Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Vista Stakes Its Future on Security



 By: Paul F. Roberts
2005-12-11
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


Rate This Article:
Poor Best
Microsoft is banking on the security enhancements in Vista to boost enterprise upgrades.

Microsoft Corp. is banking on enhancements to what it has dubbed the fundamentals to entice enterprises to upgrade to the next version of Windows, known as Vista.

The company will use upcoming industry shows to sing the praises of improvements to the Windows networking stack and secure networking techniques such as server and domain isolation to sell both Vista and "Longhorn," the planned update to Windows Server.

However, Microsoft may be swimming upstream against current technology trends and advocating changes that could roil enterprise networks, according to one analyst.

Microsoft will use the RSA Conference in San Jose, Calif., in February and the companys TechEd conference in Boston in June to demonstrate and evangelize the security enhancements in Vista and its upcoming "Longhorn" version of Windows, said Mike Schutz, group product manager for Microsofts Windows Server Division, in Redmond, Wash.

One focus of those presentations will be IPSec, a venerable protocol used for securing message data at the network layer as well as for authenticating the source of data packets sent over networks.

Resource Library:

Enterprises have historically used IPSec for VPN sessions that connect remote users to corporate resources. But Microsoft has rebuilt its TCP/IP stack "brick by brick" in Vista and Longhorn and hopes to "paint IPSec with a different brush," said Ian Hameroff, product manager for Windows server core networking at Microsoft.

"The knee-jerk reaction is that IPSec is used for VPN. We want to unlock the other value [in IPSec]," Hameroff said.

The "other value" includes server and domain isolation technologies that use IPSec and Active Directory policies to restrict access, said Michael Nash, corporate vice president in Microsofts Security Business & Technology Unit.

In Vista and Longhorn, IPSec is used to do both domain isolation—which blocks untrusted connections to domain members—and server isolation—which restricts traffic to trusted domain members and user groups—according to Microsoft.

Windows 2000 Service Pack 4, Windows Server 2003 and Windows XP SP 2 currently support server and domain isolation, but it will be much easier to deploy the technology with Vista and Longhorn, Hameroff said.

Visit the ghosts of Windows past with former and present eWEEK Labs analysts. Click here to read more.

Microsoft already uses server and domain isolation extensively on its own 275,000-device network, using Kerberos certificates to authenticate users, Hameroff said. "Were looking at scenarios that we can lead with, and server and domain isolation, which uses IPSec for enforcement, is one area where were seeing [customer] uptake," Hameroff said.

The company sees benefits for its customers in doing the same, including reduced risk of viruses, worms and DoS (denial of service) attacks, Nash said.

"If you can allow connections for machines that should be happening without also enabling connections from machines that shouldnt be happening, you reduce the threat of malware," he said.

IPSec has been difficult to deploy on enterprise networks, but Vista and Longhorn will make it easier, with new management features built into the operating systems, as well as logic to allow firewalls to handle IPSec traffic, Nash said.

Microsoft wants enterprises to begin planning changes to their networks now that will lay the groundwork for server and domain isolation. Preparing networks to do server and domain isolation will also be an excellent preparation for Microsofts other big security play in Vista and Longhorn: NAP, Schutz said.

What do developers think about the network access protection framework? Click here to read more.

"The things you need to do to get ready for NAP are relevant to deploying IPSec for server and domain isolation," he said.

The IT staff for Fulton County in Georgia agrees with that assessment. The county is a beta test site for both Vista and Longhorn, and the network staff there is sold on the idea of using IPSec to secure its network, said Robert Taylor, CIO and director of IT for Fulton County.

Using IPSec with Vista will be cheaper than the governments current network configuration, a typical network design that uses subnets to segregate users, firewalls to block attacks from outside and within the network, and terminal emulation software from Citrix Systems Inc. to connect users at branch government offices, said Keith Dickie, assistant director of networks for the county.

IPSec will also make it easier for the county to demonstrate compliance with federal and state regulations such as HIPAA (Health Insurance Portability and Accountability Act) by encrypting traffic from workers at the countys health department, Taylor said.

But widespread deployment of IPSec can also cause problems on enterprise networks, said John Pescatore, an analyst at Gartner Inc., in Stamford, Conn. "We dont think its going to work," Pescatore said. "Once you try to encrypt internal communications, your network architecture breaks.

