

06:25 AM

Tech Insight: Microsoft's IPSec

Windows' built-in security capabilities offer endpoint alternative to NAP/NAC

Microsoft's support of the IP Security (IPSec) standard was enhanced with the release of Windows Vista this year, and interest in the technology will likely grow with the introduction of Windows Server 2008. For smaller organizations, IPSec could prove to be a cheap alternative to other network access control (NAC) technologies; for large enterprises, it can be a stepping stone to a full implementation of Microsoft's Network Access Protection (NAP). Either way, it's time for organizations to take a closer look at IPSec's capabilities.

IPSec has been included in every Microsoft Windows desktop and server operating system since Windows 2000. Given that it has been a staple of the operating system for that long, it is surprising that more companies don't take advantage of it, but many IT professionals still labor under the notion that IPSec is a VPN technology used only for remote connectivity.

"The knee-jerk reaction is that IPSec is used for VPN," said Microsoft's Ian Hameroff in a blog. "We want to unlock the other value [in IPSec]." While IPSec certainly can be used for VPNs, it can also be used for basic packet filtering: permitting or blocking traffic based solely on source or destination IP address, source or destination port, and network protocol.

The real power of IPSec, however, is its ability to protect managed Windows machines from unmanaged machines by requiring authentication before network communication can occur between two hosts. That authentication can be based on Kerberos (the natural choice for domain members), X.509 certificates, or pre-shared keys (suitable only for testing, since the key sits in the local policy where any administrator can read it). Optionally, encryption can be enforced as well to secure the traffic between endpoints.

Microsoft calls this method of protecting managed endpoints and servers from unmanaged machines "domain isolation" (every domain member requires authentication from its peers) or "server isolation" (a specific server additionally restricts which authenticated computers or users may connect to it). The company has produced a significant amount of documentation on what it is and how to implement it. In 2004, Microsoft deployed domain isolation using IPSec within its own enterprise network, protecting over 200,000 systems.
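As an added illustration that is not from the article or from Microsoft's own documentation, the following PowerShell session builds a minimal domain- and server-isolation policy on a Vista or Server 2008 host with netsh advfirewall (the same rules can be pushed through the Windows Firewall with Advanced Security extension in Group Policy). The domain controller addresses and the group SID are placeholders; the point is the ordering: exemptions for the infrastructure a domain member needs before it can authenticate, then the require-inbound rule, then the per-server rule layered on top.

```powershell
# Added example, not from the article: domain and server isolation with
# netsh advfirewall, run from an elevated PowerShell prompt on a domain member.
# Placeholder values (assumed): DC addresses and the SID of the domain group
# whose computers are allowed to reach the finance server's SMB share.
$dcAddresses      = "10.0.0.10,10.0.0.11"
$financeGroupSddl = "D:(A;;CC;;;S-1-5-21-1111111111-2222222222-3333333333-1105)"

# 1. Authentication exemptions. Domain members must reach the DCs, DHCP and
#    DNS in the clear, or they can never obtain the Kerberos ticket that the
#    isolation rule below depends on. A more specific endpoint match takes
#    precedence over the any/any isolation rule.
netsh advfirewall consec add rule name="Exempt domain controllers" `
    endpoint1=any endpoint2=$dcAddresses action=noauthentication
netsh advfirewall consec add rule name="Exempt DHCP servers" `
    endpoint1=any endpoint2=dhcp action=noauthentication
netsh advfirewall consec add rule name="Exempt DNS servers" `
    endpoint1=any endpoint2=dns action=noauthentication

# 2. Domain isolation. requireinrequestout accepts inbound traffic only from
#    peers that authenticate with their computer account (Kerberos) and
#    requests, but does not require, IPsec for outbound traffic, so the host
#    can still initiate connections to printers and other non-domain devices.
#    Two quick-mode proposals are offered: integrity-only ESP for ordinary
#    traffic, and AES-128 for servers that will demand encryption in step 3.
#    Pitfall: requestinrequestout is the staged-rollout mode and provides no
#    isolation at all, because it silently falls back to clear text.
netsh advfirewall consec add rule name="Domain isolation" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computerkerb profile=domain `
    qmsecmethods="esp:sha1-none,esp:sha1-aes128" `
    description="Inbound only from authenticated domain computers"

# 3. Server isolation, applied on the finance server itself. The firewall rule
#    for SMB admits only connections that are IPsec-authenticated AND encrypted
#    (security=authenc), and only from computers in the named group. Without
#    the connection security rule from step 2 no peer would ever negotiate
#    IPsec, and this rule would simply drop everything.
netsh advfirewall firewall add rule name="SMB: authorized computers, encrypted" `
    dir=in action=allow protocol=TCP localport=445 profile=domain `
    security=authenc rmtcomputergrp=$financeGroupSddl

# 4. Verify. The rules should be listed, and once traffic flows, main-mode and
#    quick-mode security associations appear for domain peers. An unmanaged
#    host never shows up here: its packets are discarded by step 2.
netsh advfirewall consec show rule name=all
netsh advfirewall monitor show mmsa
netsh advfirewall monitor show qmsa
```

Roll the policy out with the exemptions first and confirm that logon, name resolution and address assignment still work before switching the isolation rule from request to require mode; the exemption list is where most failed deployments go wrong.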

There is a clear need for this sort of endpoint protection. In a survey published earlier this month, the Ponemon Institute and Deloitte & Touche found that 85 percent of enterprises have suffered at least one reportable security breach in the last 12 months, and a staggering 63 percent said they suffered between six and 20. (See Study: Breaches of Personal Data Now Prevalent in Enterprises.)

IPSec could prevent some of these breaches simply by stopping rogue machines from communicating with the managed Windows machines. Even attacks that attempt to gain remote administrative access through a vulnerable Windows service would fail, because the packets are discarded before the service ever sees them unless the attacking machine is a domain member and has authenticated first. The caveat is that isolation draws its boundary around domain membership, not around health or intent: a domain-joined machine that has already been compromised still authenticates and can still reach the vulnerable service, which is the gap the NAP health checks described below are meant to close.

If your company is one of the many that are planning to implement NAC, IPSec should be an important consideration in your technology selection. Unlike other NAC solutions, Microsoft's NAP can quarantine hosts using IPSec in addition to DHCP, VPN, and 802.1x enforcement.

With NAP and IPSec, a Windows endpoint that does not meet the required health checks (antivirus installed and up to date, latest Microsoft patches applied, and so on) is allowed to talk only to the NAP servers so that it can begin remediation. Once the endpoint passes the health checks, a Health Registration Authority (HRA) obtains a health certificate from a certification authority and issues it to the host as proof that it is in good health. The IPSec policy then allows the "healthy" endpoint to communicate with other managed hosts, which in turn accept inbound connections only from peers presenting such a certificate.
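As an added example (not the article's or Microsoft's own code), the same netsh tooling expresses the NAP IPSec-enforcement variant of the isolation rule: inbound peers must present a health certificate, and the only hosts exempt from that requirement are the HRA and remediation servers an unhealthy client needs in order to get well. The health CA name and the server addresses are placeholders.

```powershell
# Added example, not from the article: NAP IPsec enforcement expressed as
# connection security rules on a domain member. Assumed placeholders: the
# distinguished name of the CA that issues health certificates, and the
# addresses of the HRA and remediation (patch and antivirus update) servers.
$healthCa         = "CN=Contoso Health CA,O=Contoso"
$remediationHosts = "10.0.0.30,10.0.0.31"

# 1. Boundary exemption. An unhealthy client holds no health certificate, so it
#    must be able to reach the HRA and remediation servers without IPsec.
#    Anything else it tries to contact discards its packets at step 2.
netsh advfirewall consec add rule name="NAP: remediation network" `
    endpoint1=any endpoint2=$remediationHosts action=noauthentication

# 2. Isolation rule. Accept inbound only from peers whose computer certificate
#    chains to the health CA AND carries the System Health Authentication
#    enhanced key usage (auth1healthcert=yes). A domain member without a
#    working NAP client has a Kerberos ticket but no health certificate, so it
#    is kept out just like a rogue machine.
netsh advfirewall consec add rule name="NAP: require health certificate" `
    endpoint1=any endpoint2=any action=requireinrequestout `
    auth1=computercert auth1ca="$healthCa" auth1healthcert=yes `
    profile=domain

# 3. Checks on a client after enrolment: the NAP agent must report the IPsec
#    enforcement client as enabled, and a health certificate must be present
#    in the machine's personal store (certutil shows the machine store when
#    run elevated). If either is missing, the client will be treated as unhealthy.
netsh nap client show state
certutil -store MY
```

The difference from plain domain isolation is only the authentication method: Kerberos proves membership, while the health certificate proves membership plus a recent passing health check, and it expires quickly enough that a host which stops being compliant drops back out of the isolated network.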

So if IPSec is so great, why isn't it more widely used? One answer is its history. Besides being commonly perceived as a VPN-only technology, Microsoft's IPSec has been difficult to configure in the past. In fact, it previously had to be configured independently of the Windows Firewall, which sometimes led to contradictory policies.

Recognizing these issues, Microsoft released the Simple Policy Update for IPSec in 2006 for Windows XP and Server 2003, and the company has combined the configuration of IPSec and Windows Firewall in Vista and Server 2008. Is it too late to change users' minds about IPSec? Only time will tell.

Windows-based IPSec also may be perceived as a Microsoft-centric solution that doesn’t extend well to other platforms, such as Linux and Mac OS X. In the case of NAP, that won’t be true for long -- Microsoft has more than 100 NAP partners, and several of them are working on NAP clients for Linux and Mac. If you want some examples, take a closer look at UNETsystem Co. Ltd. and Avenda Systems Inc.

Last May, Microsoft's Open Source Software (OSS) Lab completed IPSec interoperability testing between Linux and Vista, which looks promising. In the test, the lab successfully established authenticated and encrypted communications between Linux and Vista endpoints using both certificates and pre-shared keys. This work could eventually make it possible for Linux systems to coexist with Windows hosts in an IPSec domain or server isolation environment. So far, however, we haven't seen any similar testing with Mac OS X.

If your IT shop has looked at Microsoft's implementation of IPSec in the past and dismissed it, it’s time to take another look. The technology has been improved. The price is right -- it's already included in Windows at no extra charge -- and the added security of domain and server isolation is protection that could prevent unnecessary data breaches by rogue machines. And it's a great start toward NAC, which is already supported by Vista and will be included in Server 2008 and Service Pack 3 for Windows XP.
