“IPSec, supposedly the next great thing that will fix most
(if not all) our network security problems. No longer will
attackers be able to sniff network traffic, hijack connections or
spoof servers. Hijacking domain names will be impossible with
DNSSEC, and redirecting people to fake Websites will be a thing of
the past. Or will it? There are currently a lot of problems
and shortcomings with IPSec that prevent the majority of network
traffic from being encrypted.”
“Right now IPSec is being deployed primarily in two
environments. The first is gateway to gateway, behind which are
normal IPv4 LANs moving unencrypted data around. In order to
connect them securely over the Internet, IPSec gateways are
deployed to encrypt traffic going through them. This is very useful
for connecting branch offices together, and in other similar
situations.”
“Alternatively, since LANs require a higher degree of security,
IPSec is deployed to all the desktops and servers in question,
resulting in all LAN traffic (interesting stuff like file and print
transfers, authentication sessions and so on) being strongly
encrypted. If an attacker breaks into this LAN they will not be
able to sniff for passwords or spoof machines, as all the IP
traffic is encrypted and authenticated.”
“Both of these methods are, generally speaking, very time- and
effort-intensive. You need to deploy IPSec software to the gateways
in question, and then do a lot of configuration, gateway to gateway
connection, subnet(s) to subnet(s) through the gateway connections,
and so on. If you have five sites with two subnets behind each
gateway, and you want a full mesh, you are going to need to
configure many IPSec tunnels (in some cases, almost 100
connections).”
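To make the "almost 100 connections" figure concrete, here is a small planning script (an added example, not code from the quoted article) that enumerates every subnet-to-subnet tunnel a full mesh needs and totals the resulting security associations. The counting rules are assumptions: each subnet pair between two gateways is one tunnel, each tunnel needs one IPsec SA per direction, each gateway pair needs one IKE SA, and each tunnel must be configured at both ends. With five sites and two subnets each this gives 40 tunnels, 90 SAs and 80 per-gateway configuration entries, which is where the quadratic cost of a mesh comes from.

```python
from itertools import combinations, product

# Constructed sample topology: five sites, two private subnets behind each gateway.
SITES = {
    "hq":      ["10.1.0.0/24", "10.1.1.0/24"],
    "branch1": ["10.2.0.0/24", "10.2.1.0/24"],
    "branch2": ["10.3.0.0/24", "10.3.1.0/24"],
    "branch3": ["10.4.0.0/24", "10.4.1.0/24"],
    "branch4": ["10.5.0.0/24", "10.5.1.0/24"],
}


def full_mesh_tunnels(sites):
    """Return every (site_a, subnet_a, site_b, subnet_b) tunnel for a full mesh.

    sites maps a site name to the list of subnets behind its gateway. Each pair
    of gateways gets one tunnel per (local subnet, remote subnet) combination,
    which is the subnet(s)-to-subnet(s) configuration the article describes.
    """
    tunnels = []
    for a, b in combinations(sorted(sites), 2):
        for sub_a, sub_b in product(sites[a], sites[b]):
            tunnels.append((a, sub_a, b, sub_b))
    return tunnels


def sa_count(n_sites, subnets_each, per_direction=True, include_ike=True):
    """Total security associations for a full mesh under the assumed rules:
    one IPsec SA per tunnel per direction, plus one IKE SA per gateway pair."""
    gateway_pairs = n_sites * (n_sites - 1) // 2
    tunnels = gateway_pairs * subnets_each * subnets_each
    sas = tunnels * (2 if per_direction else 1)
    if include_ike:
        sas += gateway_pairs
    return sas


def config_entries_per_gateway(sites):
    """How many tunnel entries each gateway must carry: every tunnel is
    configured at both ends, so each tunnel appears in two gateways' configs."""
    entries = {name: 0 for name in sites}
    for a, _, b, _ in full_mesh_tunnels(sites):
        entries[a] += 1
        entries[b] += 1
    return entries


if __name__ == "__main__":
    tunnels = full_mesh_tunnels(SITES)
    print(f"tunnels to define: {len(tunnels)}")
    print(f"security associations (IPsec both ways + IKE): {sa_count(5, 2)}")
    entries = config_entries_per_gateway(SITES)
    print(f"config entries per gateway: {entries}")
    print(f"config entries total: {sum(entries.values())}")
    for t in tunnels[:4]:
        print("  ", t)
```

Adding a sixth site with two subnets raises the tunnel count from 40 to 60 and the SA count from 90 to 135, so the effort grows with the square of the site count; that is the practical reason most deployments fall back to hub-and-spoke or a single aggregate subnet per gateway rather than a subnet-level mesh.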