Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

You know what would be cool? In my Windows server / Active Directory environment, I’d like to have a network encryption policy button on the Domain Controller that says "Just Do It". The result of pressing the "Just Do It" button would be that a best-effort IPsec policy would get pushed out to every compatible machine in the domain.

For mixed environments, it wouldn’t even need to require IPsec: just make an attempt to negotiate encryption, and if that fails, fall back to plaintext. Yes, that would be susceptible to man-in-the-middle attacks, but the primary purpose of this solution wouldn’t be a bullet-proof network. The purpose would instead be to find the greatest common denominator (encryption-wise) between peers while still maintaining compatibility: create a log entry whenever a negotiation is unsuccessful, and allow me to fine-tune and gradually lock the policy down based on that information.

Wouldn’t that be cool?
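What the post asks for maps closely onto the "request" mode of Windows IPsec connection security rules. The PowerShell below is an added example, not code from the original post: it pushes a best-effort rule through a domain GPO, turns on failure auditing so unsuccessful negotiations show up in the Security log, and shows the later lock-down step. The domain name corp.example, the GPO name Opportunistic-IPsec and the rule display names are assumptions; the GPO is assumed to exist already, and the commands are assumed to run as a domain administrator on a host with the NetSecurity module.

```powershell
# Added example (not from the original post). Assumed names: domain 'corp.example',
# GPO 'Opportunistic-IPsec', rule 'Request IPsec (best effort)'.
$gpoStore = 'corp.example\Opportunistic-IPsec'   # assumed, must already exist

# Phase 1 authentication: machine Kerberos, so any domain member can negotiate
# with any other without certificates or pre-shared keys.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain machine Kerberos' `
                -Proposal $proposal -PolicyStore $gpoStore

# The "Just Do It" button: request IPsec in both directions, but never drop a
# connection when the peer cannot negotiate (plaintext fallback).
New-NetIPsecRule -DisplayName 'Request IPsec (best effort)' `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $authSet.Name `
    -Profile Domain -PolicyStore $gpoStore

# "Create a log when the negotiation is unsuccessful": failed negotiations are
# only written to the Security log once failure auditing is enabled on the host.
auditpol /set /subcategory:"IPsec Main Mode"  /failure:enable
auditpol /set /subcategory:"IPsec Quick Mode" /failure:enable

# What actually negotiated on this host: one row per main-mode SA.
Get-NetIPsecMainModeSA |
    Select-Object LocalEndpoint, RemoteEndpoint, FirstAuthenticationMethod

# What did not: 4653 = main mode negotiation failed, 4654 = quick mode failed.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4653, 4654 } -MaxEvents 50 |
    Select-Object TimeCreated, Id, Message

# Gradual lock-down, once the failure log for a scope is empty: require IPsec for
# inbound traffic while still only requesting it outbound, then Require both ways.
Set-NetIPsecRule -DisplayName 'Request IPsec (best effort)' `
    -InboundSecurity Require -OutboundSecurity Request -PolicyStore $gpoStore
```

The rule and authentication set are written into the GPO once and reach every domain member through Group Policy; the SA listing and the audit events, however, are per host, so the failure log the post wants has to be collected from each machine (event forwarding or a SIEM) before it can drive the tightening step.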
