This is not your father's IPsec

I’m just back from a quick trip out to New York City. A few members of the Windows networking program management team and I met with a bunch of key customers to chat about networking and security. Our goal was to learn more about the challenges they are facing and how our current and future technologies can help address them. Pretty much customer engagement 101, right?

Well, it wasn’t usual to hear that companies, like these, continue to struggle with such network-based risks as rogue devices, malicious code attacks and protecting intellectual property (on and off the wire). It was great to see how many of them immediately warmed up to the idea of using IPsec (Internet Protocol security) as a means to better secure their internal networks (that’s right, not just remote access) to help better mitigate these risks/challenges.

As the title of this post implies, this isn’t the same IPsec most people immediately identify with as a VPN or other tunneling and/or network encryption solution. Instead, we are talking about using IPsec’s other, somewhat lesser known, features to dynamically segment a Windows infrastructure into more secure, logically isolated “virtual” networks. At Microsoft, we call this approach “Server and Domain Isolation” and we’re starting seeing a huge up-tick in customer adoption.

Why? Well, there are three things:

First, it’s a fairly new usage scenario for IPsec. A few years back, our own Microsoft IT department was looking for a way to better protect our corporate network from malicious code attacks (like viruses and worms). As you can imagine, we’ve got a huge network, with all the challenges related with remote access, contractors and partners “on LAN”, etc. that any sized organization faces each and everyday. To add to our existing defense-in-depth approach, MSIT needed a solution that would not require them to completely “rewire” the corporate network, but instead could be layered on top of it, to segment (and isolate) the hosts we managed from rouge and/or unmanaged devices. This was important to further reduce the attack surface area of our network, ensure that machines that are not subject to our host health policies (e.g. latest updates, antivirus signatures, host firewall, and so on) are not able to introduce network security threats that could impact our operations and help us comply with such regulations as Sarbanes-Oxley (SOX).

After looking through a number of options, MSIT built a solution (now called SecureNet) with IPsec, Active Directory Group Policy and our existing Kerberos and PKI credentialing. This was the first implementation of the Server and Domain Isolation approach, although we learned that a few other customers had also developed a similar solution in the same organic fashion.

You can learn more about SecureNet from this Microsoft IT Showcase:
http://www.microsoft.com/technet/itsolutions/msit/security/IPsecdomisolwp.mspx

Second, we’ve spent this last year focused on growing awareness of Server and Domain Isolation amongst our own field and with customers. Did any of you caught the session Gene Ferioli and I presented at IT Forum last November? You can see an example of such efforts as evidenced by our recently launched “Server and Domain Isolation” TechNet site here:
http://www.microsoft.com/sdisolation

Another example, is this recent article I wrote for the US IPv6 Summit’s monthly newsletter – 6Sense – on the subject of using IPsec (as a part of a Server and Domain Isolation solution) to help sure up your existing IPv4 network to enable a more secure transition to IPv6 - IPsec: Securing Your Network Today to Prepare for Tomorrow

Lastly, the excitement created around our Network Access Protection (NAP) initiative has also helped spotlight how IPsec can be used as a network isolation solution. 

IPsec is one of the four planned enforcement mechanisms NAP will use to control access to the corporate network based on the host’s health (aka its compliance to the corporate security and configuration policies). Even though NAP is shipping as part of the “Longhorn” wave of Windows (the client portion in Windows Vista and the backend in Windows Server “Longhorn”), customers are able to start laying the foundation by implementing Server and Domain Isolation today (which is supported on Windows Server 2003, Windows XP and Windows 2000).

So, I encourage you to take a look at this new way to use IPsec and what Server and Domain Isolation can do for you, on your existing Windows infrastructure, all without the need to “rip and replace” your existing security solutions, change your existing network gear or re-engineer your applications.