"I hate to bet against Microsoft, but I give this a low probability," said Pescatore.

Check out eWEEK.coms for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEK.com Security Center Editor Larry Seltzers Weblog.



  Reader Comments: Vista Stakes Its Future on Security
>>> Be the FIRST to comment on this article!
 

 
 
>>> More Network Security & Hardware Articles          >>> More By Paul F. Roberts
 


xr㶲(;; YڦxiJؖciƙWHHbLZ$KrϮO7t$_&6ЍFh|GggD\ݴ9w͙M5>5J`OS;S 1F㠮5Y=+[}D}F6\3Ѣfb^P+$ȁ_MM9JD֥E!m$oaX}:[S=2pYBT!OJ%h!!Qus?=x'fwgB(ƻF {iZvP;U{ah /\1r.b,{{74ɿTݑm:{ ͑w2M*-f;:9zu v=rt;'=r:;{'׼ ;AڼW@o&1W`JLTRB`d" Pc@GGYuڇ5](E~W-b)ځVP]F[<," J2~̢J :OEuuyHutzxn |c)̠V*PFfЊ%+%2\u\_?]s\/;]rҹ"ǭVY; i Of׵V\vO^MnXCyC0-ߕRMRs~8\8.?HN‘,/3`HBm۲ܺȑ\R yɽ+a(7f`X@7? eR2x&p* ߱n^S'G5ǯ/iVj5Vi?z[SĿ G/<@'LYp3Z&9T23=MHk 3!RBʼĿIK _VPJB-)\D7h+ԌTwIQQ#=^f/\R@2Al8{ØWҽTWws^ iغ\48?]7+De., s5ͷwjzaZTpx3jOWcҽ\t;6?`Ub}PhvZM]qsuTSt*Zl:׾RA^Tjr[hc2ud8԰:AGAticšwh4N@7h`C=҉:L~;ݣn]>&tfiXŞ+LPZi50C5m| &>r\l 8d$n)ssLn- σ5]ҽk:? a#0.Zm{$8ʼ E]ub3Bݷ|{ ޚꖭ,L<ģ̠O(~9-RC1z" EEKy3@ $h5az.> ŊH^KHX-Vpp(6ݞH:sGn_-KEs㙰TL٣XB YX/_23CCɴaX9{DMfT`B[ᛥDKak`F\rA+ŲMCAIQTZUj5YQř9gCיg f߅#fL{dh{ ٚM> BB11 =w :'_ ۝.ç[N=\҃1 4fgܗ n'd50K%gYA3'|(@]4>+WePÃ"`"+42[̞v(֌f;,NrByOS*,, H@,gmdz[Oq)f$ ,4tOݡ~~UkCT]ٽh@r6ҞvaXZ @-ĿEi la-W0k^. )-P|U$"6XRvӱυ%2=CM"&7k7}SkhQ6qwbQ5JȔmY;UKU4V>ڹa3 %P$wSJ$l%K wN:`3әǟGRlC2ӱD80V2PaIUU[23R%x#e\46L XbOF8]%0Z3-,*'5eGhJ3Wk8&UE8` ;fkxF3FԡeSPݷUqAʫ%ef z6,ƴH~5<2eX]2XrmwٔAutn\?09CL-s˙@0π6UT8[.#BE-Dd ??uPV/:OYͨlE+Jc\CКy]։;lRjz|pݑM% W RN0])Xk±&>,<<+ڂh0A  ~H.LbV4>\Pbr>+ eT6)5*IMxm"P/?ˇ%Ŵ谢Ԙy}Rː 0gted-> IR-zrheU-UjR9_V2:EƟR!psn.y >{VN0fA>yL J<|˰"U` |JZYPIb+ģYV WMUpn`{y~t=GhxZ `i@% p LM{jLwg ` Z7~,p,3iZH]bRYEGÙҚRzԃ!3~b_@URTҞ"8 AG^320";wF\!v̬q~q?Mqߎ3XAmŠk+sD ü z30JјPkQkIu|d*+ZR^?