Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


06:25 AM

Tech Insight: Microsoft's IPSec

Windows' built-in security capabilities offer endpoint alternative to NAP/NAC

Microsoft’s support of the IP Security (IPSec) standard was enhanced with the release of Windows Vista this year, and interest in the technology will likely grow with the introduction of Windows 2008. For smaller organizations, IPSec could prove to be a cheap alternative to other network access control (NAC) technologies, or a stepping stone to a full implementation of Microsoft's Network Access Protection (NAP) in large enterprises. Either way, it’s time for organizations to take a closer look at IPSec’s capabilities.

Since Windows 2000, IPSec has been included in every Microsoft Windows desktop and server operating system. As a staple of the operating system, it’s surprising that more companies don't take advantage of the technology, but many IT professionals still labor under the notion that IPSec is a VPN technology only used for remote connectivity.

"The knee-jerk reaction is that IPSec is used for VPN," said Microsoft’s Ian Hameroff in a blog. "We want to unlock the other value [in IPSec]." While IPSec certainly can be used in VPNs, it can also be used for basic packet filtering, or blocking solely based on source or destination IP, source or destination port and network protocol.

The real power of IPSec, however, is in its ability to protect managed Windows machines from non-managed machines by requiring authentication before network communications can occur between two hosts. This authentication is based on Kerberos, certificates, or pre-shared keys, and optionally, encryption can be enforced to secure communications between endpoints.

Microsoft calls this method of protecting managed endpoints and servers from un-managed machines "domain isolation" or "server isolation." The company has produced a significant amount of documentation on what it is and how to implement it. In 2004, Microsoft deployed domain isolation using IPSec within its own enterprise network, protecting over 200,000 systems.

There is a clear need for this sort of endpoint protection. In a survey published earlier this month, the Ponemon Institute and Deloitte & Touche found that 85 percent of enterprises have suffered at least one reportable security breach in the last 12 months, and a staggering 63 percent said they suffered between six and 20. (See Study: Breaches of Personal Data Now Prevalent in Enterprises.)

IPSec could prevent some of these breaches by simply stopping rogue machines from communicating to the managed Windows machines. Even malicious attacks that attempt to wrest remote administrative access from vulnerable Windows services would be prevented, because the connection wouldn’t be allowed without the attacking machine being part of the domain and authenticating first.

If your company is one of the many that are planning to implement NAC, IPSec should be an important consideration in your technology selection. Unlike other NAC solutions, Microsoft's NAP can quarantine hosts using IPSec in addition to DHCP, VPN, and 802.1x enforcement.

With NAP and IPSec, if a Windows endpoint does not meet the required health checks (antivirus installed and updated, latest Microsoft patches applied, etc.), it would only be allowed to talk with the NAP servers to begin remediation. Once the endpoint has passed the health checks, a health certificate server provides a certificate proving that the host is in good health. IPSec policies would then allow the "healthy" endpoint to communicate to other managed hosts.

So if IPSec is so great, why isn't it more widely used? One answer is its history. Besides being commonly perceived as a VPN-only technology, Microsoft's IPSec has been difficult to configure in the past. In fact, it previously, had to be configured independently of the Windows Firewall, which sometimes led to contradicting policies.

Recognizing these issues, Microsoft released the Simple Policy Update for IPSec in 2006 for Windows XP and Server 2003, and the company has combined the configuration of IPSec and Windows Firewall in Vista and Server 2008. Is it too late to change users' minds about IPSec? Only time will tell.

Windows-based IPSec also may be perceived as a Microsoft-centric solution that doesn’t extend well to other platforms, such as Linux and Mac OS X. In the case of NAP, that won’t be true for long -- Microsoft has more than 100 NAP partners, and several of them are working on NAP clients for Linux and Mac. If you want some examples, take a closer look at UNETsystem Co. Ltd. and Avenda Systems Inc.

Last May, Microsoft’s Open Source Software (OSS) Lab completed IPsec interoperability testing between Linux and Vista, which seems promising. In the test, the lab successfully established authenticated and encrypted communications between Linux and Vista endpoints using certificates and pre-shared keys. This testing could eventually make it possible for Linux systems to coexist in an IPSec domain or server isolation environment with a Windows host. So far, however, we haven't seen any similar testing with MacOS.

If your IT shop has looked at Microsoft's implementation of IPSec in the past and dismissed it, it’s time to take another look. The technology has been improved. The price is right -- it's already included in Windows at no extra charge -- and the added security of domain and server isolation is protection that could prevent unnecessary data breaches by rogue machines. And it's a great start toward NAC, which is already supported by Vista and will be included in Server 2008 and Service Pack 3 for Windows XP.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.

  • Deloitte & Touche USA LLP
  • Microsoft Corp. (Nasdaq: MSFT)
  • Ponemon Institute LLC

    Comment  | 
    Print  | 
    More Insights
  • Comments
    Oldest First  |  Newest First  |  Threaded View
    7 Old IT Things Every New InfoSec Pro Should Know
    Joan Goodchild, Staff Editor,  4/20/2021
    Cloud-Native Businesses Struggle With Security
    Robert Lemos, Contributing Writer,  5/6/2021
    Defending Against Web Scraping Attacks
    Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
    Register for Dark Reading Newsletters
    White Papers
    Current Issue
    2021 Top Enterprise IT Trends
    We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
    Flash Poll
    How Enterprises are Developing Secure Applications
    How Enterprises are Developing Secure Applications
    Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
    Twitter Feed
    Dark Reading - Bug Report
    Bug Report
    Enterprise Vulnerabilities
    From DHS/US-CERT's National Vulnerability Database
    PUBLISHED: 2021-05-13
    Piwigo 11.4.0 allows admin/user_list_backend.php order[0][dir] SQL Injection.
    PUBLISHED: 2021-05-13
    The Flask-Caching extension through 1.10.1 for Flask relies on Pickle for serialization, which may lead to remote code execution or local privilege escalation. If an attacker gains access to cache storage (e.g., filesystem, Memcached, Redis, etc.), they can construct a crafted payload, poison the ca...
    PUBLISHED: 2021-05-13
    Bitcoin Core 0.12.0 through 0.21.1 does not properly implement the replacement policy specified in BIP125, which makes it easier for attackers to trigger a loss of funds, or a denial of service attack against downstream projects such as Lightning network nodes. An unconfirmed child transaction with ...
    PUBLISHED: 2021-05-13
    The HTMLSanitizer class in html-sanitizer.ts in all released versions of the Aurelia framework 1.x repository is vulnerable to XSS. The sanitizer only attempts to filter SCRIPT elements, which makes it feasible for remote attackers to conduct XSS attacks via (for example) JavaScript code in an attri...
    PUBLISHED: 2021-05-13
    An information disclosure vulnerability in ILIAS before 5.3.19, 5.4.12 and 6.0 allows remote authenticated attackers to get the upload data path via a workspace upload.