Microsoft Corp. is banking on enhancements to what it has dubbed the fundamentals to entice enterprises to upgrade to the next version of Windows, known as Vista.
The company will use upcoming industry shows to sing the praises of improvements to the Windows networking stack and secure networking techniques such as server and domain isolation to sell both Vista and “Longhorn,” the planned update to Windows Server.
However, Microsoft may be swimming upstream against current technology trends and advocating changes that could roil enterprise networks, according to one analyst.
Microsoft will use the RSA Conference in San Jose, Calif., in February and the companys TechEd conference in Boston in June to demonstrate and evangelize the security enhancements in Vista and its upcoming “Longhorn” version of Windows, said Mike Schutz, group product manager for Microsofts Windows Server Division, in Redmond, Wash.
One focus of those presentations will be IPSec, a venerable protocol used for securing message data at the network layer as well as for authenticating the source of data packets sent over networks.
Enterprises have historically used IPSec for VPN sessions that connect remote users to corporate resources. But Microsoft has rebuilt its TCP/IP stack “brick by brick” in Vista and Longhorn and hopes to “paint IPSec with a different brush,” said Ian Hameroff, product manager for Windows server core networking at Microsoft.
“The knee-jerk reaction is that IPSec is used for VPN. We want to unlock the other value [in IPSec],” Hameroff said.
The “other value” includes server and domain isolation technologies that use IPSec and Active Directory policies to restrict access, said Michael Nash, corporate vice president in Microsofts Security Business & Technology Unit.
In Vista and Longhorn, IPSec is used to do both domain isolation—which blocks untrusted connections to domain members—and server isolation—which restricts traffic to trusted domain members and user groups—according to Microsoft.
Windows 2000 Service Pack 4, Windows Server 2003 and Windows XP SP 2 currently support server and domain isolation, but it will be much easier to deploy the technology with Vista and Longhorn, Hameroff said.
Microsoft already uses server and domain isolation extensively on its own 275,000-device network, using Kerberos certificates to authenticate users, Hameroff said. “Were looking at scenarios that we can lead with, and server and domain isolation, which uses IPSec for enforcement, is one area where were seeing [customer] uptake,” Hameroff said.
The company sees benefits for its customers in doing the same, including reduced risk of viruses, worms and DoS (denial of service) attacks, Nash said.
“If you can allow connections for machines that should be happening without also enabling connections from machines that shouldnt be happening, you reduce the threat of malware,” he said.
IPSec has been difficult to deploy on enterprise networks, but Vista and Longhorn will make it easier, with new management features built into the operating systems, as well as logic to allow firewalls to handle IPSec traffic, Nash said.
Microsoft wants enterprises to begin planning changes to their networks now that will lay the groundwork for server and domain isolation. Preparing networks to do server and domain isolation will also be an excellent preparation for Microsofts other big security play in Vista and Longhorn: NAP, Schutz said.
“The things you need to do to get ready for NAP are relevant to deploying IPSec for server and domain isolation,” he said.
The IT staff for Fulton County in Georgia agrees with that assessment. The county is a beta test site for both Vista and Longhorn, and the network staff there is sold on the idea of using IPSec to secure its network, said Robert Taylor, CIO and director of IT for Fulton County.
Using IPSec with Vista will be cheaper than the governments current network configuration, a typical network design that uses subnets to segregate users, firewalls to block attacks from outside and within the network, and terminal emulation software from Citrix Systems Inc. to connect users at branch government offices, said Keith Dickie, assistant director of networks for the county.
IPSec will also make it easier for the county to demonstrate compliance with federal and state regulations such as HIPAA (Health Insurance Portability and Accountability Act) by encrypting traffic from workers at the countys health department, Taylor said.
But widespread deployment of IPSec can also cause problems on enterprise networks, said John Pescatore, an analyst at Gartner Inc., in Stamford, Conn. “We dont think its going to work,” Pescatore said. “Once you try to encrypt internal communications, your network architecture breaks.
“I hate to bet against Microsoft, but I give this a low probability,” said Pescatore.