*n,: /6" ތbl ezפ\+ԕMOe3q1GX=x=d6 5C+jBgYb`1Of[FIeYyVum4uP"5{Hq#$˴I>N0atA*¾G.CGTTWFogMGDo0|f^%uRiEmT)ߑI[ 8zAbzQ=Y rvjT rF2R@BZNb.xœo -"ԄpLaV*c7xo~.Rȓ$ |J DrfWOqta؆Z'0Z@qIDW;^\9o^}h_/~u:W9k_dcxΥx\N{RbG!hUHV*<bShmƛ&a֖5!xndDi+%/ҹ:n]qf빨kZ ^Ok5WE.'27Le8XFsY_aY,d<0! Wtrc}E9,׀zB,2q^5D:KY96P^S(+RJ)"4FYM |Fώ[G&g <=>G&9FgpDmn/Eb}Cu<_z|oQM2Gz1?nQtvzN` s {cAO[uvp߁؁ ?O)yrosW&Nk ue>x?HАZ#=p>~挜0n3|{mv6|Of0>ovQ8}_Jowҽ{᧹mystZTcd;I6$BUUk ȾXEVe.tѕNth<>i ,Fud3tT0hApl3O7nC]~d]sTx:o~=ˤa2]a{*{7wo]VZtC.qDn&d/.)%y u OKt1ڬ/ۥ{H?wBĬhw4hTɞo ?֐u'|ȞF8^jC|yg>,d9_a}40[ɱ-Ι2HB%euw#S''Sc3HF#%kϖSϱ6mF @|Րg ;as*|b \<E¿/&qFL>>boXi~ۼmlZYh@}:m떓uYW*JM*59¦2H{'`*AY7Q)DZrv i;RdjG^)1w}Ⱦ{prf`ܜ{WhD1쿓8nӲ8J`,O ,}L.t({P6N{1aֿZȂү ,A>u爛Bl4d5i2Pq 4F)Yz%.3;xqY{?Ars)qm\,֊Sݓ LpNnk.T-i>%Ufz'ZCϔ~9#/6<:8Ab4H' SQ"J׊E"ayGlI O{jai'Pybsv xP⋧;R\&C)"or&Ul*EPo) W~X;4fTE3C$nwlS:'=wBNW*V*j)Kɢ zcXtF #t24}۔DjJDU%/޲,y#$Uq Ҟp"a:#+{s&8hJ+0N%WI %Jq$j&f ˄gQH_' IAC:`#Mm`gˇ18jw|@j|b,rB`$fo/kO=D{ z,E'@NC pK}%ė u* 0 DUvbMllZs[Fl(bAf7HM $*U"I ZtO( b6УS$WFB !B/=b*ooVL1a "M{1U*=*EE6YVc]-J)T^b񷟥2͗]dz!-*?Lvʷ+Ew/.bbbbv%E)=Ɨ󴆶5LYRۤTje<7i_Q`?a++W{O[Vѡ4?p|vZ #SI%M + <r7Jҥk[X*jJmx o` ܴ[A $F9i9x(rb4EEҥCk\t- ֐:ukNexg/R-Edcz\ZPc+7DU)Xu-{1eK^_6O8vDΆc\znYTRA `p|~4.’\m!/w_$oof(66?y$vH(.7> e>BFKIfu73tc|I-*Ip?ϲp6clnw % +ᗗ&^Hӫd2fuω趝dKXTX 3K[+OK& a);ˢWF2OHI~tooooowX-jw4z'nL/tmˤm\fEugUh@_8׭G]y71l4,V~ Ց5 $iM)GD}u5)mQolv{RZ5Γ'XM͙$@HI2QolS=+eW>F& xu`%f w&U%_ۅwf9{|%mx 5&AJJYa ˾.ip<.1ȔxB! i#WismN%1ʍmjU1Vp tI)z,ٜ1=d MnlQy'+̛N:$Y'}+%Fj6ٗo'kXVJZ~Ix5ɑ[vnHE6NSZscR=K`;m/]5p/okߚG40ӻHS)W&8ɴf5_NLcMymF$5v?h`+@M 6-0'(EQzO0m-m,щ{KRu*eyX -}-?c9.