Though the IETF recently sanctioned the IP Security (IPSec) protocol as a proposed standard, IBM Corp. in the next few weeks will pitch an improved version of the protocol that the company plans to implement in products ranging from mainframes to firewalls.
IBM's proposal, to be presented shortly to the IPSec Working Group, goes beyond the baseline encryption and authentication techniques defined in the current security protocol. IBM's new proposal tackles the complex IP address management problems that arise when remote access users are allowed into an intranet using IPSec.
Though the fate of IBM's proposal is uncertain, the company will soon introduce IPSec client software based on the new technology. IBM also is busy swapping out the current IPSec protocol for the new version in its e-Network Communications Suite, which consists of firewalls and other products used to support electronic commerce applications.
According to IBM Senior Engineer Charlie Kunzinger, the new version of IPSec will solve a basic security management problem that occurs when a remote access user is allowed into a corporate intranet after proving his identity at the corporate security gateway.
"At that point, you have to change the user's IP address, and that's a problem," Kunzinger says. The user's new address needs to be assigned from a pool of corporate IP addresses so the remote user looks like part of the local network. The technology IBM is pitching can keep track of these users and restrict their access to certain resources.
IBM's technical proposal is based on ideas compiled by Ashley Laurent, a small firm in Austin, Texas, that for a decade has written network system software for industry giants. With IBM, Microsoft, Cisco and many others throwing their weight behind IPSec as the virtual private network standard of choice, Ashley Laurent has started attending IETF meetings to follow the action. And now that IBM is backing Ashley Laurent's ideas for a new IPSec, the firm, which has only nine employees, could end up leading the IETF pack.
According to Jeffrey Goodwin, Ashley Laurent CEO, the firm's Internet Name Space technology lets the IPSec gateway automatically assign an IP address to a remote access user. The firm also has developed Topology Information Exchange technology, which provides a way to transmit network topology information about Web servers and other corporate resources to a user's IPSec-based remote access software.
The Ashley Laurent technologies also extend IPSec beyond pure TCP/IP to include networks and clients that rely on Microsoft's NetBIOS over TCP and Novell's IPX/SPX.
Ashley Laurent also currently sells its VPCom Server product, which can plug into IBM's e-Business Firewall to provide enhanced IPSec functions. Guardian Life Insurance is testing this equipment to allow its agents in 3,000 offices across the country to remotely access Web applications on the company's intranet.
IBM, which last October licensed Ashley Laurent's baseline IPSec implementation, now plans to integrate the Internet Name Space and Topology Information Exchange technologies across its products, including routers and the OS/390 and AIX operating systems.
To convince the IETF to adopt this new version of IPSec, IBM will need to demonstrate that it's not the only big vendor behind the technology, says Bob Moskowitz, chair of the IETF's IPSec Working Group.
"There are about six different projects floating around, including one from TimeStep, that also deal with IPSec systems configuration," he says.