Internet.com ISP-Planet
Windows 2000's VPN-Related Security Issues - continued

According to a Microsoft white paper, "Embedding L2TP in IPsec provides the best standards-based solution for multi-vendor, interoperable client-to-gateway VPN scenarios." But Microsoft didn't stop with a strong recommendation: Microsoft eliminated support for native IPsec between client and gateway.

Other vendors don't necessarily agree with Microsoft's approach. A newsletter published by IPsec software vendor Ashley Laurent states "Newbridge, Radguard, Checkpoint, Ashley Laurent, and others have stepped up to complain about the deficiencies in native Windows 2000 VPN support."

January statements made to the press by these four vendors were far from complimentary. Newbridge TimeStep VP Tim Hember stated "L2TP will be a burden on the customer." The top concern: 40-50 bytes of per-packet overhead added by L2TP.

Until vendors reach consensus on proposals for L2TP compression, the added overhead might cause IP fragmentation and reduce performance on low bandwidth dial-up links. But, as CheckPoint's Mark Elliott put it, "We have to support the Microsoft client because we presume it will become the general enterprise desktop client."
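To see why the per-packet overhead matters on a low-bandwidth link, here is an added worked example (not from the article or any vendor's software) that sums the encapsulation headers for L2TP carried over transport-mode IPsec ESP and checks whether a given inner packet would have to fragment. Header sizes come from the protocol specifications; the choice of 3DES-CBC with a 96-bit HMAC and a 576-byte dial-up MTU are assumptions made for the example.

```python
"""Per-packet overhead of L2TP over transport-mode IPsec ESP (added example)."""

# Fixed sizes from the protocol specifications (IPv4 without options, UDP, ESP).
IPV4_HDR = 20     # outer IPv4 header, the only one in transport mode
UDP_HDR = 8       # UDP header carrying L2TP
ESP_HDR = 8       # ESP SPI (4) + sequence number (4)
ESP_TRAILER = 2   # ESP pad length (1) + next header (1)
ICV_96 = 12       # truncated 96-bit HMAC (MD5 or SHA-1) authenticator
# Assumed for this example: 3DES-CBC (8-byte IV and block) and a 576-byte
# dial-up link MTU; change these to model other ciphers or links.
IV_LEN = BLOCK = 8
DIALUP_MTU = 576


def l2tp_overhead(with_sequence=False, ppp_compressed=True):
    """Bytes L2TP adds around a PPP-framed IP packet: IP + UDP + L2TP + PPP."""
    # L2TP data header: 6 bytes minimum plus 2-byte length field,
    # plus 4 bytes of Ns/Nr when sequencing is enabled.
    l2tp_hdr = 8 + (4 if with_sequence else 0)
    # PPP protocol field: 2 bytes with address/control compression, else 4.
    ppp_hdr = 2 if ppp_compressed else 4
    return IPV4_HDR + UDP_HDR + l2tp_hdr + ppp_hdr


def esp_overhead(plaintext_len):
    """Bytes transport-mode ESP adds: header, IV, padding, trailer and ICV."""
    # ESP pads so that plaintext + pad + trailer is a multiple of the block size.
    pad = -(plaintext_len + ESP_TRAILER) % BLOCK
    return ESP_HDR + IV_LEN + pad + ESP_TRAILER + ICV_96


def encapsulated_size(inner_ip_len, with_sequence=False):
    """On-the-wire size of one inner IP packet carried over L2TP/IPsec."""
    # ESP encrypts UDP + L2TP + PPP + inner IP; the outer IPv4 header is clear.
    plaintext = l2tp_overhead(with_sequence) - IPV4_HDR + inner_ip_len
    return IPV4_HDR + plaintext + esp_overhead(plaintext)


def fragments_at(inner_ip_len, link_mtu=DIALUP_MTU, with_sequence=False):
    """True if the encapsulated packet exceeds the link MTU and must fragment."""
    return encapsulated_size(inner_ip_len, with_sequence) > link_mtu


def largest_unfragmented_payload(link_mtu=DIALUP_MTU, with_sequence=False):
    """Largest inner IP packet that still fits in one frame on this link."""
    n = link_mtu
    while n > 0 and fragments_at(n, link_mtu, with_sequence):
        n -= 1
    return n
```

With these assumptions the L2TP portion alone is 38 to 44 bytes, in line with the 40-50 bytes quoted above, and ESP adds roughly another 30; on a 576-byte link anything above a 508-byte inner packet fragments.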

Issues To Watch Out For
Interoperability: Because of the L2TP/IPsec brouhaha, the odds of immediate Windows 2000 IPsec client interoperability with your existing VPN gateway aren't great. In the near term, be on the lookout for remote access mismatches between the Windows 2000 client and IPsec-enabled firewalls, routers, and security gateways. At NetWorld+Interop last September, six vendors — Cisco, Nortel, Ascend (Lucent), Altiga Networks, and Routerware — demonstrated IPsec interoperability with Windows 2000 in the Microsoft Partners Pavilion.

Gateway-to-gateway interoperability testing was also performed on the InteropNet. But this week's spot-check of VPN vendor websites did not yet show widespread compatibility with Windows 2000 IPsec. Only a few sites claimed released product support for Windows 2000. Among those who did: Altiga, AXENT, and Compatible Systems (Compatible Systems was recently acquired by Cisco). Nortel will support their client on Windows 2000 in the upcoming 2.61 release of Contivity.

Third-party IPsec software: A few vendors will port their own IPsec client to Windows 2000; many more will support the Windows 2000 client. But expect non-Microsoft IPsec client software to stick around — at least for a while. IRE's SafeNet SoftPK IPsec client is now marketed by major VPN vendors 3Com, Cisco, Lucent, Nortel, and NetScreen, among others. Ashley-Laurent's VPcom IPsec client is marketed by IBM and WatchGuard. Third-party and vendor-specific clients offer the best hope for turnkey interoperability with existing devices right now.

In the long run, add-on clients may become irrelevant, much the way that third-party TCP stacks disappeared when Microsoft added TCP to Windows 95. But non-Microsoft IPsec clients are likely to retain their hold on Windows 9x and NT, perhaps branching out to other OSs that lack embedded IPsec client support.

IP co-processors? Also watch for "IPsec on a card" co-processors to emerge for desktops. Intel and 3Com recently started shipping IPsec-enabled Ethernet cards that offload checksum and encryption from desktops and servers running Windows 2000. For example, 3Com's 3CR9990 is said to support ESP with 3DES and MD5 at 90 Mbps, decreasing PC CPU utilization from over 80% without the card to 20% with the card.

These NICs are for LANs, not WANs: they enable end-to-end transport mode IPsec between desktops, or desktop to server. But can co-processor support for WAN dial-up adapters or LAN/WAN "combo cards" be far off? These cards may speed Windows 2000 rollout by security-conscious enterprises — the same customers who care enough about security to outsource remote access VPN services.

If you use PPTP: Finally, any ISP that uses PPTP in a remote access VPN service should start working on a transition plan. Vendors like IndusRiver and Nortel have verified interoperability with Windows 2000 PPTP; upward compatibility issues appear to be minimal. Microsoft's official position: "PPTP provides simple-to-use, lower-cost VPN security" for customers who "do not require the sophistication of IPsec, who do not want to deploy PKI, or who require a NAT-capable VPN protocol." But PPTP is considered weak by many security experts.

Industry advances like embedding PKI and IPsec in Windows 2000 will eventually bring down the cost and complexity of IPsec deployment. Expect to migrate PPTP users to L2TP/IPsec, and you won't be caught by surprise when users demand an upgrade or Microsoft finally pulls the plug on PPTP.
