1
17 Infosecurity Today September/October 2005 i c s a l a b s IPSec bake off in San José Mark Zimmerman, Program Manager, ICSA Labs T his technology was originally specced in the mid to late 1990s and imple- mented early in the automotive industry. It is now coming out with a new up- dated revision. Foremost of the capabili- ties in this new technology is the Internet Key Exchange Version 2, or IKEv2, which allows a VPN device to create secure encrypted tunnels that are able to transport information across non- secure data paths, while keeping the content safe from prying eyes. This technology became a boon in the late 1990s for any organization with geo- graphically separated offices needing to link their computer networks, and was an affordable alternative to the premium price of leased lines.With an increased focus on identity theft worldwide, the drive to assure data integrity keeps this technology in the procurement cycles of many corporations. Needless complication It has been long said that until any infor- mation security technology becomes seamless to the user it will not reach its full market potential.More specifically, current IPsec technology has long been criticized as being gratuitously compli- cated. It is very difficult to implement disparate vendor VPN products. Corporations dealing with mergers and acquisitions found it difficult to in- corporate multiple vendor solutions.And so, the Internet Engineering Task Force (IETF) took up the task of remedying these issues, and has vetted 17 revisions of technical drafts that are in the final stages of review before becoming a Technical Standard. The bake-off In an effort to avoid the teething pains experienced with the first go-around of IPsec VPN products, ICSA Labs is hosting multiple IPsec VPN Interoperability Workshops where vendors can bring their IKEv2 based beta products out off of their R&D benches and test them against peers. ICSA Labs started interoperability test- ing in 1998 and has conducted many thousands of interoperability certifica- tion tests.The VPN Interoperability Workshops have become a tool for ICSA Labs to use in providing solution imple- menters with an in-depth knowledge of the virtues of IPsec technology The first such event was held in February of 2005 in Silicon Valley — in San Jose, California. Many of the vendors just unplugged their products from their development labs and drove down the 101 to an itinerant ICSA Labs IPsec test lab, where they were able to set up and test functionality and interoperability against their competitors’ products for a week.Twenty four hour security was set up at the event to avoid any instances of industrial espionage; after all, the prod- ucts resting on cheap folding tables in a Hotel Ballroom represented millions of dollars in R&D spending. Collaboration Some products were in effect ready to ship to the customer while others were clearly in the earlier stages of product development and not ready for prime time.All who attended benefited greatly from the experience of being able to in- teract, communicate, and discuss their products and the new underlying tech- nology.In fact it was so much of a suc- cess that planning for the next work- shop began immediately and is sched- uled to be held in Toronto Canada the week of 19 September 2005. It was de- cided that the workshop would take place outside of the United States to as- sist international vendors with travel re- strictions. Tests for the workshops are broken up into three sets — the first dealing with basic functionality, the second with se- cure tunnel maintenance, and the third dealing with extended functions, such as authentication using digital certificates and the intricacies of communicating be- hind devices serving as network address translators or NAT devices. In the first workshop most vendors concentrated on and were successful within the first test set, however, much progress has been made throughout the summer and will yield more comprehen- sive test results in the area of re-keying and the use of extended functions. For information regarding the Toronto IPSec bakeoff on 19 September 2005, see https://www.icsalabs.com/icsa/docs/html /communities/ipsec/bakeoff/Registration _2.html. The world of IPsec Virtual Private Networks (VPNs) has come to a crossroads. Hundred of millions of dollars of R&D in a hotel ballroom

IPSec bake off in San José

Embed Size (px)

Citation preview

Page 1: IPSec bake off in San José

17In

fosecu

rity Tod

aySeptem

ber/October 2005

ic

sa

l

ab

s

IPSec bake off in San José Mark Zimmerman, Program Manager, ICSA Labs

This technology was originally speccedin the mid to late 1990s and imple-

mented early in the automotive industry.

It is now coming out with a new up-dated revision. Foremost of the capabili-ties in this new technology is theInternet Key Exchange Version 2, orIKEv2, which allows a VPN device tocreate secure encrypted tunnels that areable to transport information across non-secure data paths, while keeping thecontent safe from prying eyes.

This technology became a boon in thelate 1990s for any organization with geo-graphically separated offices needing tolink their computer networks, and wasan affordable alternative to the premiumprice of leased lines.With an increasedfocus on identity theft worldwide, thedrive to assure data integrity keeps thistechnology in the procurement cycles ofmany corporations.

Needless complicationIt has been long said that until any infor-mation security technology becomesseamless to the user it will not reach itsfull market potential. More specifically,current IPsec technology has long beencriticized as being gratuitously compli-cated. It is very difficult to implementdisparate vendor VPN products.

