John_Spiegel

The rise of WireGuard for remote access VPNs

If you’ve not read the 2025 Security Service Edge Adoption Report, now is a good time to do so. The document is packed with insights on the state of security from a practitioner point of view. It also provides insight into how companies are looking to secure their workforce. Over 700 network and security leaders were interviewed. The report details how companies are struggling with traditional security solutions, and why and how they are making the move to security service edge (SSE) solutions. As you peel back the data, two themes emerge: old vs. new and complex vs. simple. From a technical perspective, this raises a question: how can we move to new and simple for the underlying transport of SSE? Let’s dive in.

Traditional VPNs, based on pizza box style devices, leverage the IPSec suite of protocols for authentication and encryption. The same is true for several of the SSE vendors in the marketplace today. IPSec operates at the network layer, making it versatile for various applications, including site-to-site VPNs and remote access scenarios. IPSec comprises several components:

  • Internet Key Exchange (IKE): Handles security associations and key management
  • Encapsulating Security Payload (ESP): Provides encryption for data confidentiality
  • Authentication Header (AH): Ensures data integrity and authenticity but does not encrypt the payload

Despite its utility and widespread adoption, IPSec’s complexity is also its weakness. Its origins date to the 1990s, and its codebase, built up over three decades, often exceeds 400,000 lines. Let’s be honest, the technical debt has piled up. This leads to challenges in configuration and maintenance. More importantly, it makes auditing and vulnerability assessments difficult.

Is there another option you should be considering? There is: WireGuard. It is a relatively recent addition to the VPN landscape, emerging around 2015. Looking back on two decades of IPSec, its designers targeted a simpler, faster, and more secure alternative to existing VPN protocols. For speed, WireGuard operates at the kernel level, integrating directly into the operating system’s core for enhanced performance. Its minimalist design philosophy results in a codebase of approximately 4000 lines, significantly reducing the attack surface and making auditing more manageable.

Let’s get into the technical details. WireGuard utilizes state-of-the-art cryptographic primitives:

  • ChaCha20: For symmetric encryption, offering comparable security to AES but with better performance on certain hardware
  • Curve25519: For key exchange, ensuring secure and efficient session establishment
  • BLAKE2s: For hashing, providing fast and secure message digests
  • Poly1305: For message authentication, ensuring data integrity and authenticity

The result? A modern and more efficient cryptographic construction that enhances both security and performance.
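To make the list above concrete, here is an added example (not WireGuard’s own code, and not from HPE Aruba Networking) that composes the four primitives the way WireGuard’s transport layer does: Curve25519 agreement feeds a BLAKE2s-based KDF, and the resulting keys drive ChaCha20-Poly1305 with WireGuard’s nonce layout of four zero bytes followed by a 64-bit little-endian packet counter. It assumes the `cryptography` package is installed; the chaining-key label, the simplified two-output KDF, the packet format and the sample payload are this example’s own constructions, not the WireGuard handshake (which is Noise_IK) or its exact key schedule.

```python
"""Constructed example composing WireGuard's primitives: X25519 -> HMAC-BLAKE2s
KDF -> ChaCha20-Poly1305 with a counter nonce. Labels and layout are simplified
stand-ins for the real protocol, chosen only to show how the pieces fit."""
import hashlib
import hmac
import struct

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.asymmetric.x25519 import (
    X25519PrivateKey, X25519PublicKey)
from cryptography.hazmat.primitives.ciphers.aead import ChaCha20Poly1305


def hmac_blake2s(key: bytes, data: bytes) -> bytes:
    # WireGuard's KDF is HKDF built on HMAC-BLAKE2s; hashlib supplies blake2s.
    return hmac.new(key, data, hashlib.blake2s).digest()


def kdf2(chaining_key: bytes, ikm: bytes) -> tuple[bytes, bytes]:
    # HKDF-style extract then expand to two 32-byte outputs (simplified form).
    prk = hmac_blake2s(chaining_key, ikm)
    t1 = hmac_blake2s(prk, b"\x01")
    t2 = hmac_blake2s(prk, t1 + b"\x02")
    return t1, t2


def derive_transport_keys(my_priv: X25519PrivateKey, peer_pub: X25519PublicKey,
                          initiator: bool) -> tuple[bytes, bytes]:
    """Curve25519 agreement -> BLAKE2s KDF -> (send_key, recv_key).

    Both sides compute the same pair and assign the halves in opposite
    directions, so the initiator's send key is the responder's receive key."""
    shared = my_priv.exchange(peer_pub)  # 32-byte X25519 shared secret
    chaining_key = hashlib.blake2s(b"example-construction-v1").digest()  # constructed label
    k_init_to_resp, k_resp_to_init = kdf2(chaining_key, shared)
    if initiator:
        return k_init_to_resp, k_resp_to_init
    return k_resp_to_init, k_init_to_resp


def seal(send_key: bytes, counter: int, plaintext: bytes) -> bytes:
    """ChaCha20-Poly1305 with WireGuard's nonce layout: 4 zero bytes, then the
    64-bit little-endian packet counter. Reusing a counter under one key breaks
    this AEAD, so a sender must never roll the counter back."""
    nonce = b"\x00" * 4 + struct.pack("<Q", counter)
    aead = ChaCha20Poly1305(send_key)
    return struct.pack("<Q", counter) + aead.encrypt(nonce, plaintext, b"")


def open_packet(recv_key: bytes, packet: bytes, highest_seen: int) -> tuple[int, bytes]:
    """Verify the Poly1305 tag and reject counters at or below the highest one
    already accepted (a simplified stand-in for WireGuard's anti-replay window)."""
    counter = struct.unpack("<Q", packet[:8])[0]
    if counter <= highest_seen:
        raise ValueError("replayed or out-of-order packet rejected")
    nonce = b"\x00" * 4 + struct.pack("<Q", counter)
    plaintext = ChaCha20Poly1305(recv_key).decrypt(nonce, packet[8:], b"")
    return counter, plaintext


def demo() -> dict:
    # Constructed keys and message: two fresh peers exchange one packet.
    initiator_priv = X25519PrivateKey.generate()
    responder_priv = X25519PrivateKey.generate()
    i_send, i_recv = derive_transport_keys(initiator_priv, responder_priv.public_key(), True)
    r_send, r_recv = derive_transport_keys(responder_priv, initiator_priv.public_key(), False)

    pkt = seal(i_send, 1, b"constructed sample payload")
    counter, pt = open_packet(r_recv, pkt, highest_seen=0)

    replay_rejected = False
    try:
        open_packet(r_recv, pkt, highest_seen=counter)  # same packet again
    except ValueError:
        replay_rejected = True

    tampered = bytearray(pkt)
    tampered[-1] ^= 0x01  # flip one bit of the Poly1305 tag
    tamper_rejected = False
    try:
        open_packet(r_recv, bytes(tampered), highest_seen=0)
    except InvalidTag:
        tamper_rejected = True

    return {"keys_match": i_send == r_recv and i_recv == r_send,
            "plaintext": pt, "counter": counter,
            "replay_rejected": replay_rejected, "tamper_rejected": tamper_rejected}


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the design leaves no negotiable choices: the key agreement, KDF, cipher and MAC are fixed, the nonce is derived from a monotonic counter rather than chosen by the sender, and anything that fails the tag check or the counter check is dropped before it can influence state.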

Why should you be looking at WireGuard for SSE?

Performance—WireGuard runs in kernel space, so packets are encrypted and decrypted without crossing between user space and the kernel. How much does that help? Measured against IPSec, WireGuard achieves lower latency and higher throughput than traditional VPN protocols. Performance tests have demonstrated a 13% higher throughput than IPSec using AES-GCM encryption and a 75% improvement over OpenVPN [1]. Additionally, WireGuard exhibited 77.5% lower ping responses than IPSec and a 74% reduction in latency compared to OpenVPN [2].

Simplicity—WireGuard’s slim design translates to straightforward configuration and deployment. On the other hand, IPSec can be complex to set up due to its numerous configuration options and modes. With WireGuard, you gain simplicity. This reduces the likelihood of misconfiguration, a common source of security vulnerabilities. Furthermore, WireGuard’s lean codebase facilitates easier auditing and maintenance.

Security—WireGuard provides a fixed set of modern cryptographic protocols. It does not support legacy cryptographic suites from decades ago, so only the most secure and efficient algorithms are used. This greatly reduces the attack surface and enhances overall security. Another advantage is that WireGuard is easily upgraded to quantum-resistant algorithms such as Kyber. Looking to the future, this will become a critical item for companies as we enter the next decade.

Mobility and roaming—Where WireGuard stands out is in remote access scenarios, especially with mobile clients. Why? Maintaining a stable VPN connection across changing networks is a challenge for heritage solutions, and this is where WireGuard excels. In modern networks, devices and users are highly mobile and constantly roaming between different IP addresses. Keep in mind, this was not the case in the late 1990s when IPSec was designed: devices were static and wireless was still in its infancy. Today, users and devices move between networks (from Wi-Fi to cellular and back). WireGuard was designed with this in mind. It can maintain the VPN session without re-establishing it, providing a smoother and more reliable user experience.
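The roaming behaviour described above rests on one rule: a peer’s endpoint is updated only from a packet that authenticates under that peer’s session key, so a client changing address keeps its tunnel without a new handshake, while unauthenticated or replayed traffic from a new address cannot move the endpoint. The following added example (not WireGuard’s or HPE Aruba Networking’s code) simulates that rule in a receiver; the packet format, the key-id field, the HMAC-BLAKE2s tag standing in for the real AEAD, and the RFC 5737 documentation addresses are all this example’s own constructions.

```python
"""Constructed simulation of WireGuard-style endpoint roaming: the stored
endpoint follows the source address of the last *authenticated* packet only.
Packet layout used here (simplified): key_id(4) | counter(8) | payload | tag(32)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]


@dataclass
class Peer:
    session_key: bytes
    endpoint: Optional[Endpoint] = None
    highest_counter: int = -1


def tag(key: bytes, data: bytes) -> bytes:
    # Stand-in for the AEAD's Poly1305 tag: HMAC-BLAKE2s over the packet body.
    return hmac.new(key, data, hashlib.blake2s).digest()


def build_packet(key_id: int, session_key: bytes, counter: int, payload: bytes) -> bytes:
    body = struct.pack("<IQ", key_id, counter) + payload
    return body + tag(session_key, body)


class Receiver:
    def __init__(self) -> None:
        self.peers: Dict[int, Peer] = {}

    def handle(self, src: Endpoint, packet: bytes) -> str:
        """Process one datagram from source address `src`; returns a status."""
        if len(packet) < 12 + 32:
            return "malformed"
        body, mac = packet[:-32], packet[-32:]
        key_id, counter = struct.unpack("<IQ", body[:12])
        peer = self.peers.get(key_id)
        if peer is None:
            return "unknown_peer"
        # Authenticate before touching any peer state.
        if not hmac.compare_digest(mac, tag(peer.session_key, body)):
            return "bad_auth"
        # Reject counters already seen (simplified anti-replay check).
        if counter <= peer.highest_counter:
            return "replay"
        peer.highest_counter = counter
        if peer.endpoint != src:
            # Roaming: the authenticated packet arrived from a new address,
            # so replies now go there. No handshake is repeated.
            peer.endpoint = src
            return "endpoint_updated"
        return "accepted"


def demo() -> dict:
    # Constructed session key, peer id and addresses (RFC 5737 documentation ranges).
    key = hashlib.blake2s(b"constructed session key").digest()
    rx = Receiver()
    rx.peers[7] = Peer(session_key=key)
    wifi = ("198.51.100.10", 51820)
    cellular = ("203.0.113.7", 40000)
    other = ("192.0.2.99", 1)

    p1 = build_packet(7, key, 1, b"hello")
    s1 = rx.handle(wifi, p1)                       # first packet: endpoint learned
    p2 = build_packet(7, key, 2, b"still here")
    s2 = rx.handle(cellular, p2)                   # client roamed to cellular
    forged = build_packet(7, b"wrong key", 3, b"x")
    s3 = rx.handle(other, forged)                  # bad tag: endpoint must not move
    s4 = rx.handle(other, p2)                      # captured packet resent: replay

    return {"statuses": [s1, s2, s3, s4], "endpoint": rx.peers[7].endpoint}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the four statuses and the final endpoint; the endpoint ends on the cellular address because only the two authenticated, fresh packets were allowed to change it.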

Resource efficiency—WireGuard’s efficient design results in lower CPU usage and power consumption, which is particularly beneficial for devices with limited resources, such as smartphones and Internet of Things (IoT) systems. This efficiency does not come at the expense of security or performance. This makes WireGuard an attractive option for a wide range of devices we leverage in the modern workplace.

HPE Aruba Networking SSE and WireGuard integration

Where HPE Aruba Networking SSE stands apart from the other major SSE vendors is its use of WireGuard rather than IPSec. In 2018, as HPE began designing the HPE Aruba Networking SSE platform, the company reviewed past and future trends to understand the landscape. While IPSec is supported as a connectivity method to the HPE Aruba Networking SSE cloud, the design team realized that the industry needed to move forward on the client side and opted to be future forward with WireGuard. Thus, within this architecture, WireGuard plays a crucial role by establishing secure, high-performance tunnels between endpoints and points of presence (PoPs). The SSE agent utilizes WireGuard to connect to multiple PoPs, facilitating efficient traffic routing and enhancing overall network performance.

Smart routing with WireGuard

Resiliency and speed play a critical role in today’s networks. How do you gain both? A distinctive feature of HPE Aruba Networking SSE is its smart routing capability. This mechanism provides mesh connectivity from the agent to the SSE PoPs. The default option connects the SSE agent to all PoPs; there is also an option to connect to a predefined list of PoPs. By employing WireGuard tunnels, smart routing dynamically evaluates network conditions, such as round-trip time (RTT), to determine the optimal PoP for each flow. If you need real-time connectivity (voice or video), the low-latency path is selected. If you are doing a large file transfer, the path with higher bandwidth is selected. This dynamic selection process reduces latency and boosts throughput, thereby enhancing the user experience. Smart routing also provides high resiliency. If a PoP is experiencing congestion, the path is automatically rerouted to the next best available PoP. This happens in real time; there is no need for admin intervention.

Conclusion

If you are starting your evaluation of SSE, experiencing the pain of legacy solutions, or still supporting traditional remote access VPNs, start looking into WireGuard. It represents a significant advancement in VPN technology, offering superior performance, security, and ease of use compared to traditional protocols like IPSec. Don’t accept traditional solutions that carry legacy technical debt and thus impact performance and security. Rather, seek a modern approach, such as HPE Aruba Networking SSE. Ask the questions, do your research, and then take WireGuard on a test drive.

[1] https://www.wireguard.com/performance/

[2] https://www.vpnranks.com/blog/wireguard-vs-openvpn/

About the Author

John_Spiegel

John Spiegel is Director of Strategy and Field CTO for the Axis Atmos SSE platform, powered by HPE Aruba Networking. He has 25 years of experience running global networks and managing infrastructure. He is an industry pioneer in software defined networking (SDN) and software defined WANs (SD-WAN). When not helping companies on their journey to modernize and secure their networks, John can be found cycling on the backroads of Oregon.