Security Portal: IPSec - We've Got a Ways to Go (Part I)
Jul 19, 2000, 07:07
By Kurt Seifried
"IPSec, supposedly the next great thing that will fix most (if not all) our network security problems. No longer will attackers be able to sniff network traffic, hijack connections or spoof servers. Hijacking domain names will be impossible with DNSSEC, and redirecting people to fake Websites will be a thing of the past. Or will it? There are currently a lot of problems and shortcomings with IPSec that prevent the majority of network traffic from being encrypted."
"Right now IPSec is being deployed primarily in two environments. The first is gateway to gateway, behind which are normal IPv4 LANs moving unencrypted data around. In order to connect them securely over the Internet, IPSec gateways are deployed to encrypt traffic going through them. This is very useful for connecting branch offices together, and in other similar situations."
"Alternatively, since LANs require a higher degree of security, IPSec is deployed to all the desktops and servers in question, resulting in all LAN traffic (interesting stuff like file and print transfers, authentication sessions and so on) being strongly encrypted. If an attacker breaks into this LAN they will not be able to sniff for passwords or spoof machines, as all the IP traffic is encrypted and authenticated."
"Both of these methods are, generally speaking, very time- and effort-intensive. You need to deploy IPSec software to the gateways in question, and then do a lot of configuration, gateway to gateway connection, subnet(s) to subnet(s) through the gateway connections, and so on. If you have five sites with two subnets behind each gateway, and you want a full mesh, you are going to need to configure many IPSec tunnels (in some cases, almost 100 connections)."
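To make the full-mesh configuration burden concrete, here is an added example (not part of Seifried's article, and not any vendor's tooling) that enumerates the subnet-to-subnet tunnels a full mesh needs and renders them as FreeS/WAN-style `conn` stanzas. The topology (five sites, two subnets each, RFC 5737 addresses for the gateways and RFC 1918 space for the LANs) is constructed for the example, and the stanza keywords (`left`, `leftsubnet`, `authby`, `auto`) are assumed from the FreeS/WAN `ipsec.conf` syntax of the era; other implementations use different names.

```python
"""Enumerate the IPsec tunnels a full mesh of gateways needs.

Constructed example: five sites, two LAN subnets behind each gateway.
Gateway addresses come from the RFC 5737 documentation range, LANs from
RFC 1918 space. The output is modelled on FreeS/WAN "conn" stanzas;
exact keywords vary between IPsec implementations.
"""
from itertools import combinations, product

# Constructed topology: site name -> (public gateway address, LAN subnets)
SITES = {
    "hq":      ("192.0.2.1", ["10.1.0.0/24", "10.1.1.0/24"]),
    "branch1": ("192.0.2.2", ["10.2.0.0/24", "10.2.1.0/24"]),
    "branch2": ("192.0.2.3", ["10.3.0.0/24", "10.3.1.0/24"]),
    "branch3": ("192.0.2.4", ["10.4.0.0/24", "10.4.1.0/24"]),
    "branch4": ("192.0.2.5", ["10.5.0.0/24", "10.5.1.0/24"]),
}


def gateway_pairs(sites):
    """Every unordered pair of gateways; each pair needs its own IKE SA."""
    return list(combinations(sorted(sites), 2))


def mesh_tunnels(sites):
    """One subnet-to-subnet tunnel for every (subnet at A, subnet at B) pair.

    This is the combinatorial explosion the text describes: with S sites
    and N subnets each, the mesh needs C(S, 2) * N * N tunnels.
    """
    tunnels = []
    for a, b in gateway_pairs(sites):
        gw_a, nets_a = sites[a]
        gw_b, nets_b = sites[b]
        for net_a, net_b in product(nets_a, nets_b):
            tunnels.append({"left": a, "leftgw": gw_a, "leftsubnet": net_a,
                            "right": b, "rightgw": gw_b, "rightsubnet": net_b})
    return tunnels


def sa_counts(sites):
    """Count security associations: one IKE SA per gateway pair, and two
    IPsec SAs per tunnel (IPsec SAs are unidirectional, so each tunnel
    needs one SA per direction)."""
    tunnels = mesh_tunnels(sites)
    ike = len(gateway_pairs(sites))
    ipsec = 2 * len(tunnels)
    return {"tunnels": len(tunnels), "ike_sas": ike,
            "ipsec_sas": ipsec, "total_sas": ike + ipsec}


def conn_name(t):
    """Deterministic stanza name; '/' is not valid in a conn name."""
    return "{}-{}--{}-{}".format(t["left"], t["leftsubnet"],
                                 t["right"], t["rightsubnet"]).replace("/", "_")


def render_conn(t):
    """Render one tunnel as a FreeS/WAN-style conn stanza (assumed syntax)."""
    return "\n".join([
        f"conn {conn_name(t)}",
        f"    left={t['leftgw']}",
        f"    leftsubnet={t['leftsubnet']}",
        f"    right={t['rightgw']}",
        f"    rightsubnet={t['rightsubnet']}",
        "    authby=rsasig",   # certificate/RSA keys rather than a shared secret
        "    auto=start",
    ])


def render_config(sites):
    """Full ipsec.conf body for the mesh: one stanza per tunnel."""
    return "\n\n".join(render_conn(t) for t in mesh_tunnels(sites))


if __name__ == "__main__":
    print(sa_counts(SITES))
    print(render_config(SITES))
```

For the five-site, two-subnet topology this yields 40 tunnels, 80 IPsec SAs and 10 IKE SAs, 90 SAs in all, which matches the "almost 100 connections" figure in the excerpt. Note also that every stanza has to be configured on both gateways it touches, so the per-gateway work grows linearly with the number of peers and the total work quadratically with the number of sites.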