Infosecurity Today, September/October 2005, p. 17

ICSA Labs

IPSec bake off in San José

Mark Zimmerman, Program Manager, ICSA Labs

The world of IPsec Virtual Private Networks (VPNs) has come to a crossroads.

This technology was originally specced in the mid to late 1990s and implemented early in the automotive industry. It is now coming out with a new updated revision. Foremost of the capabilities in this new technology is the Internet Key Exchange Version 2, or IKEv2, which allows a VPN device to create secure encrypted tunnels that are able to transport information across non-secure data paths, while keeping the content safe from prying eyes.

This technology became a boon in the late 1990s for any organization with geographically separated offices needing to link their computer networks, and was an affordable alternative to the premium price of leased lines. With an increased focus on identity theft worldwide, the drive to assure data integrity keeps this technology in the procurement cycles of many corporations.

Needless complication

It has been long said that until any information security technology becomes seamless to the user it will not reach its full market potential. More specifically, current IPsec technology has long been criticized as being gratuitously complicated. It is very difficult to implement disparate vendor VPN products.

Corporations dealing with mergers and acquisitions found it difficult to incorporate multiple vendor solutions. And so, the Internet Engineering Task Force (IETF) took up the task of remedying these issues, and has vetted 17 revisions of technical drafts that are in the final stages of review before becoming a Technical Standard.

The bake-off

In an effort to avoid the teething pains experienced with the first go-around of IPsec VPN products, ICSA Labs is hosting multiple IPsec VPN Interoperability Workshops where vendors can bring their IKEv2-based beta products off their R&D benches and test them against peers.

ICSA Labs started interoperability testing in 1998 and has conducted many thousands of interoperability certification tests. The VPN Interoperability Workshops have become a tool for ICSA Labs to use in providing solution implementers with an in-depth knowledge of the virtues of IPsec technology.

The first such event was held in February of 2005 in Silicon Valley — in San Jose, California. Many of the vendors just unplugged their products from their development labs and drove down the 101 to an itinerant ICSA Labs IPsec test lab, where they were able to set up and test functionality and interoperability against their competitors’ products for a week. Twenty-four-hour security was set up at the event to avoid any instances of industrial espionage; after all, the products resting on cheap folding tables in a hotel ballroom represented millions of dollars in R&D spending.

Collaboration

Some products were in effect ready to ship to the customer while others were clearly in the earlier stages of product development and not ready for prime time. All who attended benefited greatly from the experience of being able to interact, communicate, and discuss their products and the new underlying technology. In fact it was so much of a success that planning for the next workshop began immediately and is scheduled to be held in Toronto, Canada the week of 19 September 2005. It was decided that the workshop would take place outside of the United States to assist international vendors with travel restrictions.

Tests for the workshops are broken up into three sets — the first dealing with basic functionality, the second with secure tunnel maintenance, and the third dealing with extended functions, such as authentication using digital certificates and the intricacies of communicating behind devices serving as network address translators or NAT devices.

In the first workshop most vendors concentrated on and were successful within the first test set; however, much progress has been made throughout the summer and will yield more comprehensive test results in the area of re-keying and the use of extended functions.

For information regarding the Toronto IPSec bakeoff on 19 September 2005, see https://www.icsalabs.com/icsa/docs/html/communities/ipsec/bakeoff/Registration_2.html.

Hundreds of millions of dollars of R&D in a hotel ballroom
