The introduction of WPA3 in 2018 was one of the most extensive security upgrades Wi-Fi has ever seen. Assuming no major security breaches, it will probably be a part of internet-device security for several years to come. Considering that internet security is a continuous process, we must ask ourselves if WPA3 alone is sufficient. Large enterprises are facing an increasing number of security-based problems. What is the reason, and what can be done? WPA3 has seen flaws, and a strong firewall is purposeless once a breach has occurred. Therefore, we will explore Zero Trust architecture and how we can use WireGuard to achieve Zero Trust on an enterprise-sized network. Furthermore, we will allow ourselves to think bigger and imagine how we can achieve end-to-end encryption in a Zero Trust-based global internet with Syntropy.
Zero Trust Architecture
Higher security requirements are one of the most pressing issues for enterprises in today's digitalized world. Firewalls, switches, and routers are the main components determining whether devices inside a network are trustworthy. This means blindly trusting all entities that have gained access to the network, making it vulnerable to replay attacks, rogue access points, and more. Zero Trust is a security concept introduced in a paper by John Kindervag in 2010, based on the mantra "never trust, always verify". Rather than trusting all the entities inside a firewall, you remove the perimeter and assume every entity is a bad actor. Instead of trusting entities to do the right thing, you verify that they are trustworthy on an application-specific basis.
Whenever a user wants to access a resource, access is granted based on the user's identity. A goal of the Zero Trust architecture is to eliminate the concept of trusted and untrusted networks and instead label all traffic as untrusted by default. Thus, security measures must be implemented at each resource instead of just at the perimeter of the network. Consequently, access control can be done more comprehensively and in finer detail, granting users access to only the resources they need.
After grasping the concept of the Zero Trust model, the question of how it can be implemented arises. Zero Trust is a framework that can be implemented in several different ways. However, Kindervag's paper specifies some key components, technologies, and capabilities needed to implement a successful Zero Trust architecture. These are summarized in three key takeaways: least privilege access control, meaning limiting user access to the minimum necessary in order to contain unwanted incidents as much as possible; secure resource access, meaning all traffic is assumed to be a threat until it has been authorized, inspected, and secured; and, lastly, inspecting and logging all traffic, meaning that you verify both the user's identity and the traffic the user actually generates. The Zero Trust model places particular emphasis on this last point: traffic must be inspected and logged, not merely authorized. With these concepts in mind, one can see that achieving Zero Trust is difficult and can be approached in multiple ways. I will investigate how to realize a Zero Trust network by implementing end-to-end encryption between entities with WireGuard.
WireGuard is essentially a communication protocol describing communication through network tunnels secured with state-of-the-art cryptography, as stated in its official whitepaper. The protocol is based on adding dedicated, configurable network interfaces to devices and on a concept called Cryptokey Routing. Each network interface is assigned a public key with a corresponding private key used for authentication. The configuration of each interface lists its allowed peers: an allowed peer is the public key and the IP address of an entity allowed inside that interface's network tunnel.
Thus, to send a packet, the packet is handed to the WireGuard interface of the device, where it is encrypted for the receiving endpoint using that endpoint's public key. After the packet has arrived on the receiving WireGuard interface, it is decrypted with the corresponding private key. The receiver then cross-checks the sender's IP address against the public key in its peer list, ensuring that the packet was sent by the expected sender; forging these values would be cryptographically infeasible. This is, of course, an oversimplified view of the protocol, which rests on heavy cryptographic primitives described further in the whitepaper. Nonetheless, the discussed functionality of WireGuard serves as a basis for investigating how it can be used to get closer to a Zero Trust Model and how it can reduce attack surfaces.
We can now ask the question: does the proposed network of WireGuard clients on each endpoint constitute a Zero Trust Model? Imagine a user already inside the firewalls of a network; can they freely access the servers and databases they want? No, because all entities in the network are equipped with a WireGuard client containing a list of peers that are allowed to access the given resource. The Zero Trust requirements of secure resource access and least privilege access control are met. Lastly, the network should require each device to log and inspect all traffic arriving at the interface of the WireGuard client, meeting the final requirement of the Zero Trust Model.
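To make the peer-list check concrete, here is an added example (not WireGuard's own code, and not from the original article) that models the Cryptokey Routing decision described above for a single resource's interface. Peer keys are placeholder strings standing in for real public keys, and the hosts, addresses and key names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of WireGuard's Cryptokey Routing rule: each peer's
# public key is bound to the IP addresses it may use inside the tunnel.
# Inbound packets are only accepted if the inner source IP matches the
# AllowedIPs of the key that authenticated them; outbound packets are
# only sent to a peer whose AllowedIPs covers the destination.

@dataclass
class Peer:
    public_key: str            # placeholder, not a real Curve25519 key
    allowed_ips: list          # ipaddress networks this key may use

class CryptokeyRouter:
    def __init__(self, peers):
        self.peers = {p.public_key: p for p in peers}
        self.log = []          # audit trail: (direction, key, ip, verdict)

    def select_peer(self, dst_ip):
        """Outbound: choose the peer whose AllowedIPs contains dst_ip
        (longest prefix wins). None means no peer may receive it."""
        dst = ipaddress.ip_address(dst_ip)
        best, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if dst in net and net.prefixlen > best_len:
                    best, best_len = peer, net.prefixlen
        self.log.append(("out", best.public_key if best else None,
                         dst_ip, best is not None))
        return best

    def accept_inbound(self, public_key, src_ip):
        """Inbound: the packet has already been authenticated under
        public_key; accept only if its inner source IP is allowed."""
        peer = self.peers.get(public_key)
        ok = peer is not None and any(
            ipaddress.ip_address(src_ip) in n for n in peer.allowed_ips)
        self.log.append(("in", public_key, src_ip, ok))
        return ok

def build_db_server_router():
    """Constructed peer list for a database server's interface: only the
    application server and one admin host are allowed peers."""
    return CryptokeyRouter([
        Peer("APP_SERVER_KEY", [ipaddress.ip_network("10.0.0.2/32")]),
        Peer("ADMIN_HOST_KEY", [ipaddress.ip_network("10.0.0.10/32")]),
    ])
```

A packet that authenticates under the application server's key but claims the admin host's inner address is rejected, as is any packet from a key not on the list; every decision lands in the audit log so the traffic can be inspected afterwards.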
The described architecture is an alternative way of looking at security, removing the need to trust anyone inside a given firewall. In a resource-specific manner, every entity is assumed to be malicious until verified otherwise. Combining WPA3-enabled devices with the Zero Trust Model will equip your network with a high level of security, even in the case of a flaw in WPA3 or malicious actors gaining access past your firewalls. With these security concepts in mind, we will now think even bigger. If this model can be applied to an enterprise-sized network, can it also be used on the internet as a whole? To investigate this, we will look at a real-world example of developers trying exactly that, called Syntropy.
Syntropy aims to improve connectivity and security on the internet, essentially using the exact mechanisms discussed above. It implements a WireGuard client on endpoints and nodes on the internet to create a Zero Trust connectivity layer with end-to-end encryption, as its website states. Simplified, this is done by having a mesh network of nodes and routers running WireGuard clients, in addition to a Decentralized Autonomous Routing Protocol (DARP) that makes the routing decisions. The mesh network consists of nodes from people and businesses around the world.
In the backend of the system, there is a blockchain running a native token that is used as "gas" in the network. To use the network, one must run a client and connect it to the mesh network. This is similar to the network architecture discussed above: a Zero Trust Model for the internet. Sending packets is done in the same way, using the receiver's public key to achieve end-to-end encryption. The connections in the mesh network, where the routing is done, are also encrypted with WireGuard, creating another layer of security when sending data. Because the routing protocol is decentralized, autonomous, and open source, you do not have to rely on a third party for protection. You can also validate the legitimacy of the code yourself.
Even though WPA3 is regarded as the most secure Wi-Fi security standard, cyber attacks are still possible through faults like human error and firewall breaches. The Zero Trust Model provides us with a new way of thinking about security, with the potential to drastically reduce network attack surfaces. Zero Trust can be achieved in multiple ways, such as implementing a network of WireGuard clients. Syntropy provides a compelling example of how the same model can be applied to the internet, removing the need to trust third parties. I think achieving a Zero Trust Model on the internet, with end-to-end encrypted connections and autonomous, decentralized routing decisions, is captivating and worth looking further into. Hopefully, it will reduce the attack surface of connections and networks, creating a more secure internet. Nevertheless, it is essential to remember that information security is a continuous process that must always be monitored and improved. It remains to be seen whether the internet will be revolutionized in such a manner. I at least know one thing: we have exciting times ahead.