Enabling the Intelligent Network Services in the Presence of the End-to-End Security Model of Windows XP’s IPSec Protocol

 Performance Evaluation and Refinement of the End-to-End Security Model of Windows XP’s IPSec Protocol Implementation


Ph.D. Student:  Nasser Z. Almeshary


Providing security and maintaining efficient communications are two conflicting notions. Two conflicting trends are taking place in building computer networks operated by disjointed groups.  The first one is to integrate more intelligence into networking devices such as switches, routers, and hosts, so that the network is not limited to acting as a communication medium but also provides intelligent services and mechanisms such as traffic prioritization and classification, bandwidth management, Quality of Service, TCP performance enhancement, Network Address Translation (NAT), firewalls, and Intrusion