
Enabling the intelligent network services in the presence of the end-to-end security model of Windows XP IPSec protocols

Posted on: 2005-02-09
Degree: Ph.D
Type: Dissertation
University: Florida Institute of Technology
Candidate: ALmeshary, Nasser Zaid
Full Text: PDF
GTID: 1458390011951542
Subject: Engineering
Abstract/Summary:
The most widely used network security strategy today concentrates on preventing attacks from outsiders and ignores major attacks that may be initiated by insiders within corporate LANs. Under Windows XP/2000/2003 networks, most LAN traffic is not secured, so malicious employees, visitors, or partners can plug in sniffing devices to monitor and analyze traffic. Perimeter countermeasures such as firewalls cannot prevent such attacks. Consequently, there is a strong demand for an end-to-end security model that ensures secure communication between any two Windows XP/2000/2003 machines. The transport mode of the Windows XP IPSec protocols provides such a model. Unfortunately, this security model disables a wide range of Intelligent Network Services (INS Services) that are essential for operating Windows-based LANs, such as internal firewalls, Network Intrusion Detection and Prevention Systems (NIDS and NIPS), Network Address Translation (NAT), network monitoring tools, and traffic classification, prioritization, and port management services. This dissertation investigates this critical issue and provides a classification model of INS Services that precisely defines the access requirements of a wide list of INS Services. This classification model aims to provide insight into the conflict between the Windows XP/2000 IPSec protocols and INS Services. To resolve this conflict, two models are presented. The first is the IP Option Field Model (IPOFM Model), a flexible and easily implemented solution that allows a wide subset of INS Services to coexist with the transport mode of the Windows 2000 IPSec protocols. It changes neither the IPSec packet format nor the Security Association (SA) mechanism. It does, however, require changes to processing at the source and destination Windows XP machines as well as at any intermediate host that implements an INS Service.
The second model is the Two Layer Protection Model (TLPM Model), which is also flexible and provides a granular solution that enables all types of INS Services to function within the restrictions of the end-to-end security model of the Windows 2000 IPSec protocols in Windows networks. It introduces changes to the IPSec packet format, the SA mechanism, and processing at the source and destination Windows XP machines as well as at any intermediate host that implements an INS Service. The model also introduces processing overhead, as it may need to run two different authentication and/or encryption algorithms.

Using the Windows XP IPSec protocols affects several performance parameters such as scalability, latency, and throughput. Encryption algorithms are a major factor in degrading the throughput of Windows XP networks. The default values of the TCP parameters are not suitable for Windows XP networks that use Gigabit Ethernet. Tuning these parameters, mainly the TCP window size, is needed to improve the performance of the Windows XP IPSec protocols. This dissertation addresses these issues and provides a quantitative analysis of the Windows XP/2000/2003 IPSec protocols.
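The conflict that the classification model describes, as an added illustration that is not code from the dissertation: the script below builds three IPv4 packets carrying the same TCP segment (plain, AH transport mode, ESP transport mode), then shows what an on-path INS service without key material can still read, which is what decides whether a port-based firewall, NIDS, QoS classifier or NAT can work. A fourth packet shows the IP-option idea: a port hint placed in the unencrypted IPv4 option space stays readable even though ESP hides the transport header. The option number 0x9E and its four-byte layout are hypothetical choices for this illustration, not the IPOFM layout (the abstract does not give one); the AH ICV bytes and the ESP ciphertext are constructed placeholders.

```python
"""What an intermediate INS host can read from plain TCP, AH transport and ESP
transport packets, and how an IPv4 option can carry a port hint past ESP.
Added illustration; not code from the dissertation."""
import struct
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

IPPROTO_TCP, IPPROTO_ESP, IPPROTO_AH = 6, 50, 51
# Hypothetical option type (copied=1, class=0, number=30) used only here;
# the abstract does not specify the IPOFM option layout.
OPT_INS_PORTS = 0x9E


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 header checksum: one's-complement sum of 16-bit words."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(proto: int, src: str, dst: str, body: bytes, options: bytes = b"") -> bytes:
    """Build an IPv4 packet; options are padded with EOL (0x00) to a 32-bit boundary."""
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(options) + len(body),
                      0x1234, 0x4000, 64, proto, 0, src_b, dst_b) + options
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + body


def tcp_header(sport: int, dport: int) -> bytes:
    """Minimal 20-byte TCP SYN header (TCP checksum left zero; not needed here)."""
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


def ah_transport(inner: bytes, next_header: int = IPPROTO_TCP) -> bytes:
    """AH header with a 12-byte (HMAC-SHA1-96 size) ICV, then the inner header in clear."""
    icv = b"\xAA" * 12                       # constructed placeholder ICV
    ah_words = (12 + len(icv)) // 4          # AH length in 32-bit words
    return struct.pack("!BBHII", next_header, ah_words - 2, 0, 0x1000, 1) + icv + inner


def esp_transport(ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by an opaque encrypted payload."""
    return struct.pack("!II", 0x2000, 1) + ciphertext


def parse_options(raw: bytes) -> Dict[int, bytes]:
    """Parse IPv4 options into {type: data}; stops at EOL, skips NOP, rejects bad lengths."""
    opts, i = {}, 0
    while i < len(raw):
        kind = raw[i]
        if kind == 0:
            break
        if kind == 1:
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed IPv4 option")
        opts[kind] = raw[i + 2:i + raw[i + 1]]
        i += raw[i + 1]
    return opts


@dataclass
class Visibility:
    proto: int
    src: str
    dst: str
    ports: Optional[Tuple[int, int]]   # what a port-based INS service can use
    ports_source: str                  # "transport header", "ip option" or "hidden"
    nat_compatible: bool               # can a NAT rewrite addresses without breaking the flow?


def classify(pkt: bytes) -> Visibility:
    """What an on-path INS service sees without any IPsec key material."""
    ihl = (pkt[0] & 0x0F) * 4
    if pkt[0] >> 4 != 4 or ihl < 20 or len(pkt) < ihl:
        raise ValueError("not a usable IPv4 packet")
    if ipv4_checksum(pkt[:ihl]) != 0:        # verify before trusting any header field
        raise ValueError("bad IPv4 header checksum")
    proto = pkt[9]
    src, dst = ".".join(map(str, pkt[12:16])), ".".join(map(str, pkt[16:20]))
    opts, body = parse_options(pkt[20:ihl]), pkt[ihl:]
    if proto == IPPROTO_TCP:
        return Visibility(proto, src, dst, struct.unpack("!HH", body[:4]), "transport header", True)
    if proto == IPPROTO_AH:
        # AH authenticates but does not encrypt, so the ports stay readable; its ICV
        # covers the IP addresses, so a NAT rewrite fails verification at the receiver.
        nxt, ah_len = body[0], (body[1] + 2) * 4
        ports = struct.unpack("!HH", body[ah_len:ah_len + 4]) if nxt == IPPROTO_TCP else None
        return Visibility(proto, src, dst, ports, "transport header", False)
    if proto == IPPROTO_ESP:
        # ESP encrypts the transport header. NAT also fails: the inner TCP checksum was
        # computed over the original addresses and is now opaque to the translator.
        hint = opts.get(OPT_INS_PORTS)
        if hint is not None and len(hint) == 4:
            return Visibility(proto, src, dst, struct.unpack("!HH", hint), "ip option", False)
        return Visibility(proto, src, dst, None, "hidden", False)
    raise ValueError("unsupported protocol %d" % proto)


# Constructed sample packets: one TCP segment, three ways of carrying it.
SRC, DST = "10.0.0.5", "10.0.0.9"
TCP = tcp_header(1234, 80)
PLAIN_TCP = build_ipv4(IPPROTO_TCP, SRC, DST, TCP)
AH_PACKET = build_ipv4(IPPROTO_AH, SRC, DST, ah_transport(TCP))
CIPHERTEXT = b"\x5c" * 32                    # stand-in for the encrypted TCP segment
ESP_PACKET = build_ipv4(IPPROTO_ESP, SRC, DST, esp_transport(CIPHERTEXT))
PORT_HINT = struct.pack("!BBHH", OPT_INS_PORTS, 6, 1234, 80)   # hypothetical option
ESP_WITH_HINT = build_ipv4(IPPROTO_ESP, SRC, DST, esp_transport(CIPHERTEXT), PORT_HINT)

if __name__ == "__main__":
    for name, pkt in [("plain TCP", PLAIN_TCP), ("AH transport", AH_PACKET),
                      ("ESP transport", ESP_PACKET), ("ESP + port option", ESP_WITH_HINT)]:
        print(name, classify(pkt))
```

The run shows the shape of the conflict: AH keeps ports visible but blocks NAT, ESP hides ports and also breaks NAT through the encrypted TCP checksum, and only the unprotected option space remains readable to intermediates, which is why an option-based hint restores port-based services without touching the ESP format or the SA, at the cost of a source/destination processing change. Note that such a hint is outside ESP's integrity protection, so an intermediate must treat it as advisory, not as authenticated.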
Keywords/Search Tags: Windows XP, XP IPSec protocols, Security, Model, Network, Services, Provides