
12/21/2007 06:25 AM

Tech Insight: Microsoft's IPSec

Windows' built-in security capabilities offer endpoint alternative to NAP/NAC

Microsoft’s support of the IP Security (IPSec) standard was enhanced with the release of Windows Vista this year, and interest in the technology will likely grow with the introduction of Windows 2008. For smaller organizations, IPSec could prove to be a cheap alternative to other network access control (NAC) technologies, or a stepping stone to a full implementation of Microsoft's Network Access Protection (NAP) in large enterprises. Either way, it’s time for organizations to take a closer look at IPSec’s capabilities.

Since Windows 2000, IPSec has been included in every Microsoft Windows desktop and server operating system. Given that it is a staple of the operating system, it’s surprising that more companies don't take advantage of the technology, but many IT professionals still labor under the notion that IPSec is a VPN technology used only for remote connectivity.

"The knee-jerk reaction is that IPSec is used for VPN," said Microsoft’s Ian Hameroff in a blog. "We want to unlock the other value [in IPSec]." While IPSec certainly can be used in VPNs, it can also be used for basic packet filtering, or blocking solely based on source or destination IP, source or destination port and network protocol.

The real power of IPSec, however, is in its ability to protect managed Windows machines from non-managed machines by requiring authentication before network communications can occur between two hosts. This authentication is based on Kerberos, certificates, or pre-shared keys, and optionally, encryption can be enforced to secure communications between endpoints.

Microsoft calls this method of protecting managed endpoints and servers from un-managed machines "domain isolation" or "server isolation." The company has produced a significant amount of documentation on what it is and how to implement it. In 2004, Microsoft deployed domain isolation using IPSec within its own enterprise network, protecting over 200,000 systems.
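The following script is an added illustration of the domain and server isolation policies described above; it is not from the article or from Microsoft's documentation. It uses the NetSecurity PowerShell cmdlets (Windows 8 / Server 2012 and later; on Vista and Server 2008, which the article covers, the same policy is expressed with the `netsh advfirewall consec` command set). The rule names, the choice of SMB (TCP/445) as the isolated service and the ESP cipher suite are assumptions chosen for the example.

```powershell
# Added example (not the article's or Microsoft's code): domain isolation plus one
# server isolation rule, expressed with the NetSecurity cmdlets. Run elevated on a
# domain-joined test host. Rule names and the SMB/AES-256 choices are assumptions.
#Requires -RunAsAdministrator
Set-StrictMode -Version Latest
$ErrorActionPreference = 'Stop'

# Phase 1 (main mode) authentication: the computer account's Kerberos ticket.
# A machine that is not a domain member cannot present one, so it never gets
# past this step; that is the whole point of "domain isolation".
$kerb    = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet = New-NetIPsecPhase1AuthSet -DisplayName 'Isolation: computer Kerberos' -Proposal $kerb

# Domain isolation: require authentication for all inbound traffic, but only
# request it outbound so managed hosts can still reach unmanaged resources
# (printers, non-Windows DNS, and so on) in the clear.
New-NetIPsecRule -DisplayName 'Domain isolation (all managed hosts)' `
    -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name

# Server isolation for one sensitive service (SMB, TCP/445): require
# authentication in both directions and ESP encryption, so file traffic from
# this host is neither reachable by nor readable to unmanaged machines.
$esp       = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$cryptoSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Isolation: ESP AES-256' -Proposal $esp

New-NetIPsecRule -DisplayName 'Server isolation: SMB requires encryption' `
    -Profile Domain `
    -Protocol TCP -LocalPort 445 `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name `
    -QuickModeCryptoSet $cryptoSet.Name

# Verification: confirm the rules exist, then (after another managed host
# connects) confirm that main-mode and quick-mode security associations were
# negotiated. No SA for a peer that should be managed usually points to a
# Kerberos problem (clock skew, missing computer account) or a policy-scope
# mismatch rather than to IPSec itself.
Get-NetIPsecRule | Where-Object DisplayName -like '*isolation*' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Enabled
Get-NetIPsecMainModeSA
Get-NetIPsecQuickModeSA
```

Two design points are worth noting. "Require inbound, request outbound" is the conventional first step for domain isolation because it protects the managed host without cutting it off from legitimate unmanaged services; flipping outbound to Require is the later, stricter phase and needs exemption rules for anything that cannot speak IPSec. Second, the domain isolation rule authenticates but does not encrypt, which keeps CPU cost low and leaves the traffic visible to network monitoring; encryption is reserved for the server isolation rule where confidentiality of the payload actually matters.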

There is a clear need for this sort of endpoint protection. In a survey published earlier this month, the Ponemon Institute and Deloitte & Touche found that 85 percent of enterprises have suffered at least one reportable security breach in the last 12 months, and a staggering 63 percent said they suffered between six and 20. (See Study: Breaches of Personal Data Now Prevalent in Enterprises.)

IPSec could prevent some of these breaches by simply stopping rogue machines from communicating to the managed Windows machines. Even malicious attacks that attempt to wrest remote administrative access from vulnerable Windows services would be prevented, because the connection wouldn’t be allowed without the attacking machine being part of the domain and authenticating first.

If your company is one of the many that are planning to implement NAC, IPSec should be an important consideration in your technology selection. Unlike other NAC solutions, Microsoft's NAP can quarantine hosts using IPSec in addition to DHCP, VPN, and 802.1x enforcement.

With NAP and IPSec, if a Windows endpoint does not meet the required health checks (antivirus installed and updated, latest Microsoft patches applied, etc.), it would only be allowed to talk with the NAP servers to begin remediation. Once the endpoint has passed the health checks, a health certificate server provides a certificate proving that the host is in good health. IPSec policies would then allow the "healthy" endpoint to communicate to other managed hosts.

So if IPSec is so great, why isn't it more widely used? One answer is its history. Besides being commonly perceived as a VPN-only technology, Microsoft's IPSec has been difficult to configure in the past. In fact, it previously had to be configured independently of the Windows Firewall, which sometimes led to contradictory policies.

Recognizing these issues, Microsoft released the Simple Policy Update for IPSec in 2006 for Windows XP and Server 2003, and the company has combined the configuration of IPSec and Windows Firewall in Vista and Server 2008. Is it too late to change users' minds about IPSec? Only time will tell.

Windows-based IPSec also may be perceived as a Microsoft-centric solution that doesn’t extend well to other platforms, such as Linux and Mac OS X. In the case of NAP, that won’t be true for long -- Microsoft has more than 100 NAP partners, and several of them are working on NAP clients for Linux and Mac. If you want some examples, take a closer look at UNETsystem Co. Ltd. and Avenda Systems Inc.

Last May, Microsoft’s Open Source Software (OSS) Lab completed IPsec interoperability testing between Linux and Vista, which seems promising. In the test, the lab successfully established authenticated and encrypted communications between Linux and Vista endpoints using certificates and pre-shared keys. This testing could eventually make it possible for Linux systems to coexist in an IPSec domain or server isolation environment with a Windows host. So far, however, we haven't seen any similar testing with MacOS.

If your IT shop has looked at Microsoft's implementation of IPSec in the past and dismissed it, it’s time to take another look. The technology has been improved. The price is right -- it's already included in Windows at no extra charge -- and the added security of domain and server isolation is protection that could prevent unnecessary data breaches by rogue machines. And it's a great start toward NAC, which is already supported by Vista and will be included in Server 2008 and Service Pack 3 for Windows XP.
