Encrypting and Accelerating with IPSec
ATLANTA -- Intel Corp. announced last month at Networld+Interop a plan to deliver highly secure, yet extremely fast, IP network communication. Joining the chip maker in the strategy are Microsoft Corp., Compaq Computer Corp., Entrust Technologies (www.entrust.com) and IBM Corp.
The technology in the middle of this cooperative effort is Internet Protocol Security (IPSec), an Internet Engineering Task Force (IETF, www.ietf.org) standard for encrypting data and the tunnel it passes through, while maintaining the ability to integrate digital certificates.
In his keynote address and later in a press briefing, Mark Christensen, vice president and general manager of Intel’s network business group, outlined the goal of giving businesses the opportunity for more secure networks without sacrificing speed. The companies behind the effort believe native IPSec support in their respective technologies is the key.
"Applications need to perform well, even when using the best security possible," said Ron Cully, lead product manager for Windows 2000 networking at Microsoft. "IPSec is a critical function because it uses strong technology such as DES [data encryption standard] and triple DES." DES is 56-bit encryption and triple DES is 168-bit encryption.
Windows 2000, and more importantly Active Directory, will include native support for IPSec. By doing this, Cully says Active Directory can be used to implement both policy and trust in a network. He also says adding these technologies is productive to the Microsoft bottom line. "Networking is going to be a compelling reason to go to Windows 2000 [as are other] things not back ported to 9x," he explains.
Greg Lang, vice president and general manager of the network interface division at Intel, says his company looked to the Windows platform because Microsoft was already developing IPSec support. He stresses, however, that the technology will be available even to clients that are not running Windows 2000. In a remote access scenario, Point-to-Point Tunneling Protocol (PPTP) will be used until the client reaches the network; Layer 2 Tunneling Protocol (L2TP) would then take over as the security agent once the client is inside.
Intel will deliver several network chipsets with native IPSec support that accelerate encryption and are optimized for Windows 2000, so that authentication work is offloaded from the host CPU. A chipset that combines the Intel 82559C Fast Ethernet Controller and the Intel 82594ED Network Encryption Co-Processor, allowing a PC or server to offload network security functions from the CPU, is available in the United States. Adapters and LAN-on-motherboard (LOM) solutions that incorporate the chipset will be available later this year.
Intel will also provide a software-only solution called Intel Packet Protect. The product will let previous generations of Intel adapters support IPSec on older operating systems. Intel's network security-enabled products will feature a network security chipset and support Intel Single Driver Technology, which the company says simplifies network management by letting administrators manage desktop, server and mobile adapters from a single console or with a single driver.
"The basic trick is you have to be able to both virtually separate the network but you don't want to thwart your investment in performance monitoring as well," says Abner Germanow, senior analyst with International Data Corp. (IDC, www.idc.com). "You need to make sure your encryption and VPN solution doesn't take you backwards in terms of control over your network."
Because traffic is encrypted all around the network, programs such as packet sniffers wouldn’t be able to read it; but, as Germanow notes, that creates a dilemma for a network administrator who needs to intercept and read that data. The vendors said no technology yet exists to circumvent this problem.
"You'll probably see that change over the next 12 months," Germanow says. "Even if the network administrator can't see exactly what the traffic consists of, there's no reason they can't see where it's coming from and get all the controls they're used to having in the network."
Compaq’s and IBM’s part in the solution is to provide desktop devices that will incorporate IPSec technology. Ray Frigo, vice president of solutions and strategies for commercial desktops at Compaq, says network trust starts with the client. The three security measures that can be implemented are password, smartcard and biometrics. Compaq offers all of these services with IPSec support.
A big question surrounding this effort is whether companies will implement these types of security. "The issue comes to having an extra cost for another device on the desktop," IDC's Germanow explains. "The ability for the IT department to justify the expense is very difficult. You certainly see corporations being very interested in biometrics and smartcards, not to increase security for applications but to make it easier for their employees to access the system in a secure fashion."
The role of security solutions vendor Entrust is to provide the public key infrastructure (PKI), integrating its identity verification method with Intel's Fast Ethernet connectivity products. The Intel/Entrust Interoperability Alliance was formed to extend public certificate-based security across current and future software and hardware solutions.
Germanow says the end-to-end IPSec plan is something companies won't be using in widespread implementations for at least 18 months. He compares it to 10/100 Ethernet cards, where administrators installed the cards throughout the environment even though 100 Mbps wouldn't be available for some time. Likewise, administrators can begin installing Intel network cards now and turn them on later, after a widespread deployment of Windows 2000 Professional, for example.