[uc=؃yG¡YIj|ubE榰$t86?ӷSSD 2Jf6\4Ցh` >/'? .\ޮb>U&ܺF?R_ӷ/K{~i 0zT_޷84;x ״d=IdF [-{8Rxr1Bv13~j3"J7? <Fs~xqsR1CX<%sZk^YR+ȈznltOƌFSj9椷 GTGR'RMx:kZj>k`ms̴ܧ5̈ ZOkaf׵ZOk]8u3Yi<1E7ZzڝZ<hfUj"ql?ufG= Y 1iqr':Ʋu@q<4j{ c?tk6٦KMµOAʥ 8I喡QDC%R&U"cMcުJ~bGtUMhբ x\֡3I\1ڣvc̝5JZP-0o@; Rtac\ϚPFs,Vji+,&_K~Cypa>9>()[ozpWӸF[Kk)q L`>- ^Rc"WVc -y29ArL' vl"mkmnBjYJ-h>#ԹxIn1K= o~{@r qa}j boEіIz# ,@Gyꊍ\DvW|P0\G~hE{ZW] d!?32sհCߑ7}R}bj<;n CO 2Y»'_A1vRw˿Ic<>-%Ri@ "PF: Ƃ![CZ71MF·:l3>Mh0v>"(S[]ă Ln'Ӄ~7]u:PL'%NfldaQ({b8M t߃3,ȏ]Klݜ(8Ãjq$P!%h$`x=9`2@2߰1ƺs1h^^}!'+$'W~:]/{9luo[uss}Ѻj_0' ^_3}i |Q)Xt 5Eš6uF\ «.Y2U94dG0=4y8r'|;[C)Qe3ʋ, Q~4V?fbz WnW˦V\k!h?gg:^ZSrZOmj6^YcsN.Mo )nu:E+MjV}QyxQ?f f_A&pj3坌rcq+ʏV}N2!>A\㴽}k3ʡ}Qogc7(_V 053?ggsAs<s <CS(?(+3a|/2"C~.`.2Ưd:_:2?.ˌ2 w3 { 忬.)>Crs~~3w Y{ _g wɹN2!(ofYNOoT8\0_JeYW@a uqQ^ }VV<_`dkt.r3/^}NF&ˣqr]!,.5PUZk3/Y[ݲWq 'Aݷ&DV)pF ;F^a1zI/a4EL=C9}54]NWn8ڜ;#}ö0Nr@*5VZ*;? #G1Q5YUdJ)'jeV*V&K=# .=M^t fM-ϡ'!pA>fJC#Dk(xYxecE>x_tm\fp0l{|yثގe@7 J5v;ŨـD@S4ŝ}]>`6.eа!,sv[F0 #|򷁞NE35,>`&<„a:AbgHIأCDO&.wB^ \ɡ=D S$n[>WdgAg|bhMxXe7M&Є2ꟻX9VX#e i_2QNǮg}I=>~Pq/) 6LG_tPxUEG0@$=Cf K0{Ơ)evͪF&A}F垓$g'_6b Fi&b3@3p6+vOR۝bNm% 1o)%*f*HrFx*DciЄΧ^p멎TgU|JA1^<#&[z>:MC2z lx$_Oxª~Saxr=& fз 57`([| ӽO?ˍߟg%\"d<l[ +" KmӤ>q¥"UJNX,8.# +t=nS;>Ba2\PGx kYoc3gzϷ[<-v;受e$\v/-J^S.t 7tlib @J> .mE73D*| X^c0У,20%95q얢enDaaNo0n,ـ&@ ֹ˱˶ E=b ѨpSTVDǮS^mǺgyeOEmE>m+ЍO|3'ȱ blX ^|޹uwq`2]g0^l,eH&}Kqd.5" $8r嵖I;;a0&iE-㨤t`C v_ʉ~ph[?҈Y>A wVǰZ.^SƠ{e75w SF u#'yQs3=z9w:n0~br8Lt4Q|J Km)3 ;ς ixv4<Tf_E@G7`yUĔfٵ\RKnrmm#{ )60MÄre"5roq=yeәJ pK8 g!0X^Zʩȩ(v}_|JѬd;j +3Og |>"Ƹ0X+n:' wޗX;yB(O:=y>C*gꙺU7_[a}BeFBl4*׭Y*?[7nxa㇫Χc)h,=P$Dq+ AHc.ɊxYΟ0m\}!l4{n_!ﭩeUUA$摭7yM1uc*.yaT셳QbmئdTi29?R{) q%֋4>!an)nǝl| n%96L]_[ P)V+)