Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

Need Just Do It option for IPsec

September 8, 2007

You know what would be cool? In my Windows server / Active Directory environment, I’d like to have a network encryption policy button on the Domain Controller that says "Just Do It". The result of pressing the "Just Do It" button would be that a best-effort IPsec policy would get pushed out to every compatible machine in the domain.

For mixed environments, it wouldn’t even need to require IPsec: just make an attempt to negotiate encryption, and if that fails, fall back to plaintext. Yes that would be susceptible to man-in-the-middle attacks, but the primary purpose of this solution wouldn’t be a bullet-proof network. The purpose would instead be - find the greatest common denominator (encryption-wise) between peers while still maintaining compatibility. Create a log when the negotiation is unsuccessful. And allow me to fine-tune and gradually lock the policy down based on that information.

Wouldn’t that be cool?

Search:

Archives

Recent Posts

• Debugging a NAP HRA on an Enterprise CA
• Installing Hyper-V on a Dell PowerEdge server
• Two classic Bill Gates-isms
• Microsoft Hyper-V finally RTMs
• JW Secure is now a Microsoft Certified Partner

RSS Feed

Blogroll

Security Focus: