Posts

WireGuard – A Modern-Day VPN Protocol

VPN protocols have been around for decades now; over 20 years when you consider IPsec and OpenVPN. But now there’s a new VPN protocol that’s lightweight, super fast and highly secure. It’s called WireGuard, and there are several reasons you’ll want to consider this modern VPN protocol.

WireGuard: The Newest VPN Protocol

WireGuard is still very nascent and hasn’t yet endured the stress testing that time provides. Nonetheless, WireGuard has already proved itself worthy. It was integrated into the Linux kernel in 2020 and the Windows kernel in 2021, and since that time, WireGuard has performed impressively and shown no signs of any security weaknesses.

This modern VPN protocol uses the latest in cryptography, including Noise Protocol key exchange, Poly1305 authentication and the latest encryption ciphers like ChaCha20. Moreover, WireGuard abandons TCP tunneling in favor of the UDP protocol for fast, stateless connections (more on this later) and also makes no bones about the fact that UDP is easily intercepted.

On their site, WireGuard indicates the protocol is designed for “solid crypto” and is not geared for obfuscation. This is an important distinction: WireGuard contends that their VPN protocol is focused on encryption, and that it’s up to you to add additional controls for privacy — something they contend should happen a layer above WireGuard.

WireGuard Works Great with Mobile

WireGuard has several features that make it unique. As mentioned previously, WireGuard makes a radical departure from TCP tunneling in favor of UDP for better performance. The gains are seen not only with lightning-fast network speeds, but with better performance when it comes to mobile connectivity. TCP-based tunnels struggle and sometimes even disconnect when users regularly move between networks; this is due to the stateful nature of these protocols as they maintain active connections. WireGuard is superior because its stateless nature (UDP) makes it capable of dealing with regular network changes, and thus more reliable.

Mobile connectivity is a major consideration due to the growing number of remote, hybrid and flexible work environments. There’s a large percentage of employees who are using mobile devices — whether BYOD or managed — and that number will continue to grow. As a result, it’s prudent for any organization to support the most widely used platforms and devices, including Windows, macOS, Android and iOS.

WireGuard is cross-platform and supports iOS — which, in my opinion, is a critical device platform to support. A VPN infrastructure that does not support iOS is probably not a modern-day remote networking solution.

Wait, there’s more…

The WireGuard protocol has several advantages that make it worthy of consideration:

  1. The codebase is small compared to legacy VPN protocols, which can exceed hundreds of thousands of lines of code (LOC). WireGuard sports around six thousand LOC, which makes auditing and maintenance a breeze. Additionally, the smaller footprint reduces the opportunities for hackers to exploit.
  2. The protocol is open source, making it less susceptible to vulnerabilities going unchecked. Reviews for readiness, benchmarking and assurance have been and continue to be carried out by professional researchers as well as the private sector.
  3. The lightweight design and reliance on UDP deliver faster throughput speeds and reduced latency when compared to any other VPN protocols.
  4. As WireGuard is stateless, active connections are not maintained. This prevents eavesdropping on the connection link and provides superior mobile device connectivity and reliability.
  5. Strict crypto settings make for easy implementation and remove the risk associated with complicated configuration settings, which can end up disrupting traffic and, ultimately, productivity.
  6. Auto-updating code! If a flaw is found in any cipher, all endpoints are forced to update to a new version ASAP.
  7. WireGuard supports iOS — a major platform for the modern work environment!

Not Without Limitations

WireGuard has its share of disadvantages and challenges, to be sure. In its current, out-of-the-box setup, the default state stores your IP address. This makes your server identifiable, a big no-no when it comes to no-log or “logless” VPN services.

As mentioned before, WireGuard is not about privacy or obfuscation, and is therefore also vulnerable to censorship. Layers of obfuscation must be built on top of WireGuard to provide better privacy. The good news is that WireGuard is already offered by several VPN vendors and service providers who have solved the zero-log-keeping policy and have built the layers of obfuscation necessary for privacy compliance.

All things considered, WireGuard has delivered on its core mission of “solid crypto” and does so at blazing speeds. With its excellent data encryption security, solid connectivity across all platforms including mobile (iOS can’t be overlooked), and super-fast speeds, WireGuard is a worthy modern-day VPN protocol.

Coronavirus Affecting Business as Remote Workforces Expand Beyond Expected Capacity

The novel coronavirus epidemic is a major global health concern. To help prevent the spread of the new virus, organizations, businesses and enterprises are protecting their workforce and allowing employees to work remotely. This practice helps limit individual contact with large groups or crowds (e.g., restaurants, offices, transit) where viruses can easily spread.