Corporations dealing with mergersand acquisitions found it difficult to in-corporate multiple vendor solutions.Andso, the Internet Engineering Task Force(IETF) took up the task of remedyingthese issues, and has vetted 17 revisionsof technical drafts that are in the finalstages of review before becoming aTechnical Standard.

The bake-offIn an effort to avoid the teething painsexperienced with the first go-around ofIPsec VPN products, ICSA Labs is hostingmultiple IPsec VPN InteroperabilityWorkshops where vendors can bringtheir IKEv2 based beta products out offof their R&D benches and test themagainst peers.

ICSA Labs started interoperability test-ing in 1998 and has conducted manythousands of interoperability certifica-tion tests.The VPN InteroperabilityWorkshops have become a tool for ICSALabs to use in providing solution imple-menters with an in-depth knowledge ofthe virtues of IPsec technology

The first such event was held inFebruary of 2005 in Silicon Valley — inSan Jose, California. Many of the vendorsjust unplugged their products from theirdevelopment labs and drove down the

101 to an itinerant ICSA Labs IPsec testlab, where they were able to set up andtest functionality and interoperabilityagainst their competitors’ products for aweek.Twenty four hour security was setup at the event to avoid any instances ofindustrial espionage; after all, the prod-ucts resting on cheap folding tables in aHotel Ballroom represented millions ofdollars in R&D spending.

CollaborationSome products were in effect ready toship to the customer while others wereclearly in the earlier stages of productdevelopment and not ready for primetime.All who attended benefited greatlyfrom the experience of being able to in-teract, communicate, and discuss theirproducts and the new underlying tech-nology. In fact it was so much of a suc-cess that planning for the next work-shop began immediately and is sched-uled to be held in Toronto Canada theweek of 19 September 2005. It was de-cided that the workshop would takeplace outside of the United States to as-sist international vendors with travel re-strictions.

Tests for the workshops are broken upinto three sets — the first dealing withbasic functionality, the second with se-cure tunnel maintenance, and the thirddealing with extended functions, such asauthentication using digital certificatesand the intricacies of communicating be-hind devices serving as network addresstranslators or NAT devices.

In the first workshop most vendorsconcentrated on and were successfulwithin the first test set, however, muchprogress has been made throughout thesummer and will yield more comprehen-sive test results in the area of re-keyingand the use of extended functions.

For information regarding the Toronto

IPSec bakeoff on 19 September 2005, see

https://www.icsalabs.com/icsa/docs/html

/communities/ipsec/bakeoff/Registration

_2.html.

The world of IPsec Virtual Private Networks (VPNs) has come to a crossroads.

Hundred of millions of dollars of R&D in a hotel ballroom

http://www.icsalabs.com/icsa/docs/html/communities/ipsec/bakeoff/Registration_2.html
http://www.icsalabs.com/icsa/docs/html/communities/ipsec/bakeoff/Registration_2.html
http://www.icsalabs.com/icsa/docs/html/communities/ipsec/bakeoff/Registration_2.html

IPSec - AH

IPSec - AH

Documents
IPsec , ipsecurity

IPsec , ipsecurity

Documents
IPSec - ESP

IPSec - ESP

Documents
IPsec - recompile.se · If IPsec is used for everything, you could turn off WPA etc, since IPsec is better anyway. ... /etc/ipsec-tools.conf

IPsec - recompile.se · If IPsec is used for everything, you could turn off WPA etc, since IPsec is better anyway. ... /etc/ipsec-tools.conf

Documents
IPsec Overview

IPsec Overview

Documents
Network Security - ISA 656 IPsec IPsec Key Management (IKE)astavrou/courses/isa_656_F07/... · Network Security - ISA 656 IPsec IPsec Key Management (IKE) Angelos Stavrou October

Network Security - ISA 656 IPsec IPsec Key Management (IKE)astavrou/courses/isa_656_F07/... · Network Security - ISA 656 IPsec IPsec Key Management (IKE) Angelos Stavrou October

Documents
Deployment of IPSec VPN VPN, IPSec, PKI, Smart Cards

Deployment of IPSec VPN VPN, IPSec, PKI, Smart Cards

Documents
6.1 Overview of IPsec Benefits of IPsec Recommended Uses of IPsec Tools Used to Configure IPsec What are Connection Security Rules ?

6.1 Overview of IPsec Benefits of IPsec Recommended Uses of IPsec Tools Used to Configure IPsec What are Connection Security Rules ?

