IPSec Forum to Test VPN Interoperability

Several security vendors formed the IPSec Developers Forum (www.ip-sec.com) to test the interoperability of IPSec and link virtual private network (VPN) vendors.

IPSec, the Internet Protocol Security encryption standard for VPNs, is gaining acceptance among vendors of encryption gear and is becoming a requirement for many companies looking to implement VPNs.

The forum will provide the means to match certified IPSec vendors that want to check their products against the IPSec standard and against other IPSec vendor products. The forum will not, however, certify systems as IPSec compliant. It will support the efforts of the International Computer Security Association (ICSA, www.icsa.net) and the Internet Engineering Task Force (IETF, www.ietf.org) by helping new VPN vendors evaluate their compliance with the IPSec standard. The ICSA will retain the responsibility of certifying IPSec and other security products.

The ICSA and the forum are doing "more of a division of labor," says Robert Moskowitz, senior technical director of the research outreach and strategies group at ICSA, because they are working together to develop IPSec certification criteria and security standards.

"We need more of this sort of cooperation between vendors," Moskowitz says.

The IPSec standard is a series of guidelines for the protection of Internet Protocol (IP) communications. It specifies ways of securing private information transmitted over public networks. IPSec supports several methods of protecting data: encryption, proof of sender, detection of data tampering, and defense against unauthorized resending of data. The IPSec standard also specifies methods for key management.

The Internet Key Exchange (IKE), developed by the IETF, is IPSec’s key management protocol. A series of steps that establishes keys for encrypting and decrypting information, IKE defines a common language on which communication between two parties is based. Together, IPSec and IKE standardize the way data protection is performed so that different vendors can create interoperable VPNs.

Radguard Inc. (www.radguard.com), the founding member of the forum, is the first company to make its ICSA IPSec-certified product accessible for interoperability testing. The availability of Radguard’s product enables "companies to check if their products are compatible with other IPSec products," says Avi Rembaum, marketing communications manager at Radguard and an IPSec Developers Forum spokesperson.

With the creation of the forum and the existence of an IPSec standard, corporations will have the freedom to choose a vendor without worrying that they will have to implement new security solutions if their VPN needs change.

"If thousands of companies need to talk to each other, it's not fair to say that everybody has to use the same security," Rembaum says.

The Canadian auto industry, for instance, has embraced IPSec for its Automotive Network eXchange program (ANX). By ensuring that all members of the program have interoperable VPNs, thousands of parts manufacturers and factories can communicate privately and securely with each other over the Internet. "The IPSec part of the VPN makes the VPN possible," Rembaum says.

Members of the IPSec Developers Forum would like to see as many vendors join as possible. They would also like to see the forum forge ties with companies involved with IPSec and VPNs that aren't vendors. Ultimately, and most importantly, when information is posted on the IPSec Web site, customers will be able to use the forum to see which products are compatible.

Despite its ambition, the forum may hit some bumps in the road on the way to achieving its goals. Radguard, as both a charter member and a vendor, is the strongest force promoting the IPSec Developers Forum. It is unknown how other vendors will respond to this dual capacity.

Services Supported by IPSec

  • Confidentiality: Encryption of data
  • Authenticity: Gives proof of sender
  • Integrity: Detects data tampering
  • Replay Protection: Defends against unauthorized resending of data