As such, ‘stay at home’ is a common phrase in many health-conscious regions this week. According to the BBC, the city of Suzhou said businesses would remain closed until Feb 8, if not longer. As of 2018, Suzhou had a population of more than 10.7 million people.

On Jan. 30, the World Health Organization labeled the outbreak as a global health emergency. In response, the U.S. Department of issued a Level 4 travel advisory to China (do not travel).

Precautions like these are causing unexpected increases in mobile workers; many organizations don’t have enough virtual private network (VPN) licenses to accommodate the increase of users. This is a serious risk as employees will either not have access to business resources or, worse, they will do so via non-secure connections.

Organizations and enterprises in affected areas should review their business continuity plans. The National Law Review published a useful primer for employers and organizations managing workforces susceptible to coronavirus outbreaks. In addition, leverage SonicWall’s ‘5 Core Practices to Ensure Business Continuity.”

What is the coronavirus?

Coronavirus (2019-nCoV) is a respiratory illness first identified in Wuhan, China, but cases have since been reported in the U.S., Canada, Australia, Germany, France, Thailand, Japan, Hong Kong, and nine other countries. In an effort to contain the virus, the Chinese authorities have suspended air and rail travel in the area around Wuhan.

According to Centers for Disease Control and Prevention (CDC), early patients in the outbreak in China “reportedly had some link to a large seafood and animal market, suggesting animal-to-person spread. However, a growing number of patients reportedly have not had exposure to animal markets, indicating person-to-person spread is occurring. At this time, it’s unclear how easily or sustainably this virus is spreading between people.”

The latest situation summary updates are available via the CDC: 2019 Novel Coronavirus, Wuhan, China.


Work-from-Home VPN Solutions for Remote Workforces

To help organizations cost-effectively implement VPN technology for their rapidly expanding work-from-home employees, SonicWall is making its remote access products and services available to both new and existing customers via deeply discounted rates. We’re also bundling critical security solutions for new enterprise and SMB customers.

This special offer provides free Secure Mobile Access (SMA) virtual appliances sized for enterprises and SMBs, and also includes aggressive discounts on Cloud App Security and Capture Client endpoint protection when paired with SMA.

These packages were bundled to include everything needed to protect employees outside the network:

  • Free Secure Mobile Access (SMA) virtual appliance
  • Aggressive discounts on Capture Client endpoint protection
  • Aggressive discounts on Cloud App Security
  • Aggressive discounts on support contracts and Remote Implementation Services when you bundle a virtual appliance
  • New 30- and 60-day VPN spike licenses for existing SMA 100 and 1000 series customers

Ransomware Can Cost You Millions; Is Your Network Secure?

Recently it was reported that in April 2016 an employee at Michigan-based utility company BWL opened an email and clicked on a malicious attachment laden with ransomware. The result? It shut down accounting and email systems as well as phone lines, which lead to a costly and laborious week of recovery.

The cost? $2.4 million.

Let That Sink in for a Second.

In a separate case, the $800K ransom heaped upon the City of Detroit by hackers in 2014 served as an anecdotal warning of the potential for this class of malware.  But in the BWL case, only $25K was actually paid to the attackers with 99 percent of the costs related to technology upgrades and people responding to the attack.  To save you on the mental math, the actual ransom was about 1 percent of the total costs. This could be the setting for a modern proverb based on For Want of a Nail.  The silver lining is the improvement of the utility’s security and the overhaul of its IT communication policy.

What Does This Teach Us?

For all the talk of cost of the ransoms levied upon victims, the impact is much greater.  In this example, it cost the organization in lost business, impact to the customer experience, and even more on the human resources side. It also serves as a poster child for ineffective spam management and phishing prevention.  Ultimately this problem is happening around the world and despite the best intentions at stopping ransomware, it still persists.

What Do You Do If You Are Hit?

First of all, don’t panic.  By default, you need to consider not paying the ransom and find a way to restore systems and data without giving in.  Otherwise, it’s like feeding a feral cat; hackers will be found on your doorstep the next day. Simultaneously, you need to restore systems, discover the point of origin, and stop follow-on attacks.  This is where the backup and security stories combine.

In the case of BWL, it took a lot of human resources and two weeks’ worth of time, most likely because the utility was not prepared for this type of attack.  In your case, find the point of origin and restore a backup from before that event.

But What About Stopping Follow on Attacks?

