IPSec's double-edged security

Many network technologies have held the promise of revolutionizing and replacing existing wares. So it was with IP Security (IPSec), a virtual private network (VPN) security technology with integrated support for shared-secret-key and digital-certificate authentication. IPSec also supports encryption with the Data Encryption Standard (DES) and Triple-DES. IPSec held the promise of replacing less sophisticated security technologies while still guaranteeing a level of interoperability among different vendors of IPSec products.

It's certainly no secret that IPSec - indeed any network encryption technology - is inherently incompatible with the network features and services that require the correct identification of traffic content. For instance, because IPSec hides source and destination IP addresses and port numbers of the real end stations, it is impossible for Layer 4 switches to forward IPSec traffic to appropriate servers or applications.

A similar problem arises in running IPSec connections across the current generation of carrier-class ATM-based VPNs. Unlike IPSec-based VPNs, today's ATM VPNs offer no encryption or authentication between ATM edge devices, but rather rely upon dedicated circuits across the ATM cloud with carrier-controlled access and authentication. However, assigning the appropriate circuit to each traffic stream means identifying the traffic content, a task made virtually impossible by the encryption of the data content within IPSec streams.

Many customers could accept IPSec's incompatibility with Layer 4 switches, and even with carrier VPN services. But few were prepared for the incompatibility of IPSec with some of the leading firewall technologies. More specifically, the strongest firewall protections - those that rely upon application proxies - require that the firewall interact directly with the applications passing through it. Unfortunately, the firewall cannot determine the application content of IPSec traffic, let alone intercept application commands and data, because all IPSec content is encrypted.

Allowing IPSec traffic through a firewall would mean punching a gaping hole in the firewall to allow passage of any traffic that matched only rudimentary frame header information that merely suggested that it was legitimate IPSec traffic. This might weaken overall network security rather than strengthen it.

Instead, the strategy many customers have been forced to implement involves dual parallel security. This plan uses a firewall and an IPSec gateway in parallel. Incoming IPSec connections target the gateway, whereas non-IPSec traffic targets the firewall.
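To make the column's point concrete, the following is an added illustration (not code from the article or The Tolly Group) of what a packet filter or Layer 4 switch can actually read from a TCP packet versus an ESP or AH packet, and of the "dual parallel" policy that sends IPSec only to a gateway. The packets are constructed inline, and the gateway address is a hypothetical placeholder.

```python
import struct

IP_PROTO_TCP, IP_PROTO_ESP, IP_PROTO_AH = 6, 50, 51
GATEWAY = "203.0.113.10"  # hypothetical IPSec gateway address (placeholder)

def ipv4(proto, src, dst, payload):
    """Build a minimal IPv4 header (no options, checksum left zero) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes(map(int, src.split("."))),
                      bytes(map(int, dst.split("."))))
    return hdr + payload

def classify(pkt):
    """Return only the fields a header-matching device can recover from the packet."""
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    l4 = pkt[ihl:]
    if proto == IP_PROTO_TCP:
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": "tcp", "src": src, "dst": dst, "sport": sport, "dport": dport}
    if proto == IP_PROTO_ESP:
        spi, seq = struct.unpack("!II", l4[:8])
        # After the SPI and sequence number everything is ciphertext: the inner
        # addresses, ports and application commands are not recoverable here.
        return {"proto": "esp", "src": src, "dst": dst, "spi": spi, "seq": seq}
    if proto == IP_PROTO_AH:
        spi, seq = struct.unpack("!II", l4[4:12])  # next hdr, len, reserved precede SPI
        return {"proto": "ah", "src": src, "dst": dst, "spi": spi, "seq": seq}
    return {"proto": proto, "src": src, "dst": dst}

def parallel_policy(pkt):
    """Dual parallel security: ESP/AH permitted only toward the IPSec gateway,
    everything else handed to the proxy firewall for application inspection."""
    info = classify(pkt)
    if info["proto"] in ("esp", "ah"):
        return "permit-to-gateway" if info["dst"] == GATEWAY else "drop"
    return "inspect-at-firewall"

# Constructed sample packets: a clear-text HTTP request and an ESP packet whose
# payload is an opaque (here fake) ciphertext blob of the same inner flow.
TCP_PKT = ipv4(IP_PROTO_TCP, "198.51.100.7", "203.0.113.20",
               struct.pack("!HH", 40000, 80) + b"\x00" * 16 + b"GET / HTTP/1.0\r\n")
ESP_PKT = ipv4(IP_PROTO_ESP, "198.51.100.7", GATEWAY,
               struct.pack("!II", 0x1000ABCD, 1) + bytes(range(32)))
ESP_STRAY = ipv4(IP_PROTO_ESP, "198.51.100.7", "203.0.113.20",
                 struct.pack("!II", 0x1000ABCD, 2) + bytes(range(32)))
```

Note that `classify` yields a destination port for the TCP packet but only an SPI for ESP, which is exactly why a Layer 4 switch or application proxy has nothing to act on once the flow is wrapped in IPSec.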

There is no question that IPSec exceeds the simple authentication and verification of a firewall, providing vendor-independent encryption. The question customers should ask is, "Should we deploy IPSec with its sophisticated authentication and encryption, or rely upon more straightforward security systems such as firewalls and carrier-based circuit VPNs that are more universally available?" The answer, quite simply, is "Yes." Neither is perfect and complete. Neither will replace the other.

Curtis is director of engineering with The Tolly Group, a strategic consulting and independent testing firm in Manasquan, N.J. Curtis is sitting in for regular columnist Kevin Tolly this week. He may be reached at (732) 528-3300 or www.tolly.com.

Kevin Tolly is president and CEO of The Tolly Group. Reach him via e-mail at ktolly@tolly.com.