Thursday, February 8, 2007

Microsoft's trusted ecosystem vision and its review at Dark Reading...

One of the technologies Bill Gates mentioned as part of Microsoft’s “trust ecosystem” was IPSec. [http://www.microsoft.com/presspass/exec/billg/speeches/2006/02-14RSA06.mspx ]. Tim Wilson at Dark Reading believes that it is an unproven technology ;) and SSL is better. I would like to point out to him that IPSec has been around for a very long time and there are hundreds of good products around. The only reason why SSL became more popular as a VPN method in recent years is because web browsers have it builtin and a lot of applications people were interested in were web based. If Microsoft had provided an easy to use IPSec client in Windows from the beginning it could have been different. As far as core technology is concerned there is both IPSec and SSL use pretty much the same cryptographic algorithms and therefore are equally secure. Since it runs at the network layer IPSec can support almost all applications while SSL is restricted to those that use TCP. While that covers a lot of applications, it does not cover VoIP which uses UDP. In addition IPSec scales well as it does not require the device to terminate TCP. It allows multiple sessions on a single channel resulting in better scalability in terms of the number of concurrent channels a VPN terminating device has to support and the number of key exchanges that need to be done.
Tim claims that IPSec is insecure because it connects the endpoint to the whole network whereas SSL connects it to only a specific application. While there is some truth to this, IPSec VPN devices generally allow policies to be configured that can restrict access to specific applications.
One of the new frontiers in the security war is the internal corporate network. To secure them one of the things that need to be done is to authenticate endpoints connecting to it and enforce policies. This is being done by NAC (pre and post admission) but the authentication aspect is insecure today because in the absence of a cryptographically secured connection, endpoints can spoof their addresses and fool the NAC devices. I believe IPSec holds promise as a standard and proven technology to fix this problem. I am glad that Microsoft is thinking about this and if they integrate IPSec with 802.1x into Windows seamlessly, it will encourage switch vendors to add IPSec termination to switches and secure the corporate LAN.


Add to Technorati Favorites
Add to Technorati Favorites
Add to Technorati Favorites

4 comments:

Mohit said...

Terry Sweeney of Dark Reading pointed out that I
forgot to include the link for the Dark Reading article. It can be found here:
http://www.darkreading.com/document.asp?doc_id=116599&WT.svl=news1_6

Tim Wilson said...

You might want to read the story a bit more closely. First, the opinions expressed came from industry experts, not me personally. Second, I didn't suggest that SSL was better than IPsec, I only noted that many users and other experts have reached this conclusion after testing both. It would be an overgeneralization to say that SSL is always better than IPsec, or vice versa. The point of the story is that Microsoft has come down strongly on the side of IPsec, and that's a bit strange when there are so many SSL VPN users out there. Heck, even Microsoft itself sells an SSL VPN product.

Anonymous said...

Mohit,

I would suggest that you look at 802.1AE MACSec, which looks to solve the problem at the switching layer. By leveraging 802.1X for identity - MACSec looks to provide protection against passive/active data snooping attacks. An older article on NWW provides an overview. 802.1AE was approved June 2006.

http://www.networkworld.com/details/7593.html

Mohit said...

Anonymous,
Thanks for the pointer. Is there any adoption of this standard? Are any switch vendors endorsing it?

Mohit.