Before the Firewall

I would like to say that out there is a single solution that will solve this but that isn’t completely true.  In short, the answer is education, security and backup.  The first thing to do is to build the human firewall; teach your employees not to click on attachments or links in suspicious emails, especially if you deal with payments.  This is just the first step; a recent Barkly study stated that in their data set, 33 percent of ransomware victims had already undergone security awareness training.

Additionally, think long and hard before hanging “blamable” employees out to dry.  It may be shortsighted to fire or reprimand an employee for unleashing malware unless they were clearly going outside the boundaries of ethical/lawful internet usage (e.g. browsing adult sites, downloading pirated material, etc.). In many cases, ransomware comes through a cleverly crafted phishing email, and given the fact that BWL’s accounting and email systems were taken offline, I’m assuming an accounts payable person opened an attachment from a hacker with an “unpaid invoice.”

When it comes to technology, you need to have a multi-layered approach to eliminate malware as it approaches your environment.  Look at the image below and you can see how SonicWall stops ransomware via web and device traffic.  In the case of watering hole attacks (e.g., downloading malware from a website), SonicWall Content Filtering Service (CFS) blocks millions of known malicious sites to help remove major sources of pulled malware from the equations.  After this, deploy SSL/TLS decryption to help you see all traffic.  Four years ago, the percentage of traffic being encrypted was very low by comparison today.  Forget the advertised malware-catch-rate of a vendor’s firewall and sandbox; if they can’t inspect 50 percent of traffic, it’s like locking and guarding the front door while leaving the backdoor open.

The Firewall and Capture ATP

If you are using SSL decryption, now all of the traffic coming into your organization can be viewed by your firewall.  Hopefully, this is a modern device that can inspect every byte of every packet to look for threats and approve files quickly.  In the case of device traffic, it hits the firewall and should be directed to your mobile access or VPN appliance to decrypt data and control access to only approved device IDs.  This traffic should be sent back to the firewall to begin its journey along with web traffic, through a gauntlet of rapid security measures.

The firewall and VPN appliances are the hardware portion of the equation with the firewall being the keystone of it all.  Firewalls are defined by their services because they do a lot of the work at removing malware from your internet traffic.  Traditionally, gateway security and anti-virus follow the firewall looking for malware based on a set of signatures; meaning this is how you eliminate known malware.  Point in case, SonicWall eliminated nearly 90 million ransomware attempts in the month of May 2016 using this same technology. Malware is used over and over again and may be seen thousands of times within an hour of its release.  Leveraging a cloud-based signature engine will enable you to have better protection against newer threats.

After going through gateway security, many networks leverage a network sandbox, which is an isolated environment to run suspicious code to see what it does.  This is where a lot of unknown malware is discovered and stopped.  Network sandboxes have been around for a few years now but hackers have found ways to design malicious code to evade their detection, which is why some analysts recommend leveraging multiple sandboxes from multiple vendors to see as much as you can.  I recommend using SonicWall Capture Advanced Threat Protection (ATP) multi-engine sandbox that combines virtualized sandboxing, hypervisor level analysis and full-system emulation to help see what potential malware wants to do from the application, to the OS, to the software running on the hardware.  Since ransomware variants are redeveloped throughout their lifecycle, it is important for sandboxes to create cloud-based sharable hashes for every version possible to block follow-on attacks and shorten the lifespan of ransomware. Through this process a lot of malware is scrubbed out from the point of origin to the server.

Endpoints and Backup

Although this setup is highly effective, you will need to maintain a healthy endpoint protection strategy.  Anti-virus for endpoints is still important, but today it is easier to manage than before.  Leverage an enforced anti-virus technology that doesn’t allow employees to access the internet through a web browser without up-to-date endpoint protection.  In these cases, employees are directed to a download page to update their anti-virus software before they can go and click on that suspicious link in email.

Lastly: back up, back up, and back up some more.  Ransomware exists because organizations keep paying the attackers for their data.  If a ransomware attack evades the common sense of people and the fortifications of your security infrastructure, you can simply wipe the device or server clean and refresh from your back up.

Download our solution brief: How to protect against ransomware.

Chocolate and Network Security: A Match Made in Heaven

I’ve just finished lunch and something is missing. It was a good lunch too: grilled cheese sandwich and lentil soup (a nod to the chilly, blustery Spring morning outside). I liked my lunch, but now I want a little”¦ I don’t know”¦ a little something. What I’d like, truth be told, is a little bit of chocolate. Maybe a small chunk of Ghirardelli’s mile, or whoa ““ how about a lovely Lindt Lindor truffle? Yes, that would be just the ticket, but alas”¦ there’s no chocolate in the house.

