Tulloch: What difficulties do network administrators face when they implement IPsec on their internal networks like this?
Dixon: Often there is some confusion related to their experience with IPsec used for router-to-router tunneling or VPN remote access. The client-server scenarios I've referred to use IPsec transport mode, not tunnel mode. In the Windows implementation, IPsec transport mode doesn't require static IPs or Windows Certificate Authority certificates. It can be used with DHCP-addressed clients and servers, and with many third-party PKI vendors. I guess the most common technical barrier I see is the conflict created by having a third-party IPsec VPN client installed which disables the native Windows IPsec capabilities. The second most common technical issue is that large internal networks often have some kind of internal NAT. However, Windows IPsec supports UDP encapsulation for NAT traversal. So clients behind an internal NAT can use IPsec transport mode to hosts on the rest of the internal network. The most common policy barrier is the requirement to inspect traffic. You can configure IPsec to provide authentication only. Or you can terminate IPsec at the inspection point, create a trusted proxy for example.
I said earlier IPsec is "fairly easy" to use because, like any technology, there is a learning curve to overcome. Detailed knowledge about the capabilities of the implementation is required to design IPsec policies that work for a particular environment.
To help address all of the planning and impact considerations, I co-authored with Microsoft a very detailed planning and troubleshooting guide called Server and Domain Isolation Using IPsec. I was really happy to publish this guide so we could make it easier to design solutions. My company now is focused almost exclusively on helping deploy this and other scenarios using IPsec for IPv4 and IPv6, and on training IT services companies to be able to do this.
Tulloch: Can you point network administrators to some good resources for deploying IPsec to secure internal networks?
Dixon: It's probably best to rely on each vendor's documentation about their IPsec implementation. While at Microsoft, I helped author most of the Windows IPsec guides, online help, resource kit chapters, white papers, etc. The architecture and design white papers are the place to start for envisioning how IPsec might be used to solve your network security issues. The most in-depth guide we wrote about the technology was the Windows Server 2003 IPsec Technical Reference. The best troubleshooting guide is Chapter 7 of the Server and Domain Isolation Guide. (See http://www.microsoft.com/ipsec and http://www.microsoft.com/sdisolation.)
Tulloch: Finally, any thoughts concerning IPv6 and IPsec enhancements in the upcoming Windows Vista platform?
Dixon: I'm very happy with the integration of Windows Firewall, IPsec Policy, and full IPsec for IPv6 in Windows Vista. It is important to understand that you can simulate IPv6 security scenarios with IPsec for IPv4 now. Windows Vista will be the first release to make available IPsec options for IPv6 sockets so that applications can integrate IPsec protection for their traffic. It pains me to know that developers will probably wait several years until Windows Vista becomes as common as Windows 2000 clients are now.
I think the Network Access Protection (NAP) capabilities of Windows Vista and Longhorn Server are extremely interesting. NAP can do client health checks not only during the 802.1x and DHCP authentication, but also during IPsec IKE authentication. Thus a Server Isolation scenario today will be able to provide even stronger assurance and authorization using IPsec-based NAP policies.
There is one problem still that is really important to solve so that applications will have end-to-end IPv6 connectivity: the barrier of the host firewall. Host firewalls now are extremely common. So how would a peer-to-peer IPv6 application connect to another peer? I think the answer could be that the application uses IPsec socket options to authenticate and the firewall can then authorize that inbound connection. I've just finished a paper to describe this if anyone is interested at V6 Security, and the paper is titled "Unblocking IPv6 Applications: Safely Connecting Through Host and Edge Firewalls with IPsec."
Tulloch: Thanks for your time, William, and for being willing to share your knowledge with O'Reilly readers.