Upcoming Changes to VPN Infrastructure will Include Some Fundamental Upgrades to VPN Security.
After patching for the Heartbleed bug (CVE-2014-0160), our staff met to discuss the true impact of Heartbleed on OpenVPN. We studied how all of the top VPN services reacted and reviewed their planned upgrades to enhance their security. The consensus from the meeting was that our current network policies were as good as or better than any of the VPN services reviewed, but there was still room for improvement. Putting LiquidVPN on the bleeding edge of network security will cause some interruption to our users' service and will result in a 50% increase in the cost of infrastructure. The interruption in service will mostly affect users who are not using Liquid Viscosity. The increased cost of infrastructure will be partially offset by an increase in subscription prices later this year. We do not know what the final price will be yet, because it depends more on real-world scalability and less on what sales reps and white papers are projecting. Some of the changes being implemented and a timeline are below. Some of our planned long-term changes are estimates only, and more detailed information will be released later.
Server Security & VPN Infrastructure Enhancements Coming Online in May and June
- A completely re-compiled Gentoo kernel and OpenVPN build is in alpha testing. Tweaks include changing how OpenVPN runs within Gentoo to further lock down the OpenVPN process, and incorporating Open vSwitch into our stack.
- Revoking our current Certificate Authority, which has been running on a virtual machine on a locally secured server that stayed mostly offline, and replacing it with an air-gapped (non internet connected) root CA plus an Intermediate Certificate Authority that issues the certificates.
- Standardize our OpenVPN configurations across all of our servers.
- Increase the RSA server keys and Diffie-Hellman parameters from 2048-bit to 4096-bit.
- Change the Perfect Forward Secrecy key renegotiation interval on our VPN clusters from 60 minutes to 30 minutes or less, to further minimize the impact of any Heartbleed-like bugs: a session key exposed by such a bug is then valid for a shorter window.
- Add support for additional ciphers. AES-256-CBC will still be the default cipher on our servers but users will be allowed to choose from a few different ciphers. We are still testing different options.
- Upgrades to DNS will be made. Non-logging DNS servers will be selected based on server location.
- LiquidIPS will be rolled out to the rest of the network.
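To make the standardization above checkable across servers, here is an added audit script (not LiquidVPN's own tooling) that flags an OpenVPN server config drifting from the stated baseline: reneg-sec above 1800 seconds, a cipher other than AES-256-CBC, or a missing or undersized dh parameter file. The sample config and file names in it are constructed for the demo.

```shell
#!/bin/sh
# Added audit for the OpenVPN baseline listed above: reneg-sec at or below
# 1800 s, AES-256-CBC as the cipher, and a 4096-bit dh parameter file.
# One FAIL line is printed per deviation; WARN marks what could not be checked.

# cfg_get FILE DIRECTIVE -> first value of DIRECTIVE, empty if absent
cfg_get() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

audit_conf() {
    conf="$1"

    # OpenVPN's built-in default is 3600, so an absent directive also fails.
    reneg=$(cfg_get "$conf" reneg-sec)
    if [ -z "$reneg" ] || [ "$reneg" -gt 1800 ]; then
        echo "FAIL reneg-sec: ${reneg:-unset} (want 1800 or less)"
    fi

    cipher=$(cfg_get "$conf" cipher)
    [ "$cipher" = "AES-256-CBC" ] ||
        echo "FAIL cipher: ${cipher:-unset} (want AES-256-CBC)"

    # The DH bit length lives in the PEM file, not the config; ask openssl.
    dh=$(cfg_get "$conf" dh)
    if [ -z "$dh" ]; then
        echo "FAIL dh: no parameter file configured"
    elif [ ! -r "$dh" ]; then
        echo "WARN dh: $dh not readable here, bit length unchecked"
    elif ! openssl dhparam -in "$dh" -noout -text 2>/dev/null | grep -q '4096 bit'; then
        echo "FAIL dh: $dh is not 4096-bit"
    fi
}

# Constructed sample config (not a real LiquidVPN file): the cipher is right,
# but reneg-sec is still the old 60 minutes and dh still points at 2048-bit.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
port 1194
proto udp
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh2048.pem
cipher AES-256-CBC
reneg-sec 3600
EOF

audit_conf "$SAMPLE_CONF"
```

Run it against each server's config after the rollout; a clean run prints nothing but at most a WARN line when the dh file is not on the auditing host.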
VPN Infrastructure and Service Enhancements Coming Online Later this Year
- Upgrade the last of our standalone servers (Germany, NL, UK and UK2) to 3-node high-availability clusters like the ones used in our locations that support IP modulation. The standalone servers will still only provide shared IP addresses.
- Develop our own OpenVPN application in-house.
- Develop a configuration generator so that users can take VPN security into their own hands by building unique configurations and scripts for their device, selecting their desired ciphers, ports and locations.
VPN Security and Infrastructure Enhancements that are being Evaluated
LiquidVPN is now at a crossroads. We can go one of two ways when it comes to infrastructure: we can continue to focus on adding new clusters in new locations, or we can take VPN security and performance to the next level. That means we can either set up 3-node clusters all over, or expand to fewer areas and add multiple clusters in the best data centers.
The first path will perform well until USA broadband speeds start to catch up with the broadband speeds of many EU countries. The second option would (in theory) allow us to use a distributed file system like Ceph/GlusterFS and to use drive encryption without hurting node performance. We have not tested the second option yet, but it is the next major project after the updates coming at the end of May or early June.
It is a very exciting time for LiquidVPN. Our wonderful users have really been spreading the word about our service in 2014. We will continue to push the envelope and blend enterprise technology within our service provider framework wherever it will provide an advantage.