How to use VPNs in China without breaking the law

There are ways to use corporate VPNs in China to protect sensitive data and not run afoul of China’s cybersecurity laws

A lot of people outside China ask whether the government there is going to shut down the corporate VPNs of international companies with facilities in China. How will the new Chinese cybersecurity law impact foreign IT operations in the country? Is it safe to transfer information into and out of China?

To answer, let’s start with the Great Firewall of China (GFC), which has a big impact on what information is allowed to move in and out of the country. The GFC is a combination of government policies and advanced telecom equipment deployed by the main Internet Service Providers in China. Its stated purpose is to safeguard the national security and best interests of China.

Its basic function is that of a filter. It determines which packets can traverse it and which are blocked. Anybody visiting China can see it in action, as sites like Google, Facebook and Twitter are not accessible via the Chinese Internet.

But the GFC is much more than that. Besides filtering specific URLs, it can also block specific content or divert users to alternative sites. Moreover, it uses Deep Packet Inspection (DPI) technologies to analyze traffic flowing in and out of China.

VPNs vs The Great Firewall of China

However, the GFC cannot inspect encrypted payloads, such as the contents of IPsec tunnels. That is where VPNs that are illegal under Chinese law come into play: many applications use encryption to reach content that is restricted in China.

VPNs disguise the traffic flowing through the GFC, making it look like permitted information exchange with foreign destinations that the GFC allows. Once the traffic is tunneled to those foreign endpoints, users can reach any web content available on the global internet.

Nonetheless, the GFC collects a lot of metadata: source and destination addresses, the quantity of data flowing in each direction and, from protocols and traffic patterns, inferences about the nature of the traffic (web content, voice communications, video streaming and so on).

Therefore, it is only a matter of time until illegal VPNs are pinpointed, their URLs and IP addresses are blocked, and they are shut down completely. But then new ones appear, more sophisticated and harder to track down. And so a decades-old cat-and-mouse game continues.

Corporate VPNs vs The Great Firewall of China

Multinationals set up VPNs to connect their Chinese locations with other global locations. They are not targeted if they are used to enable employees inside and outside of China to communicate among themselves and to access corporate and SaaS applications for legitimate business purposes.

However, if these corporate VPNs run over the Public Internet they can be negatively impacted by the GFC’s workings. The network controls applied by the GFC combined with the sheer quantity of Internet users in China creates a lot of congestion, which translates into degraded connection performance.

Besides, there is always the risk of corporate VPNs being mistaken for illegal VPNs, flagged as potentially breaching the new cybersecurity regulations, or affected by internet content provider (ICP) registration requirements.

The Chinese cybersecurity law requires all data generated in China that is private – personal ID, bank accounts, etc. – or “important” – related to national security, economic development or public interest – to remain within the boundaries of the country. 

Thus, a high volume of asymmetric data leaving the country might raise data-export concerns. Conversely, a high volume of asymmetric data entering the country might match the traffic patterns exhibited by illegal VPNs and trigger a shutdown.
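To make the two preceding points concrete, here is an added example (not code from the original article, and not the Great Firewall's actual logic) of the kind of flow-metadata heuristic a traffic-analysis system can apply: it labels each flow by inferred nature from port and protocol, measures the byte ratio between directions, and then flags source hosts with bulk outbound volume (the data-export concern) or heavy inbound volume over unrecognised protocols (the illegal-VPN-like pattern). The flow records, port labels and thresholds are all constructed assumptions for illustration.

```python
# Added example: simplified flow-asymmetry heuristic over constructed
# NetFlow-style records. Port labels and thresholds are assumptions for
# illustration only; they are not the Great Firewall's real rules.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # host inside the country
    dst: str        # host outside the country
    dport: int
    proto: str
    bytes_out: int  # bytes leaving the country
    bytes_in: int   # bytes entering the country


# Assumed port/protocol labels; a real system would add DPI, not ports alone.
PORT_LABELS = {
    (80, "tcp"): "web", (443, "tcp"): "web",
    (500, "udp"): "ipsec-ike", (4500, "udp"): "ipsec-nat-t",
    (1194, "udp"): "openvpn", (1194, "tcp"): "openvpn",
}

# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    Flow("10.1.1.10", "203.0.113.5", 443, "tcp", 120_000, 9_800_000),          # ordinary web browsing
    Flow("10.1.1.11", "198.51.100.7", 500, "udp", 2_000_000, 2_100_000),       # site-to-site IPsec, symmetric
    Flow("10.1.1.12", "192.0.2.9", 8443, "tcp", 1_500_000_000, 40_000_000),    # bulk upload on unknown service
    Flow("10.1.1.13", "192.0.2.20", 12345, "udp", 30_000_000, 6_000_000_000),  # bulk download on unknown service
]


def direction_ratio(flow: Flow) -> float:
    """Ratio of the larger direction to the smaller (always >= 1.0)."""
    hi = max(flow.bytes_in, flow.bytes_out)
    lo = min(flow.bytes_in, flow.bytes_out)
    return hi / max(lo, 1)


def classify(flow: Flow, ratio_threshold: float = 10.0) -> dict:
    """Label one flow by inferred nature and by direction asymmetry."""
    nature = PORT_LABELS.get((flow.dport, flow.proto), "unknown")
    ratio = direction_ratio(flow)
    if ratio < ratio_threshold:
        shape = "symmetric"
    elif flow.bytes_in > flow.bytes_out:
        shape = "asymmetric-in"    # mostly data entering the country
    else:
        shape = "asymmetric-out"   # mostly data leaving the country
    return {"src": flow.src, "dst": flow.dst, "nature": nature,
            "ratio": round(ratio, 1), "shape": shape}


def flag_hosts(flows, egress_limit: int = 1_000_000_000) -> dict:
    """Aggregate per-source totals and raise two flags:
    bulk-egress: total outbound above egress_limit (assumed 1 GB here);
    tunnel-like-ingress: inbound on unrecognised services dwarfs outbound."""
    totals = defaultdict(lambda: {"bytes_out": 0, "bytes_in": 0, "unknown_in": 0})
    for f in flows:
        t = totals[f.src]
        t["bytes_out"] += f.bytes_out
        t["bytes_in"] += f.bytes_in
        if (f.dport, f.proto) not in PORT_LABELS:
            t["unknown_in"] += f.bytes_in
    result = {}
    for src, t in totals.items():
        flags = []
        if t["bytes_out"] > egress_limit:
            flags.append("bulk-egress")
        if t["unknown_in"] > 0 and t["unknown_in"] > 10 * t["bytes_out"]:
            flags.append("tunnel-like-ingress")
        result[src] = {**t, "flags": flags}
    return result


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        print(classify(f))
    for src, info in flag_hosts(SAMPLE_FLOWS).items():
        print(src, info["flags"])
```

The takeaway for a corporate network team is that a legitimate site-to-site tunnel looks like the second flow: a recognised protocol with roughly balanced volume in each direction, which neither heuristic flags. The third and fourth flows are what draws attention even without any inspection of the encrypted payload.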

Making web content available or running e-commerce operations in China requires going through ICP filing or ICP registration, respectively. Thus ports 80, 8080, 443 and 8443 are normally blocked on hosts that have not completed it, and so are VPNs that use those ports, such as SSL VPNs.

How to comply with China’s VPN regulations

So what can multinational corporations with operations in China do to ensure the continued operation of their corporate VPNs and their compliance with Chinese regulations? Below are a few alternatives and suggestions.

Companies should consider a dedicated internet access (DIA) service as opposed to standard xDSL/xPON/HFC internet service in China. This would reduce the impact on performance caused by congestion and processing delays that occur at the lowermost layers of the GFC.

When possible, it is always advisable to consider hosting an instance of business-critical applications, including those that require a high level of performance for end user experience, within private data centers or public cloud environments located inside China.

Multinational corporations should work directly with ISPs and telecom carriers that are authorized to provide corporate VPN services. This provides a level of transparency so the Chinese government knows the actual end user of those services and the nature of the business.

New technologies like SD-WAN-based tunnels from authorized providers are subject to minimum performance impact from GFC controls and can allow access to multiple SaaS and public cloud services hosted outside of China for internal business use.

High-end private network solutions like MPLS do not pass through the GFC filters, but they must be used only for internal business and must adhere to Chinese cybersecurity regulations. Note: reselling VPN services in China without government authorization is illegal.

Global carriers often buy MPLS services from authorized providers and terminate them at some location outside mainland China, typically Hong Kong or Tokyo, where they integrate them with their own networks. However, this architecture is neither optimal nor fully transparent to the government.

Therefore, it is advisable to deploy corporate VPNs, whether Internet-based, SD-WAN or MPLS, from Chinese locations all the way to corporate headquarters, data centers and/or public cloud environments, using authorized providers to ensure regulatory compliance and business continuity.

Jacinto Cordero is a Regional Sales Manager for China Telecom Americas and before that worked as Solutions Sales Expert for Huawei Technologies.
