One of the technologies Bill Gates mentioned as part of Microsoft’s “trust ecosystem” was IPSec [http://www.microsoft.com/presspass/exec/billg/speeches/2006/02-14RSA06.mspx]. Tim Wilson at Dark Reading believes that it is an unproven technology ;) and that SSL is better. I would like to point out to him that IPSec has been around for a very long time and there are hundreds of good products around. The only reason SSL became more popular as a VPN method in recent years is that web browsers have it built in and a lot of the applications people were interested in were web based. If Microsoft had provided an easy-to-use IPSec client in Windows from the beginning, it could have been different.

As far as core technology is concerned, IPSec and SSL use pretty much the same cryptographic algorithms and are therefore equally secure. Since it runs at the network layer, IPSec can support almost all applications, while SSL is restricted to those that use TCP. That covers a lot of applications, but it does not cover VoIP, which uses UDP. In addition, IPSec scales well because it does not require the device to terminate TCP. It allows multiple sessions on a single channel, which improves scalability both in the number of concurrent channels a VPN terminating device has to support and in the number of key exchanges that need to be done.
Tim claims that IPSec is insecure because it connects the endpoint to the whole network whereas SSL connects it to only a specific application. While there is some truth to this, IPSec VPN devices generally allow policies to be configured that can restrict access to specific applications.
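The policy restriction described above is exactly what IPSec traffic selectors do: the Security Policy Database (SPD, RFC 4301) decides per packet whether traffic is protected, dropped or passed in the clear. The following is an added example, not code from the original post or from any vendor's product; it models an SPD with first-match rules so that a remote-access client can reach only the HTTPS front end and the SIP port of a VoIP gateway, while the rest of the corporate range is discarded. All addresses, ports and rule names are constructed, and the model matches on destination only, whereas a real SPD also selects on source address and port.

```python
"""Added example: a minimal IPsec Security Policy Database (SPD) model in the
style of RFC 4301. Not code from the original post; addresses, ports and rule
names are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# The three SPD actions defined by RFC 4301.
PROTECT, DISCARD, BYPASS = "PROTECT", "DISCARD", "BYPASS"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                    # "tcp", "udp", "icmp", ...
    dport: Optional[int] = None   # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    name: str
    dst_net: str                  # destination selector as CIDR
    action: str
    proto: Optional[str] = None   # None = any IP protocol
    dport: Optional[int] = None   # None = any destination port

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.dst) not in ip_network(self.dst_net):
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def lookup(spd: List[Rule], pkt: Packet) -> str:
    """First-match lookup. RFC 4301 requires an ordered SPD, so the narrow
    application rules must precede the broad deny rule."""
    for rule in spd:
        if rule.matches(pkt):
            return rule.action
    return DISCARD  # default-deny for anything no selector covers


# Constructed policy for a remote-access client: only the HTTPS front end and
# SIP signalling on the VoIP gateway go through the tunnel; every other host in
# the corporate range is dropped at the client, so a compromised client cannot
# reach "the whole network". Non-corporate traffic bypasses IPsec (split tunnel).
CORP_SPD = [
    Rule("web-app",   "10.10.1.10/32", PROTECT, proto="tcp", dport=443),
    Rule("voip-sip",  "10.10.2.20/32", PROTECT, proto="udp", dport=5060),
    Rule("corp-deny", "10.10.0.0/16",  DISCARD),
    Rule("internet",  "0.0.0.0/0",     BYPASS),
]


def classify(pkt: Packet) -> str:
    """Apply the constructed corporate SPD to one packet."""
    return lookup(CORP_SPD, pkt)


if __name__ == "__main__":
    client = "192.0.2.5"
    samples = [
        Packet(client, "10.10.1.10", "tcp", 443),    # sanctioned web app
        Packet(client, "10.10.1.10", "tcp", 22),     # SSH to the same host: denied
        Packet(client, "10.10.2.20", "udp", 5060),   # UDP VoIP signalling: protected
        Packet(client, "10.10.3.7", "icmp"),         # other corporate host: denied
        Packet(client, "203.0.113.9", "tcp", 80),    # Internet: bypass
    ]
    for p in samples:
        print(f"{p.proto:5} {p.dst:>14}:{p.dport} -> {classify(p)}")
```

The ordering matters: swapping `corp-deny` ahead of `web-app` would silently turn the sanctioned application into a black hole, which is why reviewing selector order is a standard check when auditing such policies.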
One of the new frontiers in the security war is the internal corporate network. To secure it, the endpoints connecting to it need to be authenticated and policies enforced. This is being done by NAC (pre- and post-admission), but the authentication aspect is insecure today because, in the absence of a cryptographically secured connection, endpoints can spoof their addresses and fool the NAC devices. I believe IPSec holds promise as a standard and proven technology to fix this problem. I am glad that Microsoft is thinking about this; if they integrate IPSec with 802.1x into Windows seamlessly, it will encourage switch vendors to add IPSec termination to switches and secure the corporate LAN.
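To make the weakness concrete, here is an added simulation (not code from the original post or from any NAC product) contrasting an admission decision that trusts a claimed MAC address with one bound to a keyed challenge-response, which is the role the post expects IPSec and 802.1x to fill. The endpoint inventory, MAC address and pre-shared key are constructed, and HMAC-SHA256 over a fresh nonce stands in for the certificate-based authentication a real 802.1x/IKE deployment would use.

```python
"""Added example: address-based NAC admission versus admission bound to a
keyed challenge-response. Not code from the original post; the inventory,
MAC address and key are constructed. HMAC with a per-endpoint pre-shared key
is a stand-in for certificate-based 802.1x/IKE authentication."""
import hashlib
import hmac
import os
from typing import Dict, Set

LAPTOP_MAC = "00:11:22:33:44:55"                       # constructed
ALLOWED_MACS: Set[str] = {LAPTOP_MAC}
ENDPOINT_KEYS: Dict[str, bytes] = {LAPTOP_MAC: b"constructed-psk-for-laptop-1"}


def admit_by_address(claimed_mac: str) -> bool:
    """Address-based NAC: the identity claim is unauthenticated, so any host
    asserting a sanctioned MAC is admitted, whether or not it owns it."""
    return claimed_mac in ALLOWED_MACS


def endpoint_respond(key: bytes, nonce: bytes) -> bytes:
    """What a supplicant computes over the authenticator's challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


class ChallengeNac:
    """NAC authenticator that binds admission to proof of key possession."""

    def __init__(self) -> None:
        self._pending: Dict[str, bytes] = {}

    def challenge(self, mac: str) -> bytes:
        nonce = os.urandom(16)          # fresh per attempt, defeats replay
        self._pending[mac] = nonce
        return nonce

    def admit(self, mac: str, response: bytes) -> bool:
        nonce = self._pending.pop(mac, None)   # single use
        key = ENDPOINT_KEYS.get(mac)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)   # constant-time


def scenario() -> Dict[str, bool]:
    """Run the same three hosts against both admission schemes."""
    legit_key = ENDPOINT_KEYS[LAPTOP_MAC]
    nac = ChallengeNac()

    # 1. The real laptop answers the challenge with its key.
    n1 = nac.challenge(LAPTOP_MAC)
    legit_ok = nac.admit(LAPTOP_MAC, endpoint_respond(legit_key, n1))

    # 2. A host presenting the sanctioned MAC but without the key.
    n2 = nac.challenge(LAPTOP_MAC)
    spoof_ok = nac.admit(LAPTOP_MAC, endpoint_respond(b"not-the-key", n2))

    # 3. A host replaying the laptop's earlier valid response to a new challenge.
    nac.challenge(LAPTOP_MAC)
    replay_ok = nac.admit(LAPTOP_MAC, endpoint_respond(legit_key, n1))

    return {
        "address_only_admits_spoofed_mac": admit_by_address(LAPTOP_MAC),
        "crypto_admits_legit": legit_ok,
        "crypto_admits_spoof": spoof_ok,
        "crypto_admits_replay": replay_ok,
    }


if __name__ == "__main__":
    for check, result in scenario().items():
        print(f"{check:34} {result}")
```

The address-only check returns the same answer for all three hosts because it never sees anything but the claimed address; the challenge-response version admits only the host that can compute the MAC over a nonce it has never seen before, which is the property an IPSec or 802.1x handshake gives the switch.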