I ran across a blog entry “IPSec Everywhere, Bad Idea” on another blog. It seems that the post author went to a company that was very proud that they had implemented internal domain isolation using IPSec.
I’m not entirely sure if the author jumped to the conclusion that this meant they were using encryption. Perhaps they were. However, Microsoft recommends implementing domain isolation through the use of IPSec ESP-NULL. That means you are authenticating the machines that are talking to you, not encrypting all the traffic.
This technique is an alternative to 802.1x that may be easier to implement. Microsoft has a paper on this called Improving Security with Domain Isolation.
There are alternatives: 802.1x, personal firewalls, access lists on the router, and PIX firewall blades within your core switches. This one seems relatively easy to deploy. Is it a cure-all? Of course not. There is still the problem of an infected machine that is already part of your network. Network authentication does not equal a clean machine. It just means that the computer is known.
Untrusted devices should not be allowed access to the trusted servers.
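As an added example (not from the post or from Microsoft's paper), here is what a domain isolation policy of the kind described above looks like on a current Windows host using the NetSecurity PowerShell module. It assumes a domain-joined machine, an elevated PowerShell session, and Windows 8 / Server 2012 or later (the post-era tooling was netsh ipsec and Group Policy); the rule and set names are made up.

```powershell
# Added example, not from the post or the Microsoft paper. Assumes a
# domain-joined host, elevated PowerShell, and the NetSecurity module
# (Windows 8 / Server 2012 and later). DisplayNames are made up.

# 1. Main mode (phase 1) authentication: the computer's Kerberos identity.
#    This is what makes a peer "known": only domain members can negotiate.
$authProposal = New-NetIPsecAuthProposal -Machine -Kerberos
$phase1 = New-NetIPsecPhase1AuthSet -DisplayName "DomainIso-MachineKerberos" `
    -Proposal $authProposal

# 2. Quick mode (phase 2) crypto: ESP with NULL encryption and SHA-256
#    integrity. Packets are authenticated and integrity-protected, but the
#    payload stays in the clear, so IDS, NetFlow and packet capture still work.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP `
    -Encryption None -ESPHash SHA256
$quickMode = New-NetIPsecQuickModeCryptoSet -DisplayName "DomainIso-EspNull" `
    -Proposal $qmProposal

# 3. The isolation rule: require authentication inbound, only request it
#    outbound so members can still reach non-domain devices (printers,
#    appliances). Transport mode, domain network profile only.
New-NetIPsecRule -DisplayName "DomainIso-RequireInRequestOut" `
    -Mode Transport -Profile Domain `
    -InboundSecurity Require -OutboundSecurity Request `
    -Phase1AuthSet $phase1.Name -QuickModeCryptoSet $quickMode.Name

# 4. Server isolation on top, applied on the trusted servers: allow SMB only
#    from peers that completed IPsec authentication. Unknown devices are
#    dropped at the firewall before they ever reach the service.
New-NetFirewallRule -DisplayName "DomainIso-SMB-AuthenticatedOnly" `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -Action Allow -Authentication Required -Profile Domain

# 5. Check: once a domain peer has connected, the quick-mode SA should show
#    an ESP integrity algorithm and no encryption algorithm.
Get-NetIPsecQuickModeSA | Format-List
```

Note that an infected domain member authenticates just as successfully as a clean one; this policy decides who is known, not who is trustworthy.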

  1. Thanks for the thoughtful posting. Just to clarify, they were using encryption. I think the problem is that the folks on the front line (IT staff) are gung-ho about security, but perhaps not always as well educated about security issues as they could be.

