Internet Protocol Security (IPsec) was introduced in the 1990s and is the traditional site-to-site Virtual Private Network (VPN) method. It was also initially used for remote access VPN but proved difficult to deploy, since key distribution was needed and managing the access-control lists (ACLs) was a pain. IPsec is deployed point to point or hub and spoke, making it hard to expand when users and systems become distributed.
Secure Sockets Layer (SSL) was introduced to address some of these issues and became IPsec’s major rival as a VPN protocol. SSL became increasingly popular, especially for remote access VPNs. The SSL protocol was replaced by a successor technology, Transport Layer Security (TLS), in 2015, but for our purposes here, the terms are interchangeable.
Libraries for the above, such as OpenSSL, have been around for a long time and have been used by many vendors. However, such libraries have typically been slow to evolve, open to vulnerabilities, low performing, or a combination of these limitations. Thus, open-source software and protocols such as WireGuard were introduced.
Let’s look at why Banyan Security leverages WireGuard to be the only pure-play ZTNA vendor to offer tunneled access using our Service Tunnel, along with proxied, tunnel-less access.
It’s true that IPsec and SSL/TLS have been around for a long time and have a huge installed base. These protocols support tons of authentication mechanisms and cryptographic protocols and ciphers. However, being around for so long means huge code bases that have not necessarily been well-maintained. A lot of code has been written for both, which means that lots of little bugs have crept in, and each one of these can be, and will continue to be, compromised. WireGuard was designed and implemented to be much simpler, cleaner, and faster. Linus Torvalds, the creator of Linux, said it was the best protocol to use and merged it into the Linux kernel in 2020.
In a published email to David Miller, the primary maintainer of the Linux networking stack, Torvalds wrote, “Can I just once again state my love for it and hope it gets merged soon? Maybe the code isn’t perfect, but I’ve skimmed it, and compared to the horrors that are OpenVPN and IPsec, it’s a work of art.” See https://lists.openwall.net/netdev/2018/08/02/124
However, because WireGuard’s goal is to be simple and have a small surface area, it lacks many capabilities that an enterprise-caliber VPN solution, especially one espousing zero trust principles, must have:
- Only authenticates via static keys. WireGuard does not include any mechanisms, such as client certificates or JWT (JSON Web Tokens), that enable strong authentication via short-lived credentials.
- No firewalling policies. WireGuard does not allow you to control what resources a client can access.
- Client does not validate the device. You can use any valid key and the client will connect. No device trust check is needed, so nothing ensures the device meets enterprise security standards.
- Server needs an inbound static IP address and open ports. Many private networks, such as your home Wi-Fi, or even a corporate datacenter, do not easily permit this.
Banyan Security has addressed these limitations, making WireGuard the foundation of a true zero trust-enabled solution. In other words, we make WireGuard secure and easy. Our enhanced version of WireGuard rotates the static keys. User authentication has been enhanced to enable multi-factor authentication (MFA) and single sign-on (SSO), and to validate both device identity and trust. Our Connector allows you to deploy tunnel-based connectivity anywhere without requiring a static IP address. To further enhance security and reduce attack surface, we use iptables to set up Layer 4 policies, which means providing granular access to only the IP addresses, ports, and protocols needed for access, and nothing more.
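One way to express the kind of default-deny Layer 4 policy described above, as an added example that is not Banyan's implementation or code from the original post: a shell function that turns per-peer policy lines into an `iptables-restore` ruleset for a WireGuard interface. The interface name `wg0`, the chain name `WG-POLICY`, the policy line format and all addresses are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not Banyan's code): render a default-deny Layer 4 policy for
# a WireGuard interface in iptables-restore format. IPv4 only.
WG_IF="${WG_IF:-wg0}"   # assumed tunnel interface name
CHAIN="WG-POLICY"       # hypothetical chain name

# Reads policy lines "peer_tunnel_ip proto dest_ip dport" on stdin.
# Any malformed line aborts with status 1 before output, so a bad policy
# never yields a partial ruleset.
render_wg_policy() {
    rules=""
    while read -r peer proto dest dport extra; do
        case "$peer" in ''|'#'*) continue ;; esac          # blank line or comment
        [ -z "$extra" ] || return 1                        # too many fields
        case "$proto" in tcp|udp) ;; *) return 1 ;; esac   # only port-based protocols
        case "$dport" in ''|*[!0-9]*) return 1 ;; esac     # port must be numeric
        [ "$dport" -ge 1 ] && [ "$dport" -le 65535 ] || return 1
        case "$peer$dest" in *[!0-9./]*) return 1 ;; esac  # IPv4 address or CIDR characters only
        rules="${rules}-A $CHAIN -s $peer -d $dest -p $proto --dport $dport -j ACCEPT
"
    done
    printf '*filter\n:%s - [0:0]\n' "$CHAIN"
    printf -- '-A FORWARD -i %s -j %s\n' "$WG_IF" "$CHAIN"
    # Packets from the tunnel that belong to already-tracked flows; traffic
    # toward the tunnel is left to the host's existing FORWARD rules.
    printf -- '-A %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$CHAIN"
    printf '%s' "$rules"
    printf -- '-A %s -j DROP\n' "$CHAIN"                   # everything else from the tunnel
    printf 'COMMIT\n'
}

# Constructed sample policy: peer tunnel IP, protocol, destination, port.
render_wg_policy <<'EOF'
10.8.0.2 tcp 10.0.1.10 443
10.8.0.3 udp 10.0.1.53 53
EOF
```

The output can be checked with `iptables-restore --test` before it is loaded.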
But that’s not all. We have more enhancements coming, such as tunnel visibility. For organizations migrating from Layer 3 tunnels, enabling tunnel visibility means understanding what resources your users are accessing and then being able to quickly craft granular tunnel access policies. Also, we’ll be introducing point-to-point connectivity with NAT traversal, which means the ability to bring your hybrid environment together quickly, giving you another good reason to get rid of that legacy edge firewall. Last, to address the limitation of WireGuard and firewalls blocking non-443 traffic, Banyan tunnels WireGuard over HTTPS.
In summary, when done correctly, tunneled access can be performed safely and securely with a Zero Trust Network Access (ZTNA) solution.
The post Why WireGuard is Better than IPsec and SSL for ZTNA first appeared on Banyan Security.
*** This is a Security Bloggers Network syndicated blog from Banyan Security authored by Ashur Kanoon. Read the original post at: https://www.banyansecurity.io/blog/why-wireguard-is-better-than-ipsec-and-ssl-for-ztna/