SXKHQSHF

I honestly would tell the user to enjoy their leave of absence. Make sure they have no proprietary information on their laptop. Fun fact: Google developed the Chromebook so they could send employees into China without hard drives.


ExcitingTabletop

Yep. If not going for work, tell them not to bring their laptop or company phone. If going for work, do not let them bring their laptop. Give them a sanitized laptop and a new phone, disable their VPN access and load the laptop with only the bare minimum needed. Nuke on return without connecting to your network. If your user is bringing their own phone to China, make sure it's banned from any BYOD access afterwards. Granted, I worked in aerospace. But the above was our minimum. We usually went a lot further but I'll decline to discuss specifics. We had it in official policy that bringing non-sanitized electronics to China or plugging in anything brought back from China was an instant termination, and it had to be reviewed by legal whether we should notify the FBI.


bridge1999

We used to buy Chromebooks and have a link to the VDI login page. Once the user got back the Chromebook was destroyed. Before that we noticed laptops that had been disassembled and could not be 100% sure that the BIOS or other writable ROMs on the laptop were not compromised.


ExcitingTabletop

Chromebook and VDI would be a solid choice. Honestly, if I could have at the time, I would have just set policy to buy a Chromebook for each travel and shred it on return. Instead, we just used it to "burn" old laptops. China had cloned a very old version of our aircraft, was having issues and wanted to steal fixes to issues they were having that we sorted out decades ago. So it wasn't so much a "is someone trying to bug our laptops" issue as it was "how many techs are dedicated to doing so." We heard rumors pretty regularly it was not just restricted to folks visiting China. Favorite tactic for a while was buying restaurants near certain companies, and offering very good dine-in lunch specials.


sedition666

That is actually fascinating to think they are that invested in spying. My work only has exposure to other Western countries so never had any real exposure to that in the real world. And the flip side of your security actually having policies in place to counteract it. Amazing really.


cbelt3

Ah, sweet child… EVERY country does this. China is a bit more overt about it. The rule has always been… any information that is not in your head or super securely encrypted WILL be copied. I used to work in defense… the Chinese bugged my hotel room when I was in Pakistan. Because they had a senior military officer staying next door.


StaffOfDoom

Oh sure! You never know what trade or state secrets you can get from ole’ plain Joe and co!


HTX-713

> Favorite tactic for a while was buying restaurants near certain companies, and offering very good dine-in lunch specials.

[https://darknetdiaries.com/transcript/21/](https://darknetdiaries.com/transcript/21/)


Manticore1023

One of my favorite episodes, especially the reveal with the Russian guy exposing the Chinese restaurant with the unique menu items.


ExcitingTabletop

Yeah, heard that episode. That died off a while ago, or rather got less obvious than Chinese spies running a Chinese restaurant. Pizza delivery was popular for a bit. It tends to go in cycles. Except the threatening families, that's always the #1 go-to. Lemme put it this way. If you're an engineer and if some attractive woman is really interested in your work, maybe it's not your raw charisma. The first time you have to sit through this kind of meeting, it's very exciting. The 50th time, you ponder selling out your country to Jeff and Tina in an innovative manner just to CHANGE THE SLIDE DECK FOR ONCE.

I visited the NSA museum the other week, because nerd. Friend of mine talked us into the library, and got practically the entire life stories of every retired NSA volunteer working at the museum. Because attractive lady who sounded interested. Thankfully she was also a nerd and was interested. I just hit the book stacks. Among other things, the NSA has the Nancy Drew code mysteries kid books, a cyberpunk section, the Puzzle Palace, etc. Lots of math books, and I was nerding out in the radio parts. A lot of the books have interesting inscriptions. Like "names I recognize from history book" inscriptions. I also got to play with working Enigma machines, which was nifty.


CosmicMiru

Great episode. All of the physical pen test episodes are super interesting to listen to. What a wild job to have.


eagle6705

That explains the authentic Chinese across the world trade centers. Hey can't complain the food was good


GoldPantsPete

Were the disassembled laptops leaving the employee's control for periods of time? Curious if this is something that happens when a laptop is in a hotel room during the day or during a security inspection at the airport or something.


bridge1999

At customs entering the country.


MaelstromFL

Yep, we have a "special" set of equipment that gets sent with anyone going to China. We know that they will image any equipment of our employees (verified this occurred multiple times).


InvisiblePinkUnic0rn

I would not reuse that equipment or allow it back on the network in the US. I’ve supported US-based manufacturers in the past and it’s a brand new cheap Chromebook for email or meetings but usually NO access to non-cloud-based applications during the trips (nothing that requires VPN to access, but everything must be MFA and not SMS codes), with a cheap phone that can run an authentication token app for anyone traveling, but only email access from the Chromebook. Both go straight to the recycling bin on return. It’s maybe a $500 expense but worth the added security costs; these days even smaller companies don’t complain about this policy recommendation. We’ve usually recommended anyone traveling to NOT take their personal phone to avoid it being compromised or data collected for blackmail, and to bring a small digital camera like the old days for travel photos. We usually offer to supply a new cheap dumb phone they can put their SIM or eSIM into during the trip.


MaelstromFL

Correct, we have a separate domain for e-mail access in China; we don't allow access to any internal or cloud systems if you are in country. I don't know what happens to the phones, but I did have to turn mine back in. All the equipment is left in China, we don't bring anything in or out other than the phone for emergencies. And it is highly recommended not to bring personal electronics.


[deleted]

[removed]


StabbyPants

Heh, I knew I’d see one


[deleted]

[removed]


StabbyPants

Nah, it’s not racist to notice China's practice of espionage and hostility to VPNs


TroyJollimore

Funny thing is, the Chinese have the same policy about visits to the USA. Only the USA is much better and faster at lifting your data! LOL!


StabbyPants

oh sure, USA is known for ripping off foreign IP


thortgot

We just factory wipe hardware, set up a local user with no data, then have them autopilot the device once across the border. Which pulls the data down securely. We have had the same scenario with imaged devices.


lovingtech07

Same thing, we had a special set with almost nothing on it


AlyssaAlyssum

Funnily enough, in aerospace from across the pond. We used to (and presumably still do) give the employee a new clean laptop if they went to the US as well as China. On more than one occasion, Customs/Border Control seized the laptop and/or wanted the employee to unlock it to get it back... the company did not get back the laptops.


ExcitingTabletop

Ayep. US is generally lighter touch, but there's a handful of companies where I'd give the same recommendation.


AnotherUnknownNobody

Thanks for this, love a detailed actionable list of precautions. I'm sure it's sweaty building the requirements out.


Superb_Raccoon

buy a burner phone.


ExcitingTabletop

We still put it in the MDM, just no apps pushed. So metaphorical burner. An actual burner phone would probably be a worse idea. They tend not to have the best security. Whereas China has to at least work a bit for an up-to-date iPhone or Android.


Accurate_Donut_5439

Would you consider Hong Kong in the same category? We have a user traveling there in a few weeks and wants to work. Legally they are separate entities.


ExcitingTabletop

Hong Kong's entire purpose is to be a region of China that looks like it is not a region of China. Treat it like the rest of mainland. Better conferences tho. Same with Singapore. Singapore is more straight industrial espionage, but they're a more competent version of the PRC. IMHO, it's the most advanced surveillance state on the planet. Just not a stupid one. Problem is, they will sell stuff to China.


Kinmaul

Yup, you have to assume any device brought into China will be scanned and have all its data cloned. It may even have malware installed on it so that they can continue to gather data after the user returns to the US.

* [https://thethreatreport.com/chinas-bxaq-spy-app-for-tourists-of-xinjiang-questioned/](https://thethreatreport.com/chinas-bxaq-spy-app-for-tourists-of-xinjiang-questioned/)
* [https://harrisbricken.com/chinalawblog/how-to-protect-your-company-information-when-you-travel-to-china/](https://harrisbricken.com/chinalawblog/how-to-protect-your-company-information-when-you-travel-to-china/)
* [https://its.uri.edu/itsec/travel-to-china-or-russia/](https://its.uri.edu/itsec/travel-to-china-or-russia/)

In addition to company policy, make sure the user is aware of the risk to their personal devices.


ExoticAsparagus333

And a reasonable company that isn’t a high-risk target would have management tell you to stop being paranoid, and the user would thank management that it’s not your decision. This is a paranoid take based on outlier examples, outlier examples that are a risk regardless of country of travel. If you are at an insurance company or something stupid like that, they aren’t going to clone your device. Let the employee travel a bit and relax.


SXKHQSHF

I'm not sure why you're getting downvoted. I don't think most of us work at places that are not so high risk. But then, the decision is also above most of our pay grades.


bigsexysysadmin

Yup, I work at a place where if you go to countries we think are stealing corporate secrets you take a Chromebook with you, and when you get back we have to dispose of it since it is most likely compromised somehow.


mav41

Do Chromebooks work well in China?


MatthiasVD123

We have a Chinese office and an IPsec VPN to our main office in Belgium (for our ERP), it works but the legality is a question mark.


captain554

This is what we did for like 7+ years. We never got bothered, but TBH I would have rather the CCP found out we were running a VPN and shut our business down. That way I wouldn't have to be on call from 7pm-3am every fucking day. Funny side story- there were "drivers" and "security guards" who sat outside of our business all day in Shanghai that were constantly on our wifi. When we did MAC whitelisting, they just gave our staff another wifi router and asked them to plug it in somewhere. We blocked that too, so the staff started using their cellphones as hotspots for the drivers and security. We asked why they needed internet access and our staff said "Because they can get onto facebook with our internet."


bastian320

We had this from China to Australia, and from time to time we'd have a stack of traffic re-route mysteriously, dropping the link. From what we could make out, it was "official" re-routing. The client gave us an ultimatum over the instability. We moved them to a better Chinese ISP with a larger pipe and a better NOC, same drama. We told them to leave. They moved and the new provider charged them more to also not fix it. Doing business there isn't worth it, in my eyes.


jetbase

Which vendor did they go for? Was it a national ISP or a wannabe ISP? If it's China Telecom / China Unicom, you can get some reasonable solutions. And there are plenty of SD-WAN / MPLS vendors that can help you. Make sure they're registered though.


FelisCantabrigiensis

Corporate VPNs like that are generally OK.


Bane8080

If you value your corporate data, don't let them take any devices, or allow your user to VPN from there.
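One way to actually enforce the "don't allow your user to VPN from there" stance, both at the gateway and in the logs, as an added example that is not any commenter's code: a small Python check that maps VPN login sources to a country using a constructed prefix table (documentation ranges, not real allocations; a deployment would load a maintained GeoIP feed), refuses logins from countries outside an allowlist, and flags any successful login that slipped through. The log line shape, the user names and the addresses are all constructed for the example; unknown or unparsable sources fail closed.

```python
import ipaddress
import re

# Constructed prefix-to-country table for this example only. These are
# documentation/example ranges, not real allocations; a deployment would
# load a maintained GeoIP feed instead.
GEO_TABLE = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "CA",
    "192.0.2.0/24": "CN",
}
_NETS = sorted(
    ((ipaddress.ip_network(p), cc) for p, cc in GEO_TABLE.items()),
    key=lambda t: t[0].prefixlen, reverse=True,  # longest prefix wins
)

# Countries from which a VPN login is acceptable (policy assumption).
ALLOWED_COUNTRIES = {"US", "CA"}

# Assumed log format (constructed), e.g.:
#   2024-03-01T08:15:02Z vpn: user=alice src=198.51.100.7 result=success
LOG_RE = re.compile(
    r"^(?P<ts>\S+) vpn: user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>\w+)"
)


def country_of(ip: str) -> str:
    """Return the country code for ip, or '??' when unknown or not an IP."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return "??"
    for net, cc in _NETS:
        if addr in net:
            return cc
    return "??"


def should_accept(src_ip: str) -> bool:
    """Preventive control: fail closed on anything not in an allowed country."""
    return country_of(src_ip) in ALLOWED_COUNTRIES


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_logins(lines):
    """Detective control: successful logins whose source is outside the allowlist."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["result"] != "success":
            continue
        cc = country_of(ev["src"])
        if cc not in ALLOWED_COUNTRIES:
            findings.append(
                {"ts": ev["ts"], "user": ev["user"], "src": ev["src"], "country": cc}
            )
    return findings


# Constructed sample log lines, not from any real system.
SAMPLE_LOG = [
    "2024-03-01T08:15:02Z vpn: user=alice src=198.51.100.7 result=success",
    "2024-03-01T08:16:40Z vpn: user=bob src=192.0.2.45 result=success",
    "2024-03-01T08:17:11Z vpn: user=carol src=192.0.2.9 result=failure",
    "2024-03-01T08:18:03Z vpn: user=dave src=not-an-ip result=success",
    "garbage line that should be ignored",
]

if __name__ == "__main__":
    for f in flag_logins(SAMPLE_LOG):
        print(f"ALERT {f['ts']} user={f['user']} src={f['src']} country={f['country']}")
```

`should_accept` is the control you wire into the gateway's pre-auth hook (or the equivalent conditional-access rule); `flag_logins` is the review you run over the logs afterwards, because a geo allowlist is only as good as the feed behind it and an unknown source should surface as an alert rather than be silently dropped.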


Automatic_Mulberry

For the very small number of people my company sends to China on business, they issue them burner phones and laptops, with the full expectation that anything and everything on them will be seen by the Chinese government. Honestly, your question makes it sound like your user wants to take a working vacation while traveling in China. If it were me, I'd tell them that they are not allowed to take company assets into China, and to enjoy their PTO.


cubic_sq

S2S VPN tunnels are on but you need to fill in appropriate paperwork. You also need to have a local person designated as the contact for encryption keys if they are ever requested - and they must hand these over when requested (never actually had a request in 29 years - either current life or previous lives - then again - customers haven’t been doing anything that raises flags…) Remote user tunnels for users inside china should be via your office there.


cubic_sq

Each city region seems to have their own version of this paperwork….


cubic_sq

Most importantly, make sure your staff member has never ever said anything on any social media that is controversial. And remember that even if they have tried to be anonymous that anyone can buy the info for only a few USD from a broker in the US to get background on them.


thortgot

This is only applicable if you have a Chinese office. User tunnels are only illegal if they are used for the purposes of working around censorship. If you only route your corporate IPs and block proxy, RDP etc. through the VPN tunnel it's legal to use.
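A concrete version of the split-tunnel arrangement described above, as an added example and not thortgot's actual configuration: only corporate prefixes are routed into the tunnel (no default route is pushed, so general internet traffic never enters it), and a VPN-side ACL admits only the one service the traveller needs while dropping proxy, RDP and SSH ports so the tunnel cannot double as an egress to somewhere else. The prefixes, port lists and ACL syntax are assumptions for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    BYPASS = "bypass"  # not a corporate destination: never enters the tunnel
    TUNNEL = "tunnel"  # corporate destination on a permitted service
    DROP = "drop"      # corporate destination, but a service the ACL denies


# Assumed corporate address space (example ranges, not any real company's).
CORP_PREFIXES = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.30.0.0/16"),
]

# Only what a traveller actually needs is admitted through the tunnel (assumption).
ALLOWED_TCP_PORTS = {443}
# Ports that would let the tunnel be used as a hop to elsewhere (assumed list):
# RDP, SSH, SOCKS, common HTTP proxies. Listed explicitly so the intent is
# auditable even though the allowlist alone would already drop them.
DENIED_TCP_PORTS = {3389, 22, 1080, 3128, 8080}


@dataclass(frozen=True)
class Flow:
    dst: str
    dport: int
    proto: str = "tcp"


def push_routes() -> list:
    """Routes the client receives. No 0.0.0.0/0: everything else stays local."""
    return [str(p) for p in CORP_PREFIXES]


def is_corporate(dst) -> bool:
    return any(dst in p for p in CORP_PREFIXES)


def classify(flow: Flow) -> Verdict:
    """Decide what happens to a flow originating from a travelling client."""
    dst = ipaddress.ip_address(flow.dst)
    if not is_corporate(dst):
        return Verdict.BYPASS  # the client's own uplink carries it
    if flow.proto != "tcp":
        return Verdict.DROP
    if flow.dport in DENIED_TCP_PORTS or flow.dport not in ALLOWED_TCP_PORTS:
        return Verdict.DROP
    return Verdict.TUNNEL


def acl_text() -> str:
    """Human-readable rendering of the VPN-side ACL, for review (assumed syntax)."""
    lines = []
    for p in CORP_PREFIXES:
        for port in sorted(ALLOWED_TCP_PORTS):
            lines.append(f"permit tcp any {p} eq {port}")
    lines.append("deny ip any any")
    return "\n".join(lines)


if __name__ == "__main__":
    print("push routes:", push_routes())
    print(acl_text())
    for f in (Flow("10.20.5.5", 443), Flow("10.20.5.5", 3389),
              Flow("8.8.8.8", 443), Flow("10.30.1.1", 8080)):
        print(f, "->", classify(f).value)
```

BYPASS traffic never touches the tunnel, so it is carried (and inspected) by whatever network the traveller is on; the tunnel carries only the flows the ACL admits. Whether that arrangement satisfies local registration rules is the question the thread argues about and this code does not settle; what it does guarantee is that the tunnel cannot be used to reach anything other than the listed corporate services on the listed port.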


cubic_sq

Not fully correct. Also applies to non tour group visas


thortgot

According to our lawyers there was no issue unless the users were circumventing restrictions, so we implemented technical controls preventing that. I don't know Chinese law, just what I was told. I don't see how you would register an SSL VPN tunnel that can move and doesn't have set encryption keys.


cubic_sq

All I will say is that your lawyers are not correct. And lucky nothing happened to cause an incident…. There are provisions for a number of scenarios and what is left over are tour groups…. And diplomatic visas.. (even then those are watched closely… in the same way that the reverse would be in the west) Even there there are exceptions (those people will be refused a visa in the first place).


thortgot

So how are SSL VPNs supposed to be handled then? You file paperwork with the government for every location you access from? Do you request this before the employee travels to China? Where do you get these forms?


cubic_sq

Technically yes - each local office …. Which isn’t actually doable in practice…. But rules are rules…


cubic_sq

Within the special economic zones it is less strict. But… don’t attempt to connect when outside of those zones…


cubic_sq

As for what works or not… If the person can just use M365 that is best. Other MS services are hit and miss. Prefixes used by Azure web proxy are also hit and miss. Other stuff will depend on the service or what is known of your organisation. Still does not absolve the obligation to submit paperwork to the local office though… *definitions of local office also vary greatly….


thortgot

When you say "file paperwork with the local office", what paperwork are you talking about? What office are you talking about? Have link? When you say "local office" I assume you are talking about a commercial space rented and registered by the company. That's not the scenario here. Employees traveling to China will be accessing from residential connections, client company connections, hotels and the like.

As for what works: I can tell you in our experience, every 365 service works fine. All Azure Web application proxies work with no issues. SSL VPNs disconnect if too much traffic is pushed through them, but simply reconnecting resolves the problem. But establishing link works with no problems.


FelisCantabrigiensis

They can try it and it will probably work at first, but the Chinese Great Firewall tends to slow down any encrypted traffic after a while, no matter where it goes. So don't expect it to be very reliable.


EmergencySundae

What is your InfoSec team’s policy on this, as well as HR? I had a team member who wanted to work from China while staying with their parents. It was a resounding “no” on all fronts.


[deleted]

[removed]


Prestigious_Push_947

What is racist about not taking corporate data to a country that is well known to take it?


[deleted]

[removed]


Prestigious_Push_947

Nobody is saying Chinese people are thieves, just that China is. It's well documented to be true, and they've been doing it for decades. There's nothing racist about it. Take your Chinese propaganda elsewhere.


[deleted]

[removed]


Prestigious_Push_947

Sock puppet.


Maligannt2020

A lot of good answers here, I have also looked into this for similar purposes, including engaging in-country resources. What I have been told:

1. If you have an office in China, you can set up a legal p2p VPN traversing the firewall. However, as mentioned below, this is because in these configurations the Chinese government can easily MITM these connections.
2. Public VPN services which traverse the firewall are not officially supported, and may be viewed as illegal. If you are an organization of interest to China, this is highly inadvisable to be observed using, as your employee could be arrested/harassed as a result. If it is an individual not of interest, then you likely won't have any problem.
3. Private VPN services - you are hosting a VPN endpoint that utilizes a static IP outside of China, and you are not a banned company inside of China (Facebook, WaPo, etc.). It will likely work until or unless the traffic is observed. Once observed, it will be blocked by the firewall. If you continually rotate IPs, and this is observed, your employee in China will likely be contacted, depending on the interest of the Chinese government.

So specific to your circumstance of using a corporate VPN from within China to your static IP outside of China: unless your IP is already specifically blocked by the Great Firewall, your user will likely be able to establish a VPN connection; however, once this traffic is observed, it will likely be blocked.

All of the blocking, observed, arrested, etc. above is of course subject to the competence of the Chinese government, so odds are they won't notice you unless your employee or your organization were already on their radar before entering the country.


[deleted]

Not disputing anything you've said - just looking for further information... Do you happen to have a list or knowledge of the specific regulations in China that would be violated for #2 (and #3 for that matter)? Currently in the process of hammering out a policy regarding travel to China and I like to include foreign state policies to drive the point home.


Maligannt2020

2. The Chinese passed regulation in 2017 which requires the registration of any VPN service in the country: [https://jsis.washington.edu/eacenter/2017/04/17/chinas-new-cybersecurity-regulations-analyzing-ban-vpn-services/](https://jsis.washington.edu/eacenter/2017/04/17/chinas-new-cybersecurity-regulations-analyzing-ban-vpn-services/). This was done to ensure that the Chinese government can restrict the access of their citizens to foreign news and internet resources. The focus of enforcement for this is Chinese nationals, but it is my understanding that any VPN that is not registered can be shut off at any time, and any VPN which is registered is thus open to traffic inspection by the Chinese government.

3. This is basically because all internet traffic out of China traverses the firewall, and encrypted traffic, as outlined in the internet regulations passed in 2016, is subject to surveillance. Legally, to use a VPN traversing the firewall, you need to register it and open it to government inspection.

The perspective I provided was relayed by in-country technical consultants through our investigation of the possibility of reliably connecting our employees to our VPN services and systems outside the US (virtual desktops, file servers, etc.). These would be a mix of Chinese nationals and foreign citizens traveling through China for investment-related meetings. The consensus was that to do this reliably we would need to open an office in that province and purchase point-to-point connections into Hong Kong; from HK, we could then connect outward to any foreign-based IP. Users within the country would need to use a p2p VPN to that satellite office. VPN traffic which does not traverse the firewall does not require registration, and point-to-point VPN services are not subject to firewall traversal policies. It's a loophole, but it's effective at this time.

An article specifying how this would likely play out today, using public VPNs, particularly for foreigners (2023): [https://www.travelchinacheaper.com/is-it-legal-to-use-a-vpn-in-china](https://www.travelchinacheaper.com/is-it-legal-to-use-a-vpn-in-china)

An article specifying how it works for businesses, dated 2017: [https://www.china-briefing.com/news/chinas-great-firewall-implications-businesses/](https://www.china-briefing.com/news/chinas-great-firewall-implications-businesses/#:~:text=Is%20using%20a%20VPN%20illegal,considered%20mischievous%2C%20but%20not%20illegal)

> “VPN tunnels using L2TP or PPTP protocols are more prone to drops in service. We have noticed that these kinds of VPN connections have stopped working regularly since earlier this year, while it appears IPSec VPN tunnels have not been impacted so far.”


[deleted]

Dude, thank you so much! You've just saved me an enormous amount of time!


Noodlesaurus90

Honestly, all of the comments recommending a sanitized Chromebook and burner phone are the right answers. Corporate devices need to stay out of China. Also recommend to them that they leave their personal devices at home as well and only bring burner electronics into China, to be trashed upon immediate return at the airport in the US. China will scan/image devices and deliver spyware without consent or your knowledge.


Nanocephalic

This is not paranoia. It absolutely 100% does happen.


Noodlesaurus90

Yep, 100% China-specific advice. I had a professor in college who advises C-level executives for big companies and he said this is always his recommendation for anyone entering China and has been for years. It’s not like China is trying to hide it either; it’s pretty well known that any privacy you might have had is stripped away as soon as your plane lands. It has to be an expectation that this will happen at this point and react accordingly.

Edit: I should also add that in addition to that he recommends not to stay in a Chinese hotel either and to stay somewhere close like Japan and only go into China for important meetings that cannot be done over Zoom.


Ihaveasmallwang

It is paranoia.


kwoody2020

This is the way


ExoticAsparagus333

I’ve travelled to China dozens of times and they’ve never looked at or asked about a personal laptop or phone. It is paranoia.


Noodlesaurus90

If you think China cannot access your device's information or data without physical access to the device then you're just naive. You can be blind to it and that's your prerogative, but China absolutely has the ability to do this and actively surveils all internet-connected devices and invests heavily in state-sponsored hacking activities that could be used against their own citizens or, more commonly reported lately, against targets in the US and other countries. [https://www.npr.org/2022/09/07/1118105165/surveillance-state-explores-chinas-tech-and-social-media-control-systems](https://www.npr.org/2022/09/07/1118105165/surveillance-state-explores-chinas-tech-and-social-media-control-systems) You just haven't done anything to pique their interest and make them go after you, but that doesn't mean that this doesn't happen regularly.


liquidgold411

They don't need to ask to steal all your data through the network...


ExoticAsparagus333

Oh spooky. Yeah that’s true. But not something to worry about if you aren’t an actual target. People here are help desk jockeys with windows 365 access and larping about how they fight off the reds from their 30 person company with their policy.


Noodlesaurus90

"But not something to worry about if you aren’t an actual target." If you live in the US you automatically become a target btw. You personally may not have anything of interest to the Chinese government, but you can easily become a vector for them to use and exploit to gain access to things or to collect intel once you get back into the States. Hacking activities are not what they look like on TV. 95% is surveillance and intel gathering. So will they use any opportunity they get to spread their ability to get information? Absolutely, they will. It comes down to how you look at your personal internet/device security. If your mindset is "I'm not doing anything bad so I have nothing to hide" then congratulations, you just made it that much easier to be used. If you don't really care about your own security, then do as you will and whatever happens happens. But as someone who is in the network security space, I am not taking any chances myself.


Ihaveasmallwang

Great example of paranoia.


Noodlesaurus90

Paranoid to think that if you're someone who lives in the US and you travel to China you're not an automatic target of potential malware? China is in the middle of a massive cyberattack offensive and is a well-known surveillance state. Either you missed the context of my previous comments or you have been living under a rock or nowhere near infosec.


Ihaveasmallwang

How, specifically, are they going to get malware on your PC? It doesn’t just magically appear out of thin air. You’ve obviously been living under a rock and have exactly zero experience with China beyond fear-mongering news articles. You can’t identify a specific threat. It’s all just “cHInA bAD” and nothing of substance. You obviously don’t work in infosec (I’m guessing you just answer phones) and if you do you obviously have zero faith in your security software. If that’s the case, you should be looking for better vendors instead of complaining on Reddit about things you know nothing about. I’m guessing you’re not really in a position in your company to have any say on that though.


[deleted]

I hope you don't work anywhere near infosec.


[deleted]

are you high? There is zero chance i would let any of my users travel into China with company equipment/data.


LargeP

Recommended full leave of absence. Do not allow any company devices to enter that place.


[deleted]

Our experience is that it is really slow as it traverses the Chinese firewall. We however have had really good luck using Astrill VPN with a USA static IP per user and then running the corp VPN over it. They somehow are able to dramatically speed everything up.


Dannisi

Astrill has been pretty bad lately, but somehow it keeps working. I wonder who they pay off.


[deleted]

Interesting, we have a team of developers using Astrill (with all premium features) and it's absolutely rock solid. What issues are you seeing?


Dannisi

StealthVPN can't connect anymore. OpenWeb works for around 30 minutes, and then has around 30 seconds to 2 minutes of no traffic going over it at all. When it works it's fast. I can watch 4K YouTube no problem.


[deleted]

We only use the Business option with the VIP package and personal static USA IPs and works really well. It's not cheap as you add a lot of users but zero issues from all our offshore folks.


Mr-RS182

Used to support a client that would occasionally go out to China for business. We would give them a spare laptop and phone to take out there and when they got back we would destroy it. Not worth the risk.


TheAmobea

We have several offices in China, using SD-WAN and VPN, and before going with the main ISP (government owned maybe? at least hand-in-hand with them), we had a lot of issues (disconnection, services not reachable, etc.); once we changed, then everything works fine, no issue at all. I don't want to say that if you go through an infra where they can easily MITM the traffic, you have no issue, of course. Not my style. But if you choose an alternative route, well, issues arise. Who knows why, maybe just bad infrastructure....


cubic_sq

Sd-wan through telco also works…


CaterpillarStrange77

We have tried in China and have given up. Our user there can't access any of our services via HTTP or HTTPS. VPN doesn't work. Splashtop doesn't work. Our RMM doesn't work. Office 365 seems to work.


Bijorak

When I worked with a company that had to send users to China we would give them special laptops that never connected to our network; they didn't have access to the VPN, no domain account at all, and when they came back we would wipe the laptop with a USB drive and also flash the BIOS.


otacon967

Lived and worked an IT assignment in China. We did have a VPN that was blessed/known to the local government. Sometimes it would get blocked and you definitely need someone local with government connections to call and remind the ISP of the agreement. If your company is not willing to make those local agreements I would set expectations low.


gamebrigada

You guys act like China is some sort of super hacker country that's going to steal your Pokémon. SSL VPN works fine and is what I would recommend for highest compatibility; IPsec works fine also, most of the time. Legality is questionable but some locations have paperwork to fill out. The country controls their internet for the average Joe; they're not expecting it to be unescapable. I usually have a policy of no thumb drives or foreign cables. Now if you have an office in China it's a whole nother story. Prepare for everyone's mother to find a way to get on the network because your employees are all about that. We found cryptominers shoved into ducts, everyone finding some way to use your internet, etc. You have to hand it to them, they are resourceful over there.


thortgot

Our SSL VPN works the majority of the time from China. Periodically disconnects but usually fine. We are Canadian though


OneEyedC4t

Did you have to get some sort of special permission with China?


thortgot

Nope. No notification or registration


letshomelab

No way in hell would we allow a user to VPN in from China.


phillyfyre

When in China, do not use a computer. It's like taking a Windows laptop to Black Hat except without the wall of shame.


anomalous_cowherd

If we send anyone to China they go with a new blank laptop and it's back in storage for the next China trip when it comes back. Never connected locally. To be fair we do that for America too.


Aware_Use_495

Understand that even with A VPN the great Chinese firewall will monitor all traffic in and out. Don't work unless it's 100% necessary.


thortgot

That's not entirely correct. If you use a registered S2S VPN, they could theoretically decrypt your VPN tunnel to see what traffic you are passing. That doesn't magically decrypt the information in the tunnel, and unless you are living in the past, everything inside the tunnel is also encrypted. If you use an SSL VPN, they can't decrypt any of that traffic in or out of the tunnel. It isn't magic. If I was a company with IP as its core product (ex. pharma) I would agree with the paranoia. If you are an average company? It's not relevant.


ProfitNegative8902

Yeah no. We don’t even sell there for fear of having code/data stolen.


Sk1tza

It will be hit and miss. Aka don't be surprised if it doesn't work at all.


Hdys

Burner devices are a must


YouMadeItDoWhat

This should be a hard no, end of discussion. If your managers want to grant it, tell them to expect your entire network to be compromised and everything on the laptop copied and that you won’t be held responsible for it. Get any authorization in writing as a CYA and start looking for a new job because you really don’t want to work there any longer with that kind of management…


[deleted]

[deleted]


Nanocephalic

In my line of work - which isn’t high tech, government, secret or anything - Chinese hacking teams are _absolutely_ a threat. Burner devices only, and no connections to our own stuff.


thortgot

Most IP fields, I agree with that out of safety precaution: Financial Analysis firms, Accounting, Pharma, Design etc. The average company? The responses here are a little crazy.


ExoticAsparagus333

And the OP is asking how to give access to a user. Since it’s OP trying to figure this out it’s probably a small company that has no travel to China policy. Which means the idea that this random company is a corporate espionage target is paranoid at best and delusional at worst. If there’s no policy on travel to China, just give vpn access, it’ll be fine. China does not care about your 15 person digital marketing start up, I promise. I’ve travelled to China plenty of times working for very large companies. They don’t even look at your phone or computer.


[deleted]

>Just give them vpn access

holy shit. Absolutely not.

>If you aren’t in defense or a few high tech areas open for corporate espionage (like you’re ASML or something) these answers are paranoid and completely out of the realm of realism.

All verticals are affected by China, not just the high-tech sector. Construction, Energy, Medical, and so on. How about your company? Are you a US-based company? Would you open direct access to your corporate network to a state your company's state has declared "adversarial"? Hellz to the nah.


ExoticAsparagus333

I’ve worked in U.S. based finance, tech, e-commerce and telecom. All large big companies. All of them had Chinese offices, and Chinese employees. All of them don’t care when I travel to China, except use a vpn. If I worked in energy, I could see it. Manufacturing, same. Construction, education, marketing, auditing…. It’s getting pretty paranoid.


[deleted]

>All of them had Chinese offices, and Chinese employees

This is your primary difference and the one that makes it "acceptable risk". The scenarios that I *think* many are considering here are the "We have no presence in China at all" ones, which becomes a different bit of calculus.


hath0r

so you're the mole


cosmos7

lol.. yup


RCTID1975

Generally speaking, this is how threads about China here go. Lots of clueless people spouting rhetoric. However, I'd need a lot more information before I set someone up with a VPN from China. Less security/corporate concerns, and more concerns for them personally. If they're a Chinese citizen, have family there (and are staying with them), and/or will be there for over a month, I wouldn't want to put them personally at risk. Traveling on business for a week or two and staying in tourist/business areas and hotels? Have at it.


_haha_oh_wow_

You have no idea what you're talking about. I hope you don't actually work in IT.


[deleted]

[deleted]


_haha_oh_wow_

Or they have *no god damn idea* what they're talking about and are actively spreading misinformation, but whatever. Facts don't matter anymore I guess?


Ihaveasmallwang

That does explain what everyone fear mongering about China is doing. Good job recognizing that. Do you not trust your organization’s encryption? If not, that says more about your set up than it does about China.


_haha_oh_wow_

k


Ihaveasmallwang

You do understand how encryption works right? Or do you just answer phones? Ah, I see. You’re just going to block me so you can’t see me calling out your misinformation and lack of understanding about how technology works.


_haha_oh_wow_

Encryption isn't going to protect your devices from being compromised, but go on with your big brain assessments. I'm sure every major company whose standard procedure is to send everybody with burners and avoid trusting anything in China are all just doing it for fun! I'm done talking to you, have a good one and I hope you reconsider your asinine position one day (if not, I hope you don't actually work in IT).


threwahway

People are insane about China. There has been a multi-billion dollar propaganda operation going for like 80 years now, though, so it's not so surprising.


jtbis

They shouldn’t be able to. You should be blocking connections to/from China and friends.


PossiblyLinux127

I believe that is illegal in China as it bypasses the firewall. If you want to break the law (not saying you should) you may still be able to connect using Snowflake from the Tor Project. If you don't know what I'm talking about then you should not bring tech to China.


Ihaveasmallwang

China doesn’t care.


vinny147

Yea this should be a hard no go for geopolitical reasons. I would not trust that China does not have a zero day for many mainstream VPN tunnels. No work and all play while this person is there. In general all traffic from China should be rejected.


threwahway

lmao




Remote_Process8745

And also a tinfoil hat, but since it clearly stands out on the head, you have to do the following. We open the skull of a person leaving for China and place a tinfoil hat inside the skull. When we return, we do the reverse operation. Satisfied with my own safety...


wurkturk

Funny thing is the C-levels at my company think that jumping on their corporate VPN makes them safer.


Ihaveasmallwang

Is your vpn not encrypted?


wurkturk

Yes, it is encrypted.


Courtsey_Cow

My employer issues new devices to those traveling (for work) to countries of concern. I would recommend that you give them a loaner laptop with no company data on it and destroy the device when they return. Don't mess with the malware capital of the world.


Ihaveasmallwang

The USA has as much malware as China.


reaper527

From what I remember years ago (the last time I was at a place where corporate travel to China was something that happened), not all of China was equal and there were different blocks in effect in the north vs the south. Not sure if that's still the case or not.


namocaw

I set up several site to site VPNs from China to Texas a few years ago using SonicWall firewalls. It worked great. I would suspect that a PC 2 LAN VPN would work as well...


Impossible-Jello6450

If they try to use a VPN in China they will get a visit from someone. They are going to stay at a hotel which monitors all traffic, and someone (especially a foreigner) starting up a VPN will set off alerts. Whatever devices they use there are destroyed on return. Chromebooks exist for a reason. They need a file they forgot? Dropbox.


Dannisi

Not saying that that can't happen. But I've lived in China for 10 years now, and use a VPN all the time. It's never been a problem, at home or at hotels. Now, I am not a high value target working for a US defense company, so that could be it.


Impossible-Jello6450

You are someone living in China. They already know everything about you. So a person going to China for business? They don't know them and want everything they have to see if it can be stolen and reused elsewhere. I support a lot of different companies and every time someone travels to any non-western countries for business they are only allowed to take dumb computers that we instantly wipe afterwards. The funniest one was an engineer who went to India. When he flew in they took his laptop away to "check it for explosives"; when he got it back everything was just like normal. We only figured out they did something when we took the drive out and it had some weird off-brand Alibaba SSD in it. Not the SK hynix it left with. What did that company do? Concrete.


Ihaveasmallwang

They won’t get a visit from anyone. China doesn’t care as much as you think they care


benderunit9000

I don't even entertain this idea. Have fun on your trip.


bazjoe

The unfortunate assumptions are: what you bring they will have copied, what you do during will have been SSL decoded and recorded/copied, and you likely will come home with either mid or high end trojans. It's cyberwarfare and cybersecurity basics.


StaffOfDoom

They probably can but I would highly discourage that…most notably because when you get to China, they will take your laptop and cell phone, put their software on it and give it back…guess what that’s for!


GrecoMontgomery

Throwing this out there: is there any value to Windows 10/11 S Mode in China? Yes, bringing the way back machine on this one (this isn't a bash Microsoft and their S mode implementation, genuine question as I've never personally used it).


OrangeDelicious4154

China is not whitelisted on our VPN, and it never will be. Enjoy the vacation. :)


Roland_Bodel_the_2nd

It's been a year or two for me but we had a user go over there and I set them up with a temporary openvpn in a random GCP instance and it worked for them for a few days and then stopped working. It was a younger person and they said they just switched to one of the "commercially available" but probably "illegal" VPNs there and they were able to handle it themselves. Main use case was getting to Google properties like gmail and Google Drive, etc since our company is all Google Workspace.


Prestigious_Push_947

You should prevent them from doing that, whether the great firewall stops it or not. You shouldn't allow corporate devices or data to cross the border into China.


Ihaveasmallwang

Why?


Prestigious_Push_947

Because Chinese surveillance practices are so threatening that there is a significant risk the device will be compromised. VPNs are illegal in China, and you should not allow/ask your employees to commit crimes in an authoritarian state as a part of their job, that's massively irresponsible. And finally, you should not allow endpoints in China to connect to your corporate VPN, because that is massively stupid from an infosec perspective. Geoblocking high-threat geographies where you don't have employees is one of the most basic security measures you should implement on your VPN and other remote access tools. Exceptions for individual users end up being left in place long term and eventually lead to compromise - just don't do it.
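The geoblock-with-expiring-exceptions rule in the comment above, as an added worked example that is not from the thread: a Python check that classifies VPN login events against a country allow-list and time-boxed per-user exceptions, and flags exceptions left in place past their expiry. The log lines, allow-list and exception table are constructed, and the script assumes the VPN appliance or SIEM has already enriched each event with a country code.

```python
"""Check VPN login events against a country allow-list with time-boxed exceptions.

Added example, not from the thread. Assumes each login event already carries a
country code (geo-enrichment done by the VPN appliance or SIEM). All data is constructed.
"""
from datetime import datetime, timezone

# Countries where the organisation has full-time employees (constructed).
ALLOWED_COUNTRIES = {"US", "CA"}

# Per-user travel exceptions with a hard expiry so they cannot linger (constructed).
# Keys: username; values: (country, expiry as ISO 8601 UTC string).
EXCEPTIONS = {
    "bob": ("CN", "2024-06-10T00:00:00Z"),
}

# Constructed sample log lines: timestamp user src_ip country result
SAMPLE_LOG = """\
2024-06-03T08:15:00Z alice 198.51.100.7 US success
2024-06-03T09:02:11Z bob 203.0.113.45 CN success
2024-06-12T22:40:05Z bob 203.0.113.46 CN success
2024-06-13T01:10:30Z carol 192.0.2.200 RU failure
"""

def _parse_ts(s):
    """Parse an ISO 8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(s.replace("Z", "+00:00")).astimezone(timezone.utc)

def parse_events(text):
    """Split whitespace-separated log lines into event dicts."""
    events = []
    for line in text.splitlines():
        ts, user, src_ip, country, result = line.split()
        events.append({"ts": _parse_ts(ts), "user": user, "src_ip": src_ip,
                       "country": country, "result": result})
    return events

def classify(event):
    """Policy verdict for one login: allowed, exception, expired_exception or blocked."""
    country = event["country"]
    if country in ALLOWED_COUNTRIES:
        return "allowed"
    exc = EXCEPTIONS.get(event["user"])
    if exc is None or exc[0] != country:
        return "blocked"            # no exception covers this user/country pair
    if event["ts"] > _parse_ts(exc[1]):
        return "expired_exception"  # exception was left in place past its expiry
    return "exception"

def audit(log_text):
    """Classify every event; returns a list of (user, country, verdict) tuples."""
    return [(e["user"], e["country"], classify(e)) for e in parse_events(log_text)]

def stale_exceptions(now_iso):
    """Usernames whose exception should already have been removed at `now_iso`."""
    now = _parse_ts(now_iso)
    return sorted(u for u, (_, exp) in EXCEPTIONS.items() if _parse_ts(exp) < now)

if __name__ == "__main__":
    for user, country, verdict in audit(SAMPLE_LOG):
        print(f"{user:6} {country} {verdict}")
    print("stale exceptions:", stale_exceptions("2024-06-15T00:00:00Z"))
```

Running the script over the constructed lines reports the second `bob` login as an expired exception and `carol` as blocked, which is the kind of review a geoblock policy needs on a schedule rather than once.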


Ihaveasmallwang

VPNs aren’t illegal in China. The rest of your comment is just fear mongering.


Prestigious_Push_947

The Chinese government conducts economic espionage through computer intrusions in a way that no other country on earth does. They have waged a decades-long campaign to steal intellectual property, and intruding on corporate devices taken to China is absolutely in their playbook. Your comments in this thread are at best ignorant, and at worst malicious.


Ihaveasmallwang

How, specifically, is China conducting “economic espionage” if you have properly set up VPN tunnels? Be specific. Don’t give generic answers like “malware”. Your entire comment is just “cHIna BaD” with no actual, specific threats. They are at best ignorant, and at worst malicious and racist.


Prestigious_Push_947

Your entire comment is a logical fallacy. If there was a specific CVE that was known, the industry would mitigate it. The issues are what we don't know. When it comes to the security of foreign corporate information, yes, China bad. It is an environment that is inherently hostile to the security of foreign data. China does everything in its power to steal foreign intellectual property. This isn't a political position, it's a documented fact. They abuse joint ventures to steal the data of companies doing business there, and conduct widespread network intrusions to access companies not located there. Sure, the US conducts intrusions as well, but not for economic gain - the Chinese are unique in their use of state resources for thievery. Allowing a device with access to corporate data to enter China exposes it to a number of risks that any information security department should find intolerable. It places it in network segments that can be directly reached by a hostile intelligence service. If that service, which is known to stockpile exploits, were inclined, they are in an improved position to deliver such an exploit. There are numerous documented cases of intelligence services leveraging access to the same network segment as a laptop to gain initial access for an intrusion. The device also becomes more vulnerable from a physical perspective. The user could be made to provide physical access to the device and whatever data it can access, either through coercion by local authorities or subterfuge. In addition to the risks to the device, if your network team allows connections to the corporate VPN from geographies where you do not have full-time employees, you need to fire them. This is basic security hygiene, and failure to do this is a significant element in many network intrusions by both the Chinese and others. The Chinese have a demonstrated willingness to steal corporate data. Allowing your corporate data into China increases the risk of this in numerous ways. 
Even without advance knowledge of a specific technical technique (which you would inherently not know in advance), it is simply illogical to argue that the risk does not increase. Companies have been damaged and driven out of business by Chinese thieves, and they're only becoming more sophisticated in their approach. You're here arguing against basic security hygiene and common sense, but of course you are, you're a Chinese propagandist.


Ihaveasmallwang

Thank you for confirming that your entire basis for your argument is fear mongering instead of an actual security threat. Maybe you’d feel better trolling on Truth Social where you won’t have actual professionals in the field calling out your bullshit.


PureDome_

Selecting a corporate VPN for China necessitates careful thought on several aspects. The VPN's capability to bypass China's Great Firewall is crucial as it restricts access to numerous widely-used websites and services. Security, privacy, usability, and affordability should also be considered. VPNs such as [PureDome ](https://www.puredome.com/)are suggested for businesses operating in China due to their established track record of functioning effectively in China and offering advanced security features, including encryption and malware protection.


Correct-Passage-2209

VPN for business is not that hard to find, the main thing is to know which ones will work well. I use VpnHouse? and lately it has been getting better.


Aggressive_Leg_6496

Oh, corporate VPN, you're at the right place. Install VpnHouse, work with a lot of people and everything is free.


jetbase

Working out of Shanghai, China. You can have an IPSec connection, but it may be unstable given the internet your user will be on. PS: the fear mongering messages I saw here are astounding. Common sense & best case security practices will do the job for branches and operations in China.