And what, you may ask, has this to do with Security?

Everything. I assure you. Everything.

Let’s say you’re a distributor of fine chocolates, candies, gourmet sauces and other foods for the discerning palette. Let’s say you’re business is expanding by leaps and bounds, and your IT infrastructure is increasingly at risk, as you get hit with various malware events. No one really thinks of the critical role that IT plays in under-girding the success of gourmet food, but as wholesale and retail provider, First Source, knew ““ without a sound and safe infrastructure, they were going to be in trouble. But not only did First Source need an updated security infrastructure to better protect against threats 24×7, they also needed this to happen while improving the speed and quality of its order processing.

As a chocolate craver, let me tell you, I’m so glad First Source put SonicWall Security’s mobile and network security solutions and gourmet food together.

Over a period of 18 months, First Source designed and deployed a company-wide SonicWall next-generation firewall solution “” including firewall appliances at each remote location “” to act as the gatekeepers for the First Source IT infrastructure.

And wouldn’t you know it – the SonicWall solution has not only boosted the company’s security, but having site-to-site SSL VPN access with load balancing and high-speed internet connections has allowed the company to increase efficiency and collaboration too (read what other benefits First Source experienced here >>)

In almost every industry, in almost every location a solid secure infrastructure under girds almost all aspects of our lives. Even my chocolate cravings”

The Future Looks Bright for Mobile Worker Productivity

Managing and securing mobile data is about to get a whole lot easier. Mobile platform providers, historically focused on the consumer, are now investing heavily in new OS features that will seamlessly integrate with mobile management and security solutions and allow businesses to more easily enable mobile access to more data and resources without compromising security.

Historically, IT departments protected corporate networks and data by only allowing trusted devices and users to connect to the network. IT could limit the threat of data loss and malware by controlling and managing PC and laptop and software images and configurations. In the new mobile era, IT has limited control or management over devices. Workers are often independently choosing their smart-phones and tablets as well as the apps and services they use to address business and personal needs.

So, with limited mobile device control and management, how can IT keep company data secure while enabling mobile worker productivity?

The leading mobile platform providers recognize the challenge businesses face and are adding new features to make it easier to secure and manage business apps and data on devices, whether corporate or personally owned. And they’re partnering with third party mobile management and security providers to help give IT control to secure and manage the mobile data workflow. Key mobile platform features enabling mobile for business include:

1. Managed separation of business and personal apps and data

Mobile OS’s are architected to allow data to be easily shared by apps. While this ease-of-use and transparent interaction and sharing between apps is beneficial for personal use, it can be problematic for businesses that want to protect data. For example, many social apps mine contact lists from other apps and invite contacts to join their service. With this, confidential customer contact information stored in a business app could unintentionally be “shared” to a personal social app, leaking customer contact information and potentially damaging a business’s reputation or violating regulatory rules. Another risk, if a rogue app is downloaded to a device, mobile malware or vulnerabilities may be present that can steal data or provide an entry point for a cyber-attack.

To address these issues, the new generation of mobile operating systems is adding features that, with third party mobile management tools, will help better secure business apps and data on mobile devices. IT, with mobile user permission, will be able to more easily deploy and manage trusted mobile apps for business and enforce security policy to protect company data, while personal apps and data will be isolated from business apps, preventing data leakage. To meet mobile user demands for personal app and data privacy, IT will be restricted to only manage business apps and data. With these new built-in OS features, today’s proprietary secure containers that isolate and secure business apps and data on mobile devices, will be less necessary, helping to reduce IT cost and complexity.

2. Managed apps

To further support mobile for business, mobile platform providers are making it easier for app developers to build “managed apps”, apps that can be configured and managed by mobile management tools. For these apps, IT will be able to use third party mobile management tools to configure app level policies that affect the actions an app may take. For example, a managed email app implemented with the new mobile management control protocol could be remotely configured to only allow email and attachments to be viewed from the email app, and disallow copy, cut and print functionality to keep business data secure and encrypted within the app and not allow sharing with other apps.

3. App level VPN

Businesses today often deploy VPNs to securely connect mobile and remote workers with company networks and resources, a necessity to encrypt data in-flight and protect from data theft. However, when a device is used for business and personal use, if the VPN is enabled, personal traffic also uses the corporate VPN which can impact network bandwidth and contaminate backend resources. Ideally, to preserve corporate network bandwidth, only business apps and data should use the corporate VPN.

