by companies operating domestically and must adhere to Chinese cybersecurity regulations. Note: it is illegal to resell VPN services in China without government authorisation. Carriers often buy MPLS from licensed providers and terminate it at a location outside mainland China, usually Hong Kong or Tokyo, where they integrate it with their own networks. This architecture, however, is neither optimal nor entirely transparent to the government.
It is therefore advisable to build corporate VPNs, whether Internet-based, SD-WAN or MPLS, from Chinese sites to headquarters, data centres and/or cloud environments using authorised providers, so as to ensure compliance with regulatory requirements and the continuity of the business.