Network World's Windows Networking Strategies Newsletter, 02/14/07

Longhorn to implement VPN-like connections between its endpoints

By Dave Kearns

It’s nice when your views are validated by the richest man in the world.

At last week’s RSA Conference, Bill Gates delivered the opening keynote and validated the idea that the firewall needs to be replaced, an idea that first surfaced in this newsletter almost a year and a half ago (see “Time to rethink the term 'firewall'” and “Enough of firewalls - how about an intelligent firedoor?”). Gates’ presentation, aided by Microsoft Chief Research and Strategy Officer Craig Mundie, ranged far and wide about security, the upcoming release of Longhorn Server and the need to build an “identity layer” into the network.

<aside> For more about that “identity layer,” and the Microsoft Identity Lifecycle Manager see this week’s newsletter on Identity Management. </aside>

Gates and Mundie talked about the need to institute secure access between a user and an application, something a traditional firewall isn’t very capable of doing because they’re mostly involved with hardware, network segments, and port controls.

Mundie said: “We have to be able to say I only trust this particular application, or I trust this person running that application in order to be able to do things. And so we really need to be able to do this with a lot more granularity.

“We also want to be able to do it in a world where everybody is just on the Internet. And so we need to move to create a way of describing these things by policy, not topology. Almost all the protection in the past has tended to gravitate around the topology of the network, you can get at this segment or not that segment, you can get at this IP address or not that IP address. But today the demands are really for a lot more flexibility, not just within the part of the network you control, but to extend to the network parts that you don't control.”

One of the tools that Longhorn will use to do this is IPSec, a set of protocols developed by the IETF to support secure exchange of packets at the IP layer. IPSec has been deployed widely to implement VPNs. In other words, Longhorn will implement VPN-like connections between and among all of its endpoints. And, in the spirit of “eating their own dog food,” according to Mundie, “…as we've studied this inside Microsoft, we actually started using IPSec to control access within our corporate network.” But it wasn’t without problems. He went on: “And the poor IT guys came back to us one day and said, hey, you know, this is technically possible but it's damn near impossible to make it work and be sure about it. And we found that they had actually had to write 4,000 rules that governed how the IPSec mechanism worked. And we realized that given that people will make mistakes, if you really want to trust these things, it's got to get a lot simpler; not just the mechanics of putting it in but putting 4,000 in is a bit too many.” Bit of an understatement there!

So they worked on the problem. And reduced the rules set needed. Mundie proudly announced: “When we release ‘Longhorn’ Server later this year, we've actually made enough changes architecturally in how we administer that and simplify it; the entire 4,000 rules at Microsoft have been collapsed to 40 rules. And I think that it's that kind of thing that is actually going to move us from thinking of IPSec as a fairly arcane technology that maybe could be used in a very specific, really, really problematic environment to one where we think it will be the way that we build this model of seamless, easy anywhere access across all these families of devices, and for all these different classes of applications.”

It was a more satisfying keynote address than I’ve seen in quite a while. If you weren’t there, you can watch a replay here, or read the transcript. But I’m beginning to like what I’m hearing about Longhorn.

Copyright Network World, Inc., 2007

Questions or problems regarding this web site should be directed to abeckman@outdoorssite.com.

Copyright © 2008 Art Beckman. All rights reserved.

Last Modified: March 9, 2008