It’s easy to underestimate the impact of complexity on an average enterprise-level organization’s security strategy. Solutions like firewalls, multi-factor authentication, traffic encryption, DNS security, and more are carefully orchestrated so that together they defend against every type of attack, yet this “security sprawl” approach has been getting a lot of bad press in the industry lately.
As IT teams struggle to manage the exposure resulting from a growing number of security tools, endpoints, and attack vectors, simplification is a prerequisite for defense. Efforts to streamline have resulted in the embrace of consolidated cloud solutions like SASE, which enable more manageable security tactics like Zero Trust. The same push toward simplicity applies to encryption, in the form of the WireGuard protocol.
What is WireGuard?
Originally developed by Jason Donenfeld, WireGuard is one of the clearest examples of how simplicity can transform and improve one of the oldest parts of the security status quo: securing network traffic. In a time when more people are working remotely, demand for secure access to organizational resources has spiked as well, leading to widespread adoption of traditional VPNs.
Yet these solutions and the older encryption protocols they use – OpenSSL and IPSec, for instance – are relics of the past. They are overengineered, hard to set up, ill-equipped to handle our collective traffic gracefully in the “work from home” era, and known to suffer from crashing or hanging tunnels when burdened by too many clients at once.
WireGuard is a speedier and more flexible encryption protocol that has until now been merely a third-party addition to many security solutions. Compared with other commonly used VPN implementations, WireGuard is significantly smaller in terms of raw code, at just 4,000 lines versus the 600,000 that make up OpenSSL, or the 400,000 lines of code inside an IPSec VPN installation.
Being two full orders of magnitude smaller gives WireGuard a relatively tiny attack surface, and lets it be audited quickly by a single security professional rather than a team of them. And audited it has been, by countless security researchers and professionals. Not only does this mean that a lot less can go wrong and fewer flaws can be found; it also means that WireGuard is much simpler to set up.
Besides being astonishingly minimal, WireGuard also uses stronger and more modern cryptography which, despite its smaller cryptographic keys, gives it unique advantages and makes it likely to replace other protocols as the foundation for a new era of performance-centric traffic privacy.
Benefits of WireGuard
WireGuard’s addition to the default Linux kernel in March 2020 comes just in time: it has already proven itself the gold standard for encrypted tunnels, being both simpler and stronger than the alternatives, at a moment when VPN usage is through the roof.
Now that WireGuard is available on all operating systems, downstream users and solutions will be able to benefit from its smaller attack surface, easy configuration, stronger algorithms, faster connections, and stealthier operation.
Easy Configuration: The point of WireGuard is that its configuration is just about the least amount of data necessary to create an encrypted tunnel. Streamlined by design, WireGuard abandons the concept of “cryptographic agility”, meaning there is no choice of encryption, hashing, or key exchange algorithms. Its small, thoroughly audited set of cryptographic primitives is very difficult to set up incorrectly.
Fewer configuration options mean that less needs to be negotiated between the client and the server in order to create a secure tunnel. Accordingly, an attacker in a man-in-the-middle position observes less about the connection, and less can go wrong in integrating WireGuard with one’s technology stack.
Stronger Algorithms: In place of cryptographic agility, WireGuard relies on crypto versioning, which means that if one of its foundational primitives is compromised, a new version of WireGuard (2.0, for example) can quickly be agreed upon by the client and server rather than negotiating each primitive or key one by one. The basic cryptographic primitives that WireGuard relies on are as follows:
- Symmetric Encryption: ChaCha20 authenticated with Poly1305. This performs better than AES, especially on embedded CPUs that lack cryptographic hardware acceleration.
- Elliptic Curve Diffie-Hellman (ECDH): Curve25519
- Hashing/Keyed Hashing: BLAKE2s, which is faster than SHA-3.
- Hashtable Keys: SipHash24
- Key Derivation: HKDF
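To make the “least amount of data necessary” point concrete, here is an added example (not code from the original post or the WireGuard project) that derives a WireGuard-style Curve25519 key pair, checks that two peers reach the same shared secret, and renders the handful of fields a tunnel needs. X25519 is implemented inline from RFC 7748 so the block runs without dependencies; the address and endpoint values are constructed placeholders, and real deployments would use `wg genkey` and `wg pubkey` instead.

```python
import base64
import secrets

P = 2**255 - 19  # field prime of Curve25519
BASE_U = (9).to_bytes(32, "little")  # u-coordinate of the generator

def clamp(k: bytes) -> int:
    # Same clamping `wg genkey` applies: clear the low 3 bits and bit 255, set bit 254.
    b = bytearray(k)
    b[0] &= 248
    b[31] = (b[31] & 127) | 64
    return int.from_bytes(b, "little")

def x25519(k: bytes, u: bytes) -> bytes:
    # Montgomery ladder from RFC 7748 section 5, inlined so the example has no dependencies.
    k = clamp(k)
    x1 = int.from_bytes(u, "little") & ((1 << 255) - 1)
    x2, z2, x3, z3, swap = 1, 0, x1, 1, 0
    for t in range(254, -1, -1):
        kt = (k >> t) & 1
        if swap ^ kt:
            x2, x3, z2, z3 = x3, x2, z3, z2
        swap = kt
        a, b, c, d = (x2 + z2) % P, (x2 - z2) % P, (x3 + z3) % P, (x3 - z3) % P
        aa, bb, da, cb = a * a % P, b * b % P, d * a % P, c * b % P
        x3, z3 = (da + cb) ** 2 % P, x1 * (da - cb) ** 2 % P
        e = (aa - bb) % P
        x2, z2 = aa * bb % P, e * (aa + 121665 * e) % P
    if swap:
        x2, z2 = x3, z3
    return (x2 * pow(z2, P - 2, P) % P).to_bytes(32, "little")

def genkey() -> bytes:
    return secrets.token_bytes(32)  # what `wg genkey` produces, before base64
def pubkey(private: bytes) -> bytes:
    return x25519(private, BASE_U)  # what `wg pubkey` produces
def b64(key: bytes) -> str:
    return base64.b64encode(key).decode()  # the 44-character form seen in wg0.conf

def minimal_config(own_private: bytes, peer_public: bytes, endpoint: str, allowed: str) -> str:
    # A complete tunnel definition: identities and addresses, nothing about ciphers.
    # Address/endpoint values are constructed placeholders.
    return (f"[Interface]\nPrivateKey = {b64(own_private)}\nAddress = 10.0.0.2/32\n\n"
            f"[Peer]\nPublicKey = {b64(peer_public)}\nEndpoint = {endpoint}\n"
            f"AllowedIPs = {allowed}\n")

if __name__ == "__main__":
    a_priv, b_priv = genkey(), genkey()
    assert x25519(a_priv, pubkey(b_priv)) == x25519(b_priv, pubkey(a_priv))
    print(minimal_config(a_priv, pubkey(b_priv), "vpn.example.net:51820", "10.0.0.1/32"))
```

Note that the rendered configuration contains no cipher, hash, or DH-group parameters at all; the only secret material is the private key line.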
Faster Connection: The long handshake time common among OpenSSL-based VPNs, for example, is why many clients display text assuring users that “something” is happening while they wait. WireGuard’s own benchmarks show that connection time and connection speed are both up to four times faster than alternative protocols on the same hardware. It also means that if the connection drops (itself less likely), reconnection takes significantly less time, and you’ll be back in your tunnel almost without noticing anything happened.
Stealthier Operation: WireGuard is designed to run unobtrusively, and even to hide its presence from network scans. Since the protocol doesn’t respond to packets from unrecognized peers, it’s difficult to tell that it’s even there. Moreover, peers are able to act as both clients and servers at the same time, and can fall silent when no data is being transferred between them.
A New Standard for a New Era
At a time when VPNs are the bare-bones security solution for remote access, and the en masse transition to working from home is still in full swing, reinforcing security ideas with simpler and stronger pillars (like encryption) is a must. It’s no coincidence that WireGuard made its way into the Linux kernel during the peak of the COVID-19 pandemic, but it will prove useful well into the future and slowly replace the alternatives. It’s rare that a shift in the security landscape has such a drastic impact on end users, which makes it hard to overstate the importance of WireGuard’s rise.