I couldn’t make last week’s RSA Conference in San Francisco because of other commitments, but I was interested to read the transcript of the keynote session given by Bill Gates and Craig Mundie. In particular, the comments about moving away from physical security perimeters took me back fifteen years to my days at Shell, when we first addressed the problem of how to manage connectivity and access control across shared networks. In those days IPsec looked a promising solution, but that was before VoIP had entered the equation and before we experienced the pitfalls associated with making IPsec work across organisational boundaries. I tend to agree with Paul Simmonds’ reported comments on the Microsoft keynote address. IPsec is not the solution. We need security at higher levels (in OSI model terms). The Jericho Forum has been studying these problems for several years. Microsoft should learn from their not inconsiderable experience.
And by the way, if you do rely on IPsec for your security, do check out the learning points from Royal Holloway University’s research on how to break badly configured implementations.