V6 Security, IPsec: Serious End-to-end security for transition to IPv6

The V6 Security Difference

V6 Security was established in 2004 to help accelerate the adoption of end-to-end security worldwide for commercial, government and individual use, primarily through deployment of Internet Protocol Security (IPsec) transport mode. The new ('98 through today) IPsec standards and products significantly change and improve the old security model, which relied completely on application-level security with SSL/TLS, Kerberos and SSH to protect network communications.

IPsec functionality in current host operating systems enables servers to be safe from TCP/IP attacks from untrusted systems. Thus servers can safely be attached to the Internet to securely communicate with business partners and other clients without the use of VPN client tunnels. Similarly, servers located on the internal network can be protected from internal hacking by employees and other insiders. IPsec provides both host-based network access control (an "authenticating firewall") and strong but flexibly negotiated traffic protection (authentication-only, or encryption) for client-server, server-to-server and peer-to-peer scenarios.

The IPsec security model is required to be supported for Internet Protocol version 6 (IPv6). Since IPv4 IPsec is also available in nearly all client and server OS platforms, such advanced security can be deployed by IT administrators immediately, without changing applications or networks.

V6 Security services consist of:

  • Providing expertise and training in the technology and deployment of Windows® IPsec. This includes knowledge of best practices, detailed IPsec product and protocol interoperability investigations, troubleshooting and custom scenarios.
  • Providing security risk assessments and training in network security threat awareness. Any attacker can intercept your network traffic so easily that every local link and path must be highly resistant to attack. Public tools such as Dsniff and Ettercap can readily intercept just about any LAN communication without being detected. Since many LAN links are insecure by design or by policy (e.g. wireless hot spots), end-to-end security is required. Once unencrypted traffic is captured, open source tools like John the Ripper and RainbowCrack are very likely to crack user passwords, giving the attacker full trusted user access.
  • Providing comprehensive architecture for trusted computing and security policies that are practical and able to be implemented by current host platforms.
  • Assisting with available technical safeguards for TCP/IP traffic protection to meet HIPAA, GLB, Sarbanes-Oxley (SOX), FISMA and other regulatory requirements.
  • Providing decision support through technical research, analysis and testing results for IPsec and other network security protocols in the host platforms.
  • Providing affordable management software tools which reduce the cost of impact assessment, rollout, and lifecycle management of IPsec.

For more information about V6 Security Services, visit our Services page.

See this guide for the most comprehensive IPsec transport mode deployment guidance available:

Domain and Server Isolation using IPsec and Group Policy
Co-authored with Microsoft® and published in March 2005, this is a 7 chapter detailed planning and management guide for using IPsec to provide host-based network access control (an "authenticating firewall"), as well as to secure TCP/IP traffic within internal networks. Requirements planning spreadsheets, troubleshooting tools and other appendices are packaged with the guide. Introductory whitepapers are available on the Windows® IPsec page.

NEW: Unblocking IPv6 Applications: Safely Connecting Through Host Firewalls with IPsec
Host firewalls have become required to defend against constant attacks from untrusted systems on the Internet and on internal networks. But they threaten the end-to-end benefits IPv6 provides to applications. To enable inbound connections, firewalls currently open holes for an application, which also opens the application and the host to untrusted attack. This paper explains how the IETF design for IP Security (IPsec) policy and Internet Key Exchange (IKEv1 and IKEv2) moderate inbound network access to the host. Thus they enable the host firewall to open holes which can be accessed only by trusted and authorized peers. IPsec-aware firewalls can provide tightly controlled access based on source identity and specific upper-level protocol connection details passed during the IKE negotiation.

  © V6 Security, Inc. 2005. All rights reserved.