All it does is allow networks and hosts to establish secure channels of communication. Seems like an important part of a security architecture, yet we read very little about IPsec. Short for Internet Protocol Security, IPsec is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchanges of packets at the IP layer. IPsec delivers a point-to-point security solution by authenticating and encrypting each IP packet. With the choice of transport or tunnel mode, you can encrypt either the entire packet or the payload only. Tunnel mode is typically used to create the traditional VPNs between gateways. Transport mode is used most commonly between hosts.
Since IPsec works at the IP layer, it has an advantage over technologies such as SSL/VPN in that applications do not have to be modified, or even be aware of it, to benefit from the secure communications. Secure connections between insecure and secure networks also can be established without changes to the individual user devices or network infrastructure. IPsec also was developed as a framework and not a policy, meaning that so long as the endpoints agree on authentication and encryption mechanisms, users have flexibility and options in their deployments and configurations. This benefit comes at a cost, as there are a lot of options that must be dealt with in configuring and deploying gateways and host-based clients. Options can lead to complexity.
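To make the tunnel/transport distinction concrete, here is an added Python model of ESP encapsulation (RFC 4303) written for this review; it is not code from any of the products tested. It uses HMAC-SHA256 in counter mode as a stand-in for AES-CTR and a truncated HMAC-SHA256 as the integrity check value, so it runs with only the standard library; the keys, addresses and payload are constructed sample values, and in a real deployment the keys would be negotiated by IKE. Transport mode leaves the original IP header visible and protects only what follows it; tunnel mode protects the whole original packet behind a new outer header that names the two gateways.

```python
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ESP = 50        # IP protocol number carried in the outer header for ESP
IP_IN_IP = 4    # ESP next-header value meaning "a whole IPv4 packet follows" (tunnel mode)
TCP = 6         # ESP next-header value for a bare TCP segment (transport mode)


def ipv4_header(src, dst, proto, total_len):
    """Minimal 20-byte IPv4 header; the checksum is left zero since nothing here hits the wire."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)


def parse_ipv4(pkt):
    """Return (src, dst, proto, payload) for a packet with a minimal IPv4 header."""
    return str(IPv4Address(pkt[12:16])), str(IPv4Address(pkt[16:20])), pkt[9], pkt[20:]


def keystream(key, iv, length):
    """HMAC-SHA256 in counter mode: a stand-in for AES-CTR so the example needs only the stdlib."""
    blocks = (hmac.new(key, iv + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def esp_encapsulate(keys, spi, seq, plaintext, next_header):
    """Build an RFC 4303 ESP packet: SPI | seq | IV | encrypted(payload | pad | padlen | next) | ICV."""
    enc_key, auth_key = keys
    iv = os.urandom(8)
    pad_len = (-(len(plaintext) + 2)) % 4               # encrypted region aligned to 4 bytes
    padding = bytes(range(1, pad_len + 1))               # RFC 4303 default padding 1, 2, 3, ...
    clear = plaintext + padding + bytes([pad_len, next_header])
    ct = bytes(a ^ b for a, b in zip(clear, keystream(enc_key, iv, len(clear))))
    header = struct.pack(">II", spi, seq)
    icv = hmac.new(auth_key, header + iv + ct, hashlib.sha256).digest()[:16]   # encrypt-then-MAC
    return header + iv + ct + icv


def esp_decapsulate(keys, esp):
    """Verify the ICV before decrypting anything; return (spi, seq, next_header, plaintext)."""
    enc_key, auth_key = keys
    header, iv, ct, icv = esp[:8], esp[8:16], esp[16:-16], esp[-16:]
    expected = hmac.new(auth_key, header + iv + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(icv, expected):
        raise ValueError("ESP integrity check failed")
    spi, seq = struct.unpack(">II", header)
    clear = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, iv, len(ct))))
    pad_len, next_header = clear[-2], clear[-1]
    return spi, seq, next_header, clear[:len(clear) - pad_len - 2]


def transport_mode(keys, spi, seq, ip_pkt):
    """Host-to-host: keep the original IP header in the clear, encrypt only what follows it."""
    src, dst, proto, payload = parse_ipv4(ip_pkt)
    esp = esp_encapsulate(keys, spi, seq, payload, proto)
    return ipv4_header(src, dst, ESP, 20 + len(esp)) + esp


def tunnel_mode(keys, spi, seq, ip_pkt, gw_src, gw_dst):
    """Gateway-to-gateway: encrypt the entire original packet and prepend a new outer header."""
    esp = esp_encapsulate(keys, spi, seq, ip_pkt, IP_IN_IP)
    return ipv4_header(gw_src, gw_dst, ESP, 20 + len(esp)) + esp


def receive(keys, wire_pkt):
    """Receiving side for either mode: returns the original IP packet, or raises on tampering."""
    src, dst, proto, esp = parse_ipv4(wire_pkt)
    if proto != ESP:
        raise ValueError("not an ESP packet")
    _spi, _seq, next_header, inner = esp_decapsulate(keys, esp)
    if next_header == IP_IN_IP:                 # tunnel mode: the inner packet is complete
        return inner
    return ipv4_header(src, dst, next_header, 20 + len(inner)) + inner   # transport mode: rebuild


if __name__ == "__main__":
    keys = (b"\x11" * 32, b"\x22" * 32)          # constructed SA keys; real ones come from IKE
    payload = b"GET / HTTP/1.0\r\n"              # constructed TCP payload
    pkt = ipv4_header("10.0.1.5", "10.0.2.7", TCP, 20 + len(payload)) + payload
    for name, wire in (("transport", transport_mode(keys, 0x1000, 1, pkt)),
                       ("tunnel", tunnel_mode(keys, 0x2000, 1, pkt, "198.51.100.1", "203.0.113.1"))):
        src, dst, _, _ = parse_ipv4(wire)
        print(f"{name}: on the wire {src} -> {dst}, {len(wire)} bytes, "
              f"round trip ok: {receive(keys, wire) == pkt}")
```

Running it shows the difference an observer on the path sees: the transport-mode packet still carries the two hosts' addresses (10.0.1.5 to 10.0.2.7) in the clear, while the tunnel-mode packet shows only the gateway addresses, with the real endpoints inside the encrypted region. The receiver checks the ICV before decrypting, so a packet modified in transit is rejected without its contents ever being processed.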
How we tested
The criterion for entry into this group was that a product provide encrypted, point-to-point remote access using IPsec. The products reviewed this month provide IPsec solutions as part of their offering. Some deliver this through a dedicated, purpose-built product, while others offer the service as part of a combined security appliance that delivers additional features such as firewall, NAC, IPS, email/web filtering and SSL/VPN options. Some implementations focused on client-side IPsec software designed to connect to any industry-standard IPsec gateway. Others focused on purpose-built appliances that deliver an enterprise-wide meshed solution that could be inserted into the existing LAN/WAN infrastructure with very little impact.
Our testing methodology for this group consisted of using the appliances as a gateway between our internal test network and the public internet. In configuring the gateway devices, we focused on the ease of use of the interface provided for both the initial setup of the gateway/appliance and the management of the device once it was installed on our network. A number of the products delivered IPsec as part of a suite of security services. We did not test the additional security components beyond what was required for us to pass traffic and gather reports or alerts. We set up each appliance so that it sat on our public internet connection and provided IPsec connections from our internal clients or from a test machine coming in over the internet. We used the vendor-provided IPsec VPN clients on our test endpoints to create various IPsec connections to the appliances.
Most of the setup on the appliance and client side was pretty straightforward. Some were a bit more complex than others, but there were no negative experiences to report. Most of the offerings delivered the traditional IPsec features and functions as expected.
In the end, this review led to several observations. The first is that for a large enterprise-wide deployment, it would make sense to give a serious look at the purpose-built products. Not only did these solutions provide performance and high-availability capabilities, but their management and deployment features will allow users to keep up with changes. Also, a number of these offerings can make it easy for small and mid-size organizations to add this level of security to their overall security architecture without requiring a high level of IT overhead. After spending time with all the products, you really wouldn't go wrong with whichever one you choose to deploy.