Documents
Ipsec Cisco

Ipsec Cisco

Documents
IPSec - utc.edu

IPSec - utc.edu

Documents
IPSec V1 - Fujitsumanuals.ts.fujitsu.com/file/8768/ipsec.pdf · START-IPSEC-MONITORING / SRIPSMN: Start IPSec monitoring . . . . . . . . . . 112 STOP-IPSEC-MONITORING / SPIPSMN: Stop

IPSec V1 - Fujitsumanuals.ts.fujitsu.com/file/8768/ipsec.pdf · START-IPSEC-MONITORING / SRIPSMN: Start IPSec monitoring . . . . . . . . . . 112 STOP-IPSEC-MONITORING / SPIPSMN: Stop

Documents
IPsec - MikroTik

IPsec - MikroTik

Documents
Internet Protocol Security (IPSec) · Internet Protocol Security (IPSec) IPSec provides secure protection of IPv4, IPv6, GRE, L2TP/PPP traffic (by using IPSec in transport mode) that

Internet Protocol Security (IPSec) · Internet Protocol Security (IPSec) IPSec provides secure protection of IPv4, IPv6, GRE, L2TP/PPP traffic (by using IPSec in transport mode) that

Documents
What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux

What is in Presentation What is IPsec Why is IPsec Important IPsec Protocols IPsec Architecture How to Implement IPsec in linux

Documents
IPSec Over

IPSec Over

Documents
IPsec and ISAKMP - cisco.com · IPsec and ISAKMP • AboutTunneling,IPsec,andISAKMP, page 1 • LicensingforIPsecVPNs, page 3 • GuidelinesforIPsecVPNs, page 4 • …

IPsec and ISAKMP - cisco.com · IPsec and ISAKMP • AboutTunneling,IPsec,andISAKMP, page 1 • LicensingforIPsecVPNs, page 3 • GuidelinesforIPsecVPNs, page 4 • …

Documents
Remote access VPN IPsec - TheGreenBo€¦ · TheGreenBowTM IPsec VPN Client Application Note Remote access VPN IPsec Accessing the MRD-3xx Indsutrial 3G router using TheGreenBow IPSec

Remote access VPN IPsec - TheGreenBo€¦ · TheGreenBowTM IPsec VPN Client Application Note Remote access VPN IPsec Accessing the MRD-3xx Indsutrial 3G router using TheGreenBow IPSec

Documents
Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications

Module 8: Planning and Troubleshooting IPSec. Overview Understanding Default Policy Rules Planning an IPSec Deployment Troubleshooting IPSec Communications

Documents
Brocade 5600 vRouter IPsec Site-to-Site VPN Reference Guide… · Brocade 5600 vRouter IPsec Site-to-Site VPN ... security vpn ipsec esp-group .....101 security vpn ipsec

Brocade 5600 vRouter IPsec Site-to-Site VPN Reference Guide… · Brocade 5600 vRouter IPsec Site-to-Site VPN ... security vpn ipsec esp-group .....101 security vpn ipsec

Documents
IPsec - web.cse.msstate.edu

IPsec - web.cse.msstate.edu

Documents
Automatic multicast IPsec by using a proactive IPsec

Automatic multicast IPsec by using a proactive IPsec

Documents
IPSEC Problem

IPSEC Problem

Documents
Agenda Introducción Problemática del envío de datos Snnifing y Spoofing de Red IPSec IPSec en arquitecturas Windows IPSec con clave compartida IPSec con

Agenda Introducción Problemática del envío de datos Snnifing y Spoofing de Red IPSec IPSec en arquitecturas Windows IPSec con clave compartida IPSec con

Documents
IPsec tutorial

IPsec tutorial

Documents
Troubleshooting Cisco IOS and PIX Firewall-Based IPSec ... Cisco... · • Firewalling and IPSec • MTU Issues • GRE over IPSec

Troubleshooting Cisco IOS and PIX Firewall-Based IPSec ... Cisco... · • Firewalling and IPSec • MTU Issues • GRE over IPSec

Documents
No Bake Desserts: 19 No Bake Dessert Recipes

No Bake Desserts: 19 No Bake Dessert Recipes

Documents
IPsec - Unical

IPsec - Unical

Documents
IPSec Certificates · IPSec Certificates ThischapterdescribesanumberofStarOSfeaturesthatsupportIPSeccertificatemanagement. ThecommandsdescribedinthischapterappearintheCLIforthisrelease

IPSec Certificates · IPSec Certificates ThischapterdescribesanumberofStarOSfeaturesthatsupportIPSeccertificatemanagement. ThecommandsdescribedinthischapterappearintheCLIforthisrelease

Documents
IPSec VPN

IPSec VPN

Documents
Iguide Ipsec

Iguide Ipsec

Documents