Cyber Security Institute

Tuesday, January 17, 2006

An Inside Look at IPSec in Vista

IPSec has traditionally been used to secure remote access connections.  In the last few years this has been changing, as IPSec moves from the WAN into the LAN to secure internal network traffic against eavesdropping and modification.  The whole thing is pretty complex to set up and manage, and though IPSec management tools were improved in Windows XP, they’re not really very intuitive to use.  Things are going to be better in Windows Vista, at least to a degree.

One big change in Vista is in the TCP/IP networking stack itself.  Vista has a totally revamped Next Generation TCP/IP stack that has a ton of enhancements with regard to performance, scalability, and extensibility.  There’s also a new architecture called Windows Filtering Platform (WFP) that provides APIs for accessing packets at virtually any point in the path as they are processed by the stack.  These changes to the stack affect how IPSec works because of the addition of built-in callout functions that can be used for IPSec communications.

A list of APIs for this feature can be found on MSDN if you’re a developer interested in building IPSec-aware applications and tools.  Note that these APIs, like any other feature of Vista, are subject to change before RTM.

Another change in Vista is that management of IPSec and Windows Firewall now are tied closely together.  This is accomplished by integrating the firewall filtering functions and IPSec protection settings and managing them using a single snap-in called Windows Firewall with Advanced Security.

There are also unified command-line tools you can use to manage both Windows Firewall and IPSec settings.  In fact, even the Group Policy settings for Windows Firewall and IPSec are now in the same place with Vista and are found under Computer Configuration\Windows Settings\Security Settings\Windows Firewall with Advanced Security.  By contrast, on existing Windows XP and Windows Server 2003 platforms the two are managed separately, so it’s possible to set up firewall filters that conflict with IPSec policies and prevent network traffic from working the way you intend it to.  With a single console for configuring both Windows Firewall and IPSec settings, there’s less chance for errors like this to occur, which is good since IPSec problems are notoriously difficult to troubleshoot.

Finally, the new console and command-line tools for managing Windows Firewall and IPSec settings are designed to make it a heck of a lot easier to configure IPSec policies in the first place.
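As an added illustration (not from the original post) of the unified command-line management described above, the following batch script uses Vista's netsh advfirewall context, which covers both firewall rules and IPSec connection security rules.  The rule names, the internal subnet 192.168.10.0/24 and the use of TCP 445 are assumptions chosen for the example.

```batch
@echo off
rem Added example, not code from the original post. On Vista the unified
rem command-line tool is the "netsh advfirewall" context, which manages
rem both firewall rules and IPSec connection security rules.
rem Rule names, the subnet and the port are assumptions for illustration;
rem run from an elevated command prompt.

rem 1. IPSec connection security rule (what the old IPSec snap-in handled):
rem    require authentication for inbound traffic from the internal subnet,
rem    request it for outbound, using computer Kerberos credentials
rem    (domain membership), as in a domain-isolation policy.
netsh advfirewall consec add rule name="Example - Domain isolation" ^
    endpoint1=any endpoint2=192.168.10.0/24 ^
    action=requireinrequestout auth1=computerkerb profile=domain enable=yes

rem 2. Firewall rule (what the old firewall settings handled), written in
rem    the same context: allow inbound SMB (TCP 445) only when the connection
rem    is protected by the IPSec rule above. security=authenticate ties the
rem    two halves together and avoids the XP/2003 situation of a firewall
rem    filter silently blocking traffic that the IPSec policy permits.
netsh advfirewall firewall add rule name="Example - SMB in, IPSec only" ^
    dir=in action=allow protocol=TCP localport=445 ^
    security=authenticate profile=domain enable=yes

rem 3. Review both halves of the configuration side by side.
netsh advfirewall consec show rule name="Example - Domain isolation"
netsh advfirewall firewall show rule name="Example - SMB in, IPSec only"

rem 4. Cleanup when the test is finished (uncomment to run).
rem netsh advfirewall firewall delete rule name="Example - SMB in, IPSec only"
rem netsh advfirewall consec delete rule name="Example - Domain isolation"
```

Applying the same rules through Group Policy under the path named above keeps them consistent across domain members instead of per machine.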

The question is whether these enhancements on the client side will work with current Windows servers, or whether we’ll have to wait for Longhorn Server to see these benefits fully realized.

First, a Microsoft PressPass news release concerning the December 2005 Community Technology Preview (CTP) of Windows Vista says that the new integrated firewall/IPSec console “centralizes inbound and outbound traffic filtering along with IPSec server and domain isolation settings in the user interface.”  And Vista is designed to help make domain isolation easier to implement—though Longhorn Server will probably be required for domain isolation to be truly simple to configure.

And second, Vista supports Network Access Protection (NAP), a new security technology that extends the Network Access Quarantine Control feature of Windows Server 2003 to help protect Active Directory-based networks from infected, misconfigured, or otherwise unhealthy client computers.  Vista will change some of that on the client side, and Longhorn Server will bring this elusive goal even closer.

Meanwhile, the enhancements to TCP/IP and the IPSec management improvements found in Vista will make IPSec easier to use in the enterprise and likely lead to more organizations adopting it as an inside network protection technology.

Posted on 01/17