IPSEC Protects Networks Inside and Out

Everybody knows that enterprises face a host of threats from the outside, but what about the all-too-real threats posed by their own employees? The big networking vendors have traditionally concentrated on blocking the potential danger from without at the expense of curbing the inevitable danger from within.

In the last year, however, more networking vendors have turned their attention toward shoring up internal network security. 3Com and Intel, for example, each introduced dedicated network interface cards (NICs) for client workstations and enterprise servers that leverage the IP Security (IPSec) protocol to encrypt data traveling across enterprise networks.

In early September, Intel unveiled the second generation of its IPSec-compliant PRO/100 S NICs -- including, for the first time, an IPSec-compliant mobile NIC for laptop computers. Based on the new 82550EY microprocessor, Intel's newest NICs can simultaneously handle IPSec encryption and many of the other tasks associated with TCP processing. Intel also announced IPSec driver support for Windows 98 and Windows NT 4.0. Windows 2000 supports IPSec natively.

IPSec is a security protocol that defines a standard for authentication and encryption over the Internet and over corporate intranets. Rather than establishing a secure session between two applications, as Secure Sockets Layer does, IPSec encrypts all network traffic because it is implemented at the network layer. Because IPSec can provide up to 168-bit triple Data Encryption Standard (3DES) encryption, it can heavily tax the host processor on a client or server. Consequently, IPSec NICs usually feature a dedicated chip that dramatically improves performance by handling the IPSec encryption itself.

Because most of the data traveling across internal enterprise networks today is not encrypted, Tim Dunn, general manager of Intel's LAN access division, says his company's promotion of IPSec in its networking devices represents a response to real-world business needs.

"While penetration from outsiders is clearly a problem, the unauthorized access by insiders is a much more significant problem, and one that is probably growing as companies rapidly expand their networking equipment and add more switches and ports," Dunn explains.

If an IT shop has open data ports that anyone can plug in to, and if all the ports on its switches and hubs aren't secured -- either closed altogether or mapped to a specific NIC Media Access Control (MAC) address -- an unscrupulous employee can use tools such as a packet sniffer to collect sensitive corporate data.
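The risk described above, that anyone with an open port and a packet sniffer can read whatever crosses an unencrypted internal LAN, and the earlier point that IPSec encrypts at the network layer rather than per application, can both be measured with a capture audit. The Python script below is an added example, not code from the article or from Intel or 3Com. It builds a few constructed IPv4 frames in-process (two cleartext TCP frames and one ESP frame whose "ciphertext" is a fixed stand-in byte string), classifies each frame by IP protocol number (ESP is protocol 50, AH is 51), and flags any TCP payload that a sniffer could read. The host addresses, ports, SPI and payload text are all made up.

```python
import struct
from dataclasses import dataclass, field

IPPROTO_TCP = 6
IPPROTO_ESP = 50   # IPSec Encapsulating Security Payload (RFC 2406)
IPPROTO_AH = 51    # IPSec Authentication Header (RFC 2402)


@dataclass
class Packet:
    src: str
    dst: str
    proto: int
    payload: bytes


def _ip_bytes(dotted: str) -> bytes:
    return bytes(int(octet) for octet in dotted.split("."))


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Minimal IPv4 header (no options, checksum left zero) followed by payload."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0,
                         64, proto, 0, _ip_bytes(src), _ip_bytes(dst))
    return header + payload


def build_tcp(sport: int, dport: int, data: bytes) -> bytes:
    """Minimal TCP header (data offset 5 words, PSH+ACK) followed by application data."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP on the wire: 4-byte SPI, 4-byte sequence number, then opaque ciphertext."""
    return struct.pack("!II", spi, seq) + ciphertext


def parse_ipv4(frame: bytes) -> Packet:
    """Pull source, destination, protocol number and payload out of an IPv4 frame."""
    if frame[0] >> 4 != 4:
        raise ValueError("not an IPv4 frame")
    ihl = (frame[0] & 0x0F) * 4
    total_len = struct.unpack("!H", frame[2:4])[0]
    src = ".".join(str(b) for b in frame[12:16])
    dst = ".".join(str(b) for b in frame[16:20])
    return Packet(src, dst, frame[9], frame[ihl:total_len])


def printable_ratio(data: bytes) -> float:
    """Fraction of bytes that are printable ASCII (tab/CR/LF included); 0.0 for empty data."""
    if not data:
        return 0.0
    printable = sum(1 for b in data if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(data)


@dataclass
class AuditResult:
    esp: int = 0
    ah: int = 0
    cleartext_tcp: int = 0
    other: int = 0
    exposed: list = field(default_factory=list)   # (src, dst, readable text)


def audit(frames) -> AuditResult:
    """Count frames by IP protocol and record TCP payloads a sniffer could read as text."""
    result = AuditResult()
    for frame in frames:
        pkt = parse_ipv4(frame)
        if pkt.proto == IPPROTO_ESP:
            # Sniffer still sees src/dst and the 8-byte SPI/sequence header; nothing after it is readable.
            result.esp += 1
        elif pkt.proto == IPPROTO_AH:
            result.ah += 1
        elif pkt.proto == IPPROTO_TCP:
            result.cleartext_tcp += 1
            data_off = (pkt.payload[12] >> 4) * 4      # TCP data offset, in 32-bit words
            app = pkt.payload[data_off:]
            if printable_ratio(app) > 0.9:
                result.exposed.append((pkt.src, pkt.dst, app.decode("ascii", "replace")))
        else:
            result.other += 1
    return result


# Constructed sample capture: two cleartext TCP frames and one ESP frame between the same hosts.
SAMPLE_FRAMES = [
    build_ipv4("10.0.0.5", "10.0.0.20", IPPROTO_TCP,
               build_tcp(40000, 80, b"GET /payroll/report.html HTTP/1.0\r\n\r\n")),
    build_ipv4("10.0.0.20", "10.0.0.5", IPPROTO_TCP, build_tcp(80, 40000, b"")),   # bare ACK
    build_ipv4("10.0.0.5", "10.0.0.20", IPPROTO_ESP,
               build_esp(0x1234ABCD, 1, bytes(range(0x80, 0xA0)))),   # stand-in ciphertext
]

if __name__ == "__main__":
    r = audit(SAMPLE_FRAMES)
    print(f"ESP {r.esp}, AH {r.ah}, cleartext TCP {r.cleartext_tcp}, other {r.other}")
    for src, dst, text in r.exposed:
        print(f"readable payload {src} -> {dst}: {text.strip()!r}")
```

Run over a real capture instead of the constructed frames, the same classification gives a defender a before-and-after measure of how much internal traffic is still cleartext once IPSec NICs are rolled out. Note what ESP does not hide: the source and destination addresses and the SPI stay visible in transport mode, so IPSec shrinks a sniffer's take to traffic metadata rather than eliminating it, and port security (closing unused ports or binding them to a MAC address) remains the complementary control.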

Dunn also contends that the lines between internal and external networks have been blurred by the business-to-business revolution and by the close integration of enterprise resource planning and material requirements planning systems among different companies in altogether separate geographical locations.

"With the advances of the Internet and the need for tighter communication with suppliers and customers, the network is one sort of continuous network as opposed to distinct separate boundaries," he says. "And with communication out to your suppliers or remote workers or customers, there's additional opportunity for security breaches, and these have grown pretty dramatically in the last few years."

According to Rob Enderle, senior analyst at Giga Information Group, IPSec promotion on the part of major vendors such as 3Com and Intel -- coupled with the incorporation of native IPSec support at the operating system level by vendors such as Microsoft -- could help to spur deployment of the technology among fence-sitting enterprises. Moreover, Enderle speculates that Intel's move to extend dedicated IPSec encryption to laptop-toting users with a mobile version of the PRO/100 S will also attract customers.

A recent study conducted by the FBI and the Computer Security Institute (CSI), however, indicates that most IT organizations remain more concerned about the dangers from without than about the dangers from within. According to the "Computer Crime and Security Survey," 71 percent of respondents acknowledged that they had detected unauthorized access by insiders, but 59 percent of respondents cited their Internet connection as a more frequent point of attack, compared with 38 percent citing the internal network.

Intel Corp., Beaverton, Ore., www.intel.com

3Com Corp., Santa Clara, Calif., www.3com.com

Giga Information Group Inc., San Francisco, www.gigaweb.com
