WireGuard – A Next-Gen VPN

~~   Foreword   ~~

Why would we need another VPN when we already have IPsec, PPTP, L2TP, OpenVPN, and an array of proprietary SSL VPNs?  After all, these are tried and true and exhaustively tested.  But are they really exhaustively tested?  (PPTP, at least, has been known to be broken for years, and it is still deployed.)

WireGuard has around 4,000 lines of code  —  compare this with roughly 600,000 lines for OpenVPN plus OpenSSL, or 400,000 lines for XFRM plus strongSwan for an IPsec VPN.  How can code that large ever be fully audited, honestly?  Part of WireGuard's economy comes from having no cipher negotiation at all: one fixed suite, so there is nothing to downgrade and no parser for algorithm lists.  Two orders of magnitude fewer lines means a far smaller attack surface in which flaws can hide, and a code base that one reviewer can actually read end to end.  Reducing attack surface is the same principle used by micro-kernels, and is a cardinal principle of information security.


The Immutable Filesystem — Vastly Reducing Attack Surface

I am working on a novel approach to security by generalizing read-only filesystems in Linux, to prevent malware from modifying files or establishing a foothold in systems.  As far as I know this is a first in InfoSec.  When the whole operating system is set to read-only, no changes can be made where it matters, even if the malefactor manages to get root.  This will greatly reduce the attack surface of any system without interfering with its ability to function.

In almost all OS installs, system-critical directories and files are writable, at least by root.  Why?  There is no need.  This is unnecessary, and it leaves open many avenues of attack which are exploited time after time.  An immutable filesystem would eliminate most of the attacks the bulk of the hacker community relies on, and even makes things difficult for nation-state adversaries.  Oh sure, it's still possible to inject malware into memory, but that exists anyway and is a different problem.  The directories that must stay writable (/var, /home, /tmp) still need attention, since persistence in cron spools, user shell start-up files and web roots lives there.  An old axiom is 'Good security is layering'.  The perfect should not be made the enemy of the good, and those who make it so end up with nothing.
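Before making anything immutable it helps to know which of the system-critical paths are currently on a writable mount.  The audit below is an added example written for this page, not code from the author's project: it parses a mount table in /proc/mounts format, finds the mount that covers each critical path by longest-prefix match, and reports the ones whose mount options lack "ro".  The mount table is a constructed sample; on a live system pass the contents of /proc/mounts instead.

```python
# Added example (not the page's or the author's code): audit which
# system-critical paths sit on writable mounts, using /proc/mounts format.

CRITICAL_PATHS = ["/", "/boot", "/etc", "/usr", "/bin", "/sbin", "/lib", "/lib64"]

# Constructed sample in /proc/mounts format: root and /var writable,
# /boot and /usr already remounted read-only.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda1 /boot ext4 ro,relatime 0 0
/dev/sda3 /usr ext4 ro,relatime 0 0
/dev/mapper/vg-var /var ext4 rw,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts-style lines into (mount_point, fstype, set_of_options)."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _device, mount_point, fstype, options = parts[:4]
        # /proc/mounts escapes spaces in mount points as octal \040
        mount_point = mount_point.replace("\\040", " ")
        mounts.append((mount_point, fstype, set(options.split(","))))
    return mounts


def mount_for(path, mounts):
    """Return the mount entry whose mount point is the longest prefix of path."""
    best = None
    for entry in mounts:
        mount_point = entry[0]
        covers = path == mount_point or path.startswith(mount_point.rstrip("/") + "/")
        if covers and (best is None or len(mount_point) > len(best[0])):
            best = entry
    return best


def writable_critical_paths(mounts_text, paths=CRITICAL_PATHS):
    """Return {path: mount_point} for every critical path on a mount without 'ro'."""
    mounts = parse_mounts(mounts_text)
    writable = {}
    for path in paths:
        entry = mount_for(path, mounts)
        if entry is not None and "ro" not in entry[2]:
            writable[path] = entry[0]
    return writable


if __name__ == "__main__":
    for path, mount_point in writable_critical_paths(SAMPLE_MOUNTS).items():
        print(f"{path} is writable (mounted rw at {mount_point})")
```

On the sample table this flags /, /etc, /bin, /sbin, /lib and /lib64 (all covered by the rw root mount) and passes /boot and /usr.  On merged-/usr distributions /bin and /lib are symlinks into /usr, so resolve them with os.path.realpath before checking.  The remedy for a flagged mount is the "ro" option in /etc/fstab, or "mount -o remount,ro /usr" on a running system.  Two caveats a practitioner should keep in mind: a read-only mount only binds root until root runs "mount -o remount,rw", so making it stick against a root-level attacker needs something outside the kernel's own mount table (a write-protected or dm-verity-backed block device, or a disk the hypervisor presents read-only); and the rw mounts that remain (/var, /home, /tmp here) are exactly where persistence is then attempted.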


Securing eMail With D.A.N.E.

Some day I'll get time to do an article on setting up a complete email server with the most advanced security and spam protection, but for now we'll focus on DNS-based Authentication of Named Entities (DANE, RFC 6698, applied to SMTP by RFC 7672).  Of all the methods of securing email transport, DANE is the most comprehensive and advanced to date.

In a nutshell, DANE is a way to authenticate a TLS server (for both web and email) without relying on a Certificate Authority: the domain owner publishes a TLSA record in DNS, protected by DNSSEC, that pins the server's certificate or public key, and the client checks the certificate it is shown against that record.  DANE has become more popular in recent years due to security breaches at some Certificate Authorities, which allowed certificates to be issued to parties other than the domain owner for malevolent purposes.  DANE provides an independent means of checking certs to verify their provenance, and therefore that the session really is with the intended party.  In practice its deployment is between mail servers (SMTP); no mainstream browser implements it for the web.
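What actually goes into a TLSA record, and how a client checks a certificate against it, is easier to see in code.  The example below is added for this page and is not code from the author's mail setup or from any DANE library: it derives the certificate association data from a DER certificate (selector 0 = whole certificate, 1 = SubjectPublicKeyInfo; matching type 0 = exact, 1 = SHA-256, 2 = SHA-512), prints the zone-file line for an MTA, and matches a presented certificate against a list of usage-3 (DANE-EE) records.  The certificate it uses is a constructed, certificate-shaped DER blob with the tbsCertificate field layout but no real names or signature; the DNSSEC-validated lookup of the TLSA record, which DANE depends on, is out of scope here.

```python
# Added example (not the page's or the author's code): TLSA record generation
# and DANE-EE matching per RFC 6698, on a constructed DER certificate.
import hashlib


def der_len(n):
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der(tag, body):
    """Encode one DER TLV."""
    return bytes([tag]) + der_len(len(body)) + body


def der_read(buf, pos=0):
    """Decode the TLV at pos; returns (tag, value, position after the TLV)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def der_children(body):
    """Split a constructed value into its child TLVs as (tag, raw_tlv_bytes)."""
    out, pos = [], 0
    while pos < len(body):
        tag, _, nxt = der_read(body, pos)
        out.append((tag, body[pos:nxt]))
        pos = nxt
    return out


def spki_from_cert(cert_der):
    """Raw SubjectPublicKeyInfo TLV of an X.509 certificate.  tbsCertificate is
    [0] version (optional), serialNumber, signature, issuer, validity,
    subject, subjectPublicKeyInfo, ... so SPKI is field 5 once version is dropped."""
    _, cert_body, _ = der_read(cert_der)
    _, tbs_raw = der_children(cert_body)[0]
    _, tbs_body, _ = der_read(tbs_raw)
    fields = der_children(tbs_body)
    if fields[0][0] == 0xA0:
        fields = fields[1:]
    return fields[5][1]


def tlsa_data(cert_der, selector, mtype):
    """Certificate association data for a (selector, matching type) pair."""
    if selector == 0:
        data = cert_der
    elif selector == 1:
        data = spki_from_cert(cert_der)
    else:
        raise ValueError("unknown TLSA selector")
    if mtype == 0:
        return data
    if mtype == 1:
        return hashlib.sha256(data).digest()
    if mtype == 2:
        return hashlib.sha512(data).digest()
    raise ValueError("unknown TLSA matching type")


def tlsa_record(host, cert_der, port=25, usage=3, selector=1, mtype=1):
    """Zone-file line for the host's MTA.  '3 1 1' (DANE-EE, SPKI, SHA-256) is the
    usual choice because it survives certificate renewals that keep the key."""
    hexdata = tlsa_data(cert_der, selector, mtype).hex()
    return f"_{port}._tcp.{host}. IN TLSA {usage} {selector} {mtype} {hexdata}"


def dane_ee_match(cert_der, records):
    """True if the presented certificate matches any usage-3 record in
    records (tuples of usage, selector, mtype, hexdata).  Usage 2 (DANE-TA)
    needs chain building and is deliberately not handled here."""
    for usage, selector, mtype, hexdata in records:
        if usage == 3 and tlsa_data(cert_der, selector, mtype) == bytes.fromhex(hexdata):
            return True
    return False


def constructed_cert(spki):
    """Certificate-shaped DER for demonstration only: real field layout,
    empty names, no validity and a dummy signature (hypothetical, not a valid cert)."""
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01")
              + der(0x30, b"") * 4 + spki)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


# Constructed SPKI: rsaEncryption OID with a placeholder key, not a real key.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")) + der(0x05, b""))
                  + der(0x03, b"\x00" + b"not-a-real-rsa-key"))
SAMPLE_CERT = constructed_cert(SAMPLE_SPKI)

if __name__ == "__main__":
    print(tlsa_record("mail.example.com", SAMPLE_CERT))
```

For a real certificate the same "3 1 1" value comes from "openssl x509 -in cert.pem -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256".  Two things the snippet leaves out matter in production: the TLSA lookup must be DNSSEC-validated (Postfix, for instance, needs "smtp_dns_support_level = dnssec" and a validating resolver alongside "smtp_tls_security_level = dane"), and when the key is rotated the new record has to be published before the new certificate is deployed, or remote MTAs that enforce DANE will refuse delivery.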


Universal Encrypted Data In Transit – RHEL

Most companies today use Virtual Private Networks for remote users to connect with the enterprise, but few companies encrypt network traffic internally.   So why would universal encryption be a good idea?   Because perimeter defenses have improved to the point that most breaches now involve an attacker who is already inside, having arrived by phishing, SQL injection, or a buffer-overflow exploit.   Once inside, with escalated privileges or control of a vulnerable switch, they can monitor all cleartext traffic on the internal network.

But let's back up for a minute and consider VPNs.   A VPN is a 'tunnel' within the data stream which carries its data, isolated from the rest of the data stream by encryption.   It is only a 'virtual' tunnel since all the data travels with the rest of the crowd, but it is logically isolated from other packets because it is not cleartext.   The headers of its packets describe where it's coming from, where it's going, which packet it is in its stream, and information on the encryption, but the payload of each packet is encrypted using the cipher, hash and handshake that both ends agreed on at the beginning of the session.   This is encapsulation: the original packet is wrapped inside another protocol, which may in turn be wrapped in yet another.   IPsec in tunnel mode works the same way, which is why it is what site-to-site VPNs use.   For host-to-host encryption inside the enterprise, however, IPsec can run in transport mode: the original IP header stays in place and only the payload is encrypted and integrity-protected by ESP, so the packets still flow as normal packets, just with an opaque payload.   Note that in transport mode the source and destination addresses remain visible to anyone on the wire; only the contents are hidden.


Saving An Echo

My Echo SRM-2100 line trimmer has given very good service in the ten-plus years I've owned it, from fully mowing my half-acre yard when I lived in the cabin on 123rd St to the limited lawn I have now.   Commercial-grade (straight-shaft) Echos have a very good reputation for durability, and a low exhaust note which is less annoying.

But lately it's been hard to start, and simply would not idle;   I have to hold the trigger all the time.   These symptoms are usually related to fuel delivery, maybe a clogged idle circuit.   Well, it's been faithful for a long time, so maybe it's time to give it some love.