Authors: Alexander Zierhut & Simon Lange of Zierhut IT
Why Do You Need A VPN In Your Company Network?
There are many reasons for using a VPN in a company’s own network. Nowadays, the focus is primarily on topics such as intrusion detection and mitigation, but also on keeping the possible attack vector small. You probably also run services in your network, such as Samba shares, that support encrypted transport but should nevertheless not be publicly accessible. In this article we mainly discuss WireGuard, an alternative to OpenVPN, and its advantages.
What Is An Attack Vector?
In cybersecurity, an attack vector is a method or path that an attacker uses to gain access to or penetrate a target system. In this context, one often speaks of wanting to reduce the attack vector (more precisely, the attack surface, i.e. the set of such paths). In other words, one accepts the premise that error-free software cannot be developed and instead tries to reduce the number of possible errors, for example by using fewer different software products and by standardizing processes. Time and again, post-incident analysis shows that no particularly sophisticated or unknown methods were needed; the breach came down to the one forgotten server that nobody had documented. That is a typical way to enlarge the attack vector, usually by accident.
Old Arguments That Are Irrelevant Today
In the past, internal company services were often made available completely unencrypted, mainly because of the immensely high cost of valid TLS/SSL certificates. An attacker in the same network could therefore read everything in plain text without any effort. Today, such certificates are available from many providers at significantly lower prices, and some are completely free of charge. In the past, a VPN was therefore used primarily as a cost-effective alternative to these TLS/SSL certificates.
Why You Should Not Rely On One VPN Only
A VPN is often used for access management. This means that the VPN credentials are no longer used as an additional security layer, but are sometimes misused as general company access. This is a use case for which a VPN alone is neither suitable nor intended.
Especially if you rely too much on a VPN, you quickly create a “single point of failure”: it becomes possible to attack a complex system via a single point and, in the case of a successful attack, to cause great damage. It is also not uncommon for a simple leak of credentials to be enough to render an entire company network insecure and thus unusable. In such a breach, even currently connected clients are often exposed, since the VPN is based on a bidirectional connection. All of a sudden, your printers are public.
What Is WireGuard?
WireGuard is a very lean, fast and easy to configure VPN solution. Lean here means that the source code base is tiny compared to the usual alternatives OpenVPN or IPsec. In hard numbers, this is a difference of about four thousand lines of code for WireGuard, compared to several hundred thousand for OpenVPN.[1]
In general, it is important to mention that the number of lines of code, whether many or few, is rarely a quality characteristic on its own. The reason few lines are considered positive in the field of VPN and IT security software is that the chance of a security-critical bug is drastically reduced. It also reduces the time and financial burden of costly security audits. Therefore, keeping system and security-critical software particularly small is generally a very future-proof approach.
Another advantage is WireGuard’s high speed. Of course, exact performance benchmarks also depend on the algorithms and configurations used, but it can be generalized that even customized OpenVPN configurations can rarely keep up with WireGuard’s speed.[2]
Since March 2020, WireGuard has officially been part of the Linux kernel and is thus pre-installed on current Linux distributions. Many other platforms, such as Windows, macOS, iOS and Android, are supported as well.
In summary, WireGuard has a lot to offer VPN users in many different use cases. If you are considering using WireGuard, try it out on a smaller scale, e.g. in a test project. It is also important to consider how big your potential attack vector really is, so that you do not rely solely on a VPN. Evaluate the possibility of external audits for this purpose.
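The two points above, that a leaked peer key must not expose the whole network and that a WireGuard configuration is small enough to review, can be combined into a simple configuration audit. The following is an added example, not part of this article and not WireGuard’s own tooling: it parses a server-side `wg0.conf` and flags peers whose `AllowedIPs` are broader than a single host address, peers whose ranges overlap another peer’s, and peers without a `PresharedKey` (the symmetric-key layer WireGuard documents as its post-quantum mitigation). The config text, peer names and key strings are constructed placeholders, not real keys.

```python
"""Audit a WireGuard interface configuration for settings that widen the blast
radius of a leaked peer key.  Added example for this article; the sample config
below is constructed and the key values are placeholders, not real keys."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample wg0.conf for a VPN server (placeholder keys, not real ones).
SAMPLE_CONF = """
[Interface]
Address = 10.8.0.1/24
ListenPort = 51820
PrivateKey = SERVER_PRIVATE_KEY_PLACEHOLDER=

# laptop-alice: one host address, preshared key set
[Peer]
PublicKey = ALICE_PUBLIC_KEY_PLACEHOLDER=
PresharedKey = ALICE_PSK_PLACEHOLDER=
AllowedIPs = 10.8.0.2/32

# printer-gateway: far too broad, and no preshared key
[Peer]
PublicKey = GATEWAY_PUBLIC_KEY_PLACEHOLDER=
AllowedIPs = 0.0.0.0/0
"""


@dataclass
class Peer:
    public_key: str = ""
    preshared_key: str = ""
    allowed_ips: list = field(default_factory=list)


def parse_wg_conf(text):
    """Return (interface settings dict, list of Peer) from INI-style wg config text."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            peers.append(Peer())
            current = peers[-1]
        elif "=" in line and current is not None:
            # split on the first '=' only: base64 keys end with '=' padding
            key, value = (s.strip() for s in line.split("=", 1))
            if current is interface:
                interface[key] = value
            elif key == "PublicKey":
                current.public_key = value
            elif key == "PresharedKey":
                current.preshared_key = value
            elif key == "AllowedIPs":
                current.allowed_ips = [ipaddress.ip_network(v.strip())
                                       for v in value.split(",")]
    return interface, peers


def audit_peers(peers):
    """Findings per peer: AllowedIPs wider than one host (a leaked key could then
    send traffic as a whole range, or pull the server's routes to itself),
    overlaps with another peer's range, and a missing PresharedKey."""
    findings, seen = [], []
    for idx, p in enumerate(peers):
        name = f"peer{idx} ({p.public_key[:8]}...)"
        if not p.preshared_key:
            findings.append(f"{name}: no PresharedKey set")
        for net in p.allowed_ips:
            if net.prefixlen < net.max_prefixlen:
                findings.append(f"{name}: AllowedIPs {net} is broader than a single host")
            for other_name, other in seen:
                if net.overlaps(other):
                    findings.append(f"{name}: AllowedIPs {net} overlaps {other} of {other_name}")
        seen.extend((name, net) for net in p.allowed_ips)
    return findings


def audit_conf(text):
    """Convenience wrapper: parse the config text and audit its peers."""
    _interface, peers = parse_wg_conf(text)
    return audit_peers(peers)


if __name__ == "__main__":
    for finding in audit_conf(SAMPLE_CONF):
        print(finding)
```

Run against the sample, the audit reports nothing for the laptop peer and three findings for the gateway peer (no preshared key, a catch-all range, and an overlap with the laptop’s address). Narrow `AllowedIPs` on the server side do not by themselves limit what a peer can reach; that is the job of the host firewall, which should also bind internal services such as Samba to the VPN interface only, so that the VPN remains one layer among several rather than the single point of failure described above.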
We also recommend the whitepaper “Post-quantum WireGuard”, where you can learn how WireGuard is and will be prepared for the post-quantum era.