To address this need, mobile OS, security and management technologies are evolving to allow per app VPN capabilities. With per app VPN, security and management technology may be configured with policies to initiate a VPN whenever a business app launches such that business traffic from the mobile device travels through the VPN while personal traffic does not.

So, with these new mobile management and security capabilities, what should businesses do to accelerate mobile adoption and productivity?

Get ready for the next wave of mobile technology. For information on the management and security solutions you need to help enable mobile workers productivity while protecting from threats, read our eBook, Secure Mobile Access.

Mobile Security Checklist to Minimize Risk

The number of mobile devices in the workplace is exploding and with this, a new frontier for cyber-attack is emerging that poses a significant risk to business. As the great philosopher and strategist SunTze wrote, “Know your enemy and know yourself and you can fight a hundred battles without disaster.”

Threat analysts are finding that malware isn’t just a problem for laptops any more. For example, reports indicate that the CloudAtlas campaign, a sophisticated advanced persistent threat that initially targeted windows machines, has made its way to mobile platforms including Android, Apple IOS and Blackberry systems. Our own SonicWall Security Threat Research Center uncovered the Android counterpart of the CloudAtlas campaign. This malware masquerades itself as an update for the popular messenger app Whatsapp, and in turn, spies on a victim’s device to obtain sensitive data,such as texts, contacts and calendar information, and passes it back to the attacker, creating a huge business risk.

Could you, or one of your employees unknowingly have a mobile device infected with malware harvesting your confidential business data?

Fundamentally, there are two key business risks that you need to protect from as workers go mobile. The first, is theft or loss of mobile data. The second, is mobile devices becoming conduits for malware attacks that affect corporate systems and data. So what are the mobile threats you need to be aware of to protect your business?

Here’s a checklist of threats you need to be prepared to tackle in the mobile worker era:

  1. Lost and stolen devicesNo surprise here. If a device is lost or stolen, and corporate data was stored on the device, there’s a risk of confidential data loss. An even bigger risk, is a lost or stolen device being used to gain access to corporate data and apps on the back end. Significantly more data could be impacted if an unauthorized user with a lost or stolen mobile device gains access to the data center. This is particularly problematic for businesses subject to regulatory compliance.
  2. Mobile malware and vulnerabilitiesAnother concern is rogue apps downloaded to devices containing information-stealing malware, such as the CloudAltas threat discussed above, or vulnerabilities with devices, OS design and 3rd party apps. These threats provide entree for attacks and can lead to data theft and downtime. Again, this is a risk for data on the device, but potentially an even bigger risk if the device becomes a conduit for malware to infect backend data systems and cause data loss or downtime.
  3. Data leakage through 3rd party appsCorporate data and apps co-mingling with personal data and apps on devices can also create risk and lead to corporate data leaking, either intentionally or unintentionally. For example, many social apps mine contact lists from other apps and invite contacts to join their service. With this, confidential customer contact information stored in a business app could unintentionally be “shared” to a personal social app, leaking customer contact information and potentially damaging a business’s reputation or violating regulatory rules.
  4. Insecure Wi-FiLastly, the riskof man-in-the middle attacks. Attackers can snoop data if traffic is sent over unencrypted networks such as public wifi. Data in-flight is likely the pulse of the business. It likely contains fresh, sensitive data, and may even contain data subject to legal or regulatory requirements for confidentiality. If that data is intercepted, it could be damaging to the business. Although the relative quantity of data lost or stolen in case of in-flight traffic interception is likely small, the potential for damage is still there. So, to protect in-flight data from interception, data should be encrypted.

Mobile Security Solution

So, now that we reviewed the top threats, how can you prepare to win the mobile security battle to come? To protect from these threats, the best defense is a good offense.

Secure container and encryption technologies such as Enterprise Mobility Management (EMM) can help isolate and secure business apps and data on mobile devices. This a great start, but company data and networks are still at risk if only on-device data protection is addressed. Security is an end-to-end mobile workflow challenge.

For comprehensive mobile security, in addition to EMM, deploy security and access control technologies in your IT infrastructure that authenticate users and interrogate devices, OSes, mobile apps and validate their integrity. Only grant VPN access to trusted users, devices and business apps to help protect from rogue access and malware attacks. Also deploy, next-gen firewalls to scan mobile traffic entering your network and block malware before it infects corporate systems and data. Next-gen firewalls can also scan mobile traffic entering your network and block malware before it infects corporate systems and data and block access to and from disreputable web applications and sites, adding another layer of protection.

For more information on the security and access solutions you need to enable mobile worker productivity while protecting from threats, read our eBook: SonicWall Secure Mobile Access.