The Implicit Trust Problem
Traditional network management operates on a dangerous assumption: if you're on the network, you're trusted. A VPN account grants access to the management VLAN. Once inside, you can reach every router, every switch, every management interface. This is implicit trust — and it is the root cause of most lateral movement attacks.
NIST Special Publication 800-207 defines zero trust as: "Never trust, always verify — regardless of network location." Every access request must be authenticated, authorized, and continuously validated.
Reference: NIST SP 800-207, Zero Trust Architecture, August 2020. nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-207.pdf
Attack Surface Comparison
Consider a network with 50 MikroTik routers managed by a team of 4 engineers:
| Attack Vector | Traditional VPN | Wantastic Zero-Trust |
|---|---|---|
| Exposed management port | VPN port (UDP/TCP) | None |
| Credential breach scope | Full VPN subnet (50 devices) | Single compromised session |
| Lateral movement | Unrestricted within subnet | Cryptographically impossible |
| Brute-force target | VPN gateway login | No public endpoint |
| Revocation time | Minutes (rekey required) | Immediate (token invalidation) |
| Audit trail | Firewall logs (best effort) | Per-session cryptographic record |
| Time until found by internet scanners | ~5 minutes | Never (no public surface) |
Concurrent Sessions: How Multitasking Works
Four engineers can manage the same router simultaneously, each with their own isolated Winbox session.
Under shared-credentials VPN:
- Engineers A and B connect with the same admin password
- Either can unknowingly overwrite the other's configuration
- Audit logs cannot distinguish who made a change
Under Wantastic's zero-trust model:
```
Engineer A ──[token:alice@corp]──► Device Endpoint ──► Router
Engineer B ──[token:bob@corp]────► Device Endpoint ──► Router
Engineer C ──[token:carol@corp]──► Device Endpoint ──► Router
```
Changes are attributed in the audit log to the individual. Sessions are cryptographically isolated — Alice cannot intercept Bob's session traffic even when both are connected to the same device.
Post-Quantum Encryption
Standard WireGuard uses Curve25519 for key exchange and ChaCha20-Poly1305 for symmetric encryption. These are secure against classical computers, but a quantum computer running Shor's algorithm could break Curve25519.
NIST finalized its first post-quantum cryptography standards in 2024 (FIPS 203, 204, 205), based on lattice and hash-based constructions.
Reference: NIST, Post-Quantum Cryptography Standardization, 2024. FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), FIPS 205 (SLH-DSA). csrc.nist.gov/projects/post-quantum-cryptography
ChaCha20-Poly1305 remains quantum-resistant for symmetric encryption, so only the key exchange requires upgrading. Wantastic's hybrid approach overlays a post-quantum key encapsulation on top of the WireGuard handshake, protecting against "harvest now, decrypt later" attacks, in which traffic recorded today is decrypted once a capable quantum computer exists.
Role-Based Access Control
| Role | Device Access | Can Provision | Can Delete | API |
|---|---|---|---|---|
| Viewer | Read-only status | No | No | Read |
| Engineer | Winbox + WebSSH | Own devices | No | Read/Write |
| Admin | Full fleet | All devices | Yes | Full |
| Owner | Billing + API keys | All devices | Yes | Full + Billing |
Roles are enforced cryptographically at the overlay layer. An engineer's tunnel token cannot establish a connection to a device outside their permission scope — the overlay rejects the handshake before any device credential is checked.
Incident Response: Rapid Revocation
VPN credential revocation: log in to admin panel → find user → revoke certificate → wait for CRL propagation (minutes).
With Wantastic: one click invalidates all active tokens for that user. Active sessions disconnect within seconds. No CRL, no propagation delay.
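As an added illustration (not Wantastic's code, which this page does not show), the following Python models the overlay-side admission check that the role-based access and revocation sections describe: a signed tunnel token carries the user, role and device scope; the overlay verifies signature, expiry, revocation state, role and scope before any router credential is touched; and revoking a user invalidates every token issued to them so far. The token format, signing key and device names are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
# Constructed demo key; a real overlay would keep this in an HSM or KMS.
OVERLAY_KEY = b"constructed-demo-key-not-a-real-secret"
# Actions each role may request, mirroring the RBAC table above.
ROLE_ACTIONS = {
    "viewer":   {"status"},
    "engineer": {"status", "winbox", "webssh", "provision"},
    "admin":    {"status", "winbox", "webssh", "provision", "delete"},
    "owner":    {"status", "winbox", "webssh", "provision", "delete", "billing"},
}
FLEET_WIDE = {"admin", "owner"}      # roles whose scope is the whole fleet
revoked_before = {}                  # sub -> epoch; tokens issued at/before it are dead

def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def issue_token(sub, role, devices, ttl=3600, now=None):
    # Token = base64url(JSON claims) "." base64url(HMAC-SHA256 tag over the claims)
    now = time.time() if now is None else now
    claims = {"sub": sub, "role": role, "devices": sorted(devices), "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, separators=(",", ":")).encode())
    tag = hmac.new(OVERLAY_KEY, body.encode(), hashlib.sha256).digest()
    return f"{body}.{_b64(tag)}"

def revoke_user(sub, now=None):
    # One-click revocation: every token issued to sub up to now stops verifying.
    revoked_before[sub] = time.time() if now is None else now

def admit(token, device_id, action, now=None):
    """Overlay-side check, run before the router's own login is ever attempted."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".")
        tag_bytes = _unb64(tag)
    except ValueError:
        return False, "malformed token"
    expected = hmac.new(OVERLAY_KEY, body.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag_bytes):
        return False, "bad signature"          # forged or tampered claims
    c = json.loads(_unb64(body))
    if now >= c["exp"]:
        return False, "expired"
    if c["iat"] <= revoked_before.get(c["sub"], -1):
        return False, "revoked"                # active session dropped here
    if action not in ROLE_ACTIONS.get(c["role"], set()):
        return False, f"role {c['role']} may not {action}"
    if c["role"] not in FLEET_WIDE and device_id not in c["devices"]:
        return False, "device outside token scope"
    return True, f"{c['sub']} -> {device_id}: {action}"
```

Because the scope and revocation checks run on the overlay, an out-of-scope or revoked token never reaches the device, which is the property the text attributes to rejecting the handshake before any device credential is checked.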
Compliance Alignment
| Framework | Requirement | Wantastic Feature |
|---|---|---|
| NIST SP 800-207 | Verify every access request | Per-session token verification |
| ISO 27001:2022 | Privileged access management | RBAC + session isolation |
| SOC 2 Type II | Access logging and audit trail | Per-session cryptographic log |
| PCI-DSS v4.0 | MFA for all privileged access | SSO + MFA enforcement |
| EU NIS2 | Network security controls | Encrypted overlay + zero exposure |