Introduced in the 1990s, Internet Protocol Security (IPsec) is the traditional site-to-site virtual private network (VPN) method. It was originally used for remote access VPN as well, but proved difficult to implement due to the need for key distribution and the tediousness of managing Access Control Lists (ACLs). IPsec is deployed point-to-point or hub-and-spoke, making expansion difficult as users and systems are distributed.
Secure Sockets Layer (SSL) was introduced to solve some of these problems and became IPsec’s main competitor as a VPN protocol. SSL has been growing in popularity, especially for remote access VPNs. The SSL protocol was replaced by a successor technology, Transport Layer Security (TLS), in 2015, but for our purposes here the terms are interchangeable.
Libraries implementing these protocols, such as OpenSSL, have existed for a long time and are used by many vendors. However, such libraries have typically evolved slowly, are prone to vulnerabilities, have poor performance, or suffer from a combination of these limitations. This is what opened the door for newer open-source protocols and implementations such as WireGuard.
Let’s look at why Banyan Security uses WireGuard and how it lets us be the only ZTNA-only provider to offer tunneled access through our service tunnel alongside no-tunnel proxy access.
It’s true that IPsec and SSL/TLS have been around for a long time and have a huge installed base. These protocols support myriad authentication mechanisms, cryptographic protocols, and ciphers. However, such a long existence means huge codebases that have not necessarily been well maintained. A lot of code has been written for both, which means a lot of small bugs have crept in, and each of them can and will be compromised. WireGuard was designed and implemented to be much simpler, cleaner, and faster. Linus Torvalds, the creator of Linux, said it was the best protocol and introduced it to the Linux kernel in 2020.
In a published email to David Miller, the main maintainer of the Linux network stack, Torvalds wrote: “Can I once again express my love for this and hope that it will be merged soon? Maybe the code isn’t perfect, but I skimmed it and compared to the horrors of OpenVPN and IPsec it’s a work of art.” See https://lists.openwall.net/netdev/2018/08/02/124
However, since WireGuard’s goal is to be simple and have a small interface, it lacks many features expected of an enterprise-grade VPN solution, especially one that champions Zero Trust principles –
- Authenticates using static keys only. WireGuard does not include mechanisms such as client certificates or JWT (JSON Web Tokens) that enable strong authentication via short-lived credentials.
- No firewall policies. With WireGuard, you cannot control which resources a client can access.
- The client does not validate the device. You can use any valid key and the client will connect. No device trust required to ensure enterprise security standards.
- The server needs an incoming static IP address and open ports. Many private networks, such as your home Wi-Fi or even a corporate data center, do not allow this easily.
Banyan Security has addressed these limitations and made WireGuard the foundation of a true Zero Trust-enabled solution. In other words, we make WireGuard safe and easy. Our enhanced version of WireGuard rotates the static keys. User authentication has been enhanced to enable multi-factor authentication (MFA), single sign-on (SSO), and validate both device identity and trust. With our connector, you can provide tunnel-based connectivity anywhere without the need for a static IP address. To further improve security and reduce the attack surface, we use iptables to set up Layer 4 policies, which means we provide granular access to only the IP addresses, ports, and protocols required for access – no more.
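As an added illustration of the iptables Layer 4 policy idea (example code, not Banyan’s own implementation): a small POSIX shell script that turns a constructed allow-list of protocol, destination and port into a default-deny rule set for a WireGuard interface, and refuses to emit any rules if a single entry is malformed. The interface name wg0, the chain name and the allow-list line format are assumptions made for this example.

```shell
# Added example, not Banyan's code. Assumed tunnel interface and chain name.
WG_IF="${WG_IF:-wg0}"
CHAIN="WG_L4_POLICY"

# Validate one allow-list entry: proto must be tcp or udp, destination a
# dotted-quad with optional /prefix, port an integer in 1..65535.
valid_entry() {
  case "$1" in tcp|udp) ;; *) return 1 ;; esac
  printf '%s' "$2" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' || return 1
  printf '%s' "$3" | grep -Eq '^[0-9]{1,5}$' || return 1
  [ "$3" -ge 1 ] && [ "$3" -le 65535 ]
}

# Read "<proto> <dst/cidr> <port>" lines on stdin and print the iptables
# commands (dry run, nothing is applied). Returns 1 and prints nothing if
# any line is malformed, so a typo cannot silently change the policy.
build_rules() {
  out="iptables -N $CHAIN
iptables -F $CHAIN"
  while read -r proto dst port; do
    [ -z "$proto" ] && continue
    valid_entry "$proto" "$dst" "$port" || return 1
    out="$out
iptables -A $CHAIN -i $WG_IF -p $proto -d $dst --dport $port -j ACCEPT"
  done
  # Everything else entering from the tunnel is logged and dropped.
  # Replies to allowed flows leave towards the tunnel and are matched by conntrack.
  out="$out
iptables -A $CHAIN -i $WG_IF -j LOG --log-prefix \"wg-l4-deny: \"
iptables -A $CHAIN -i $WG_IF -j DROP
iptables -I FORWARD 1 -o $WG_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -I FORWARD 2 -i $WG_IF -j $CHAIN"
  printf '%s\n' "$out"
}

# Constructed sample allow-list: one web server, one database, one DNS subnet.
SAMPLE_POLICY='tcp 10.0.5.20/32 443
tcp 10.0.5.21/32 5432
udp 10.0.6.0/24 53'

printf '%s\n' "$SAMPLE_POLICY" | build_rules
```

Pipe the output into `sh` on the connector host to apply it; because the chain is flushed and rebuilt each time, re-running with an updated allow-list replaces the old policy rather than appending to it.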
But that’s not all. We have other improvements, like tunnel visibility. For organizations migrating from Layer 3 tunnels, tunnel visibility means understanding which resources your users are actually accessing and then being able to quickly create detailed tunnel access policies from that knowledge. We will also introduce point-to-point connectivity with NAT traversal, which means you can bring your hybrid environment together quickly, giving you another good reason to get rid of that legacy edge firewall. Finally, to address the limitation that firewalls blocking non-443 traffic also block WireGuard, Banyan tunnels WireGuard over HTTPS.
In summary, when done properly, tunneled access can be performed safely and securely with a Zero Trust Network Access (ZTNA) solution.
The Why WireGuard is Better than IPsec and SSL for ZTNA post appeared first on Banyan Security.
This is a syndicated blog from Banyan Security’s Security Bloggers Network, written by Ashur Kanoon. Read the original post at: https://www.banyansecurity.io/blog/why-wireguard-is-better-than-ipsec-and-ssl-for-ztna/