Correcting Issues with Cloud Access Security Brokers/Cloud Firewalls (e.g. Zscaler and Netskope)
Author: Eric Vasbinder
Cloud-based content security solutions such as Netskope and Zscaler can give organizations a robust way to limit data exposure to third parties by blocking the sending of sensitive data to external destinations. They also give corporate IT departments visibility into HTTPS-encrypted communications so that corporate policies can be enforced. These tools have become more common as "zero trust" security models have been adopted more widely.
Unfortunately, the current technology of these cloud content security solutions (a.k.a. "cloud firewalls") can significantly degrade the use of Trimble Viewpoint's cloud solutions. We therefore strongly recommend the mitigations described below to ensure our cloud solutions are not negatively impacted. Read on for more details.
Because of the way these solutions operate, they take network traffic to and from the corporate network and route it through a sometimes circuitous path within the cloud firewall vendor's infrastructure. Remember, these tools route all HTTPS and HTTP traffic through the vendor's cloud network, decrypt your traffic to scan it for problematic data disclosures and embedded threats, and then re-encrypt the traffic for delivery to its final destination. In the process they also modify the origination IP addresses of various parts of the network traffic and can change certain elements of the network packet envelopes within which this data resides.
As such, a number of negative results can occur from the use of these solutions:
They significantly increase network latency to and from our cloud environments.
This is caused by the measurable increase in the number of network hops that traffic must take, as well as the processing time within the vendor's infrastructure.
They modify the origination IP address of various portions of network traffic.
They invalidate certain aspects of other security solutions such as digital certificate-based traffic signing.
As a result of these disadvantages, the following negative impacts on our Trimble Viewpoint cloud solutions are seen:
Increased network latency results in measurable decreases in Vista VRL performance.
For example, for every 5 to 10 ms of increased latency, an additional 1-2 seconds of lag will be observed when moving from line to line in a data entry grid form in Vista over VRL.
The TLS Database Endpoint (TLS VPN) Will Break
The change to the origination IP address breaks our ability to whitelist traffic by IP address and thus prevents the TLS endpoint from working at all. You will only be able to use the IPSEC VPN option, which can be more difficult to set up and is not as flexible.
Use of Our RDP Terminal Services Technology Becomes Impossible
Because these cloud content security solutions invalidate the digital signatures on network traffic, they prevent RDP terminal services from correctly authenticating users into our RDP terminal servers. Though this is less impactful for customers in our modern TC 1/VP1 (VRL-based) clouds, it can still affect end users who use RDP in those clouds for performance reasons, and it completely blocks functionality for users in our legacy clouds that rely on RDP extensively, such as VEC RDP and VFC.
The only meaningful way to address these difficulties is to exempt all traffic destined for the Trimble Viewpoint cloud from being routed through these cloud content security/firewall solutions. Two elements should therefore be whitelisted to prevent traffic to and from our cloud from being scanned by these solutions:
Whitelist Traffic to/from NAT Gateway Static IP
Environments in our cloud can be configured to have a NAT gateway. This NAT gateway is designed to have a single, static, public IP address through which all traffic for that environment is intended to proceed.
Please reach out to your cloud support or transformation team at Trimble Viewpoint to find out which IP address has been assigned to your environment. Once you have identified it, please whitelist it within your content security solution.
If you are informed that you do not yet have a NAT gateway, please submit a cloud support or transformations case to have a NAT gateway put in place with a static, public IP address.
Whitelist Traffic to/from Trimble Viewpoint Cloud Domains
Please work with your cloud content security/firewall vendor to whitelist traffic to and from the following wildcard domains:
*.viewpointforcloud.com
*.viewpoint.com
*.viewpointdata.cloud
Please NOTE: All traffic on all ports to and from these domains should be exempted from scanning if it is intended to go to or from our cloud.
Once these steps have been followed, you should be able to use our cloud technologies effectively. In addition, you should see a small but measurable increase in performance due to the more direct routing of your traffic to our cloud.
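As an added illustration of the two whitelisting steps above (this is not Trimble Viewpoint's configuration nor any vendor's, and it is written by the editor), here is a proxy auto-config (PAC) file that returns DIRECT for the three wildcard domains and for the NAT gateway address, so that proxy-aware clients send that traffic straight to the cloud instead of through the inspecting proxy. It assumes your cloud firewall client honours a PAC bypass; the proxy address, the NAT gateway IP (RFC 5737 documentation range) and the decision to also match the bare apex domain are the editor's placeholders and choices. The shims for shExpMatch and isInNet exist only so the file can be exercised under Node; browsers and proxy clients provide those functions themselves.

```javascript
// Added example PAC file (not Trimble Viewpoint's or any vendor's configuration).
// Traffic for the Trimble Viewpoint cloud domains and the environment's NAT
// gateway address is sent DIRECT, i.e. around the cloud firewall; everything
// else still goes through the inspecting proxy.

// --- Shims for standard PAC helper functions --------------------------------
// Real PAC engines supply these natively; the shims only make the file testable.
function shExpMatch(str, shexp) {
  // Translate a shell glob (* and ?) into an anchored, case-insensitive regex.
  const re = "^" + shexp.replace(/[.+^${}()|[\]\\]/g, "\\$&")
                        .replace(/\*/g, ".*")
                        .replace(/\?/g, ".") + "$";
  return new RegExp(re, "i").test(str);
}

function isInNet(host, pattern, mask) {
  // Real engines resolve `host`; this shim only handles dotted-quad literals.
  const toInt = (ip) => {
    const parts = ip.split(".");
    if (parts.length !== 4) return null;
    let n = 0;
    for (const p of parts) {
      if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
      n = (n << 8) | Number(p);
    }
    return n >>> 0;
  };
  const h = toInt(host), p = toInt(pattern), m = toInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- The PAC logic ----------------------------------------------------------
// Placeholders: replace with your cloud firewall's proxy address and the static
// public IP that Trimble Viewpoint assigned to your environment's NAT gateway.
const CLOUD_FIREWALL = "PROXY gateway.cloudfirewall.invalid:443";
const NAT_GATEWAY_IP = "203.0.113.10"; // placeholder, RFC 5737 documentation range

// The wildcard domains listed in the article.
const BYPASS_DOMAINS = ["*.viewpointforcloud.com", "*.viewpoint.com", "*.viewpointdata.cloud"];

function FindProxyForURL(url, host) {
  const h = host.toLowerCase();
  for (const pattern of BYPASS_DOMAINS) {
    // The wildcard covers subdomains; matching the apex (pattern without "*.")
    // is an added design choice so that e.g. "viewpoint.com" itself goes direct.
    // Anchored matching means look-alikes such as "notviewpoint.com" or
    // "viewpoint.com.evil.example" are still inspected.
    if (shExpMatch(h, pattern) || h === pattern.slice(2)) return "DIRECT";
  }
  // The NAT gateway is a single address, so a full /32 mask matches it exactly.
  if (isInNet(h, NAT_GATEWAY_IP, "255.255.255.255")) return "DIRECT";
  // Everything else is still routed through the cloud firewall.
  return CLOUD_FIREWALL;
}
```

A PAC file only steers proxy-aware HTTP(S) clients. RDP and the TLS database endpoint are not browser traffic, so the same domains and the NAT gateway IP must also be excluded in the vendor's own traffic-steering or bypass configuration, which is what makes the "all traffic on all ports" exemption above actually hold.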
changelog
Friday, 09 June 2023 at 09:40AM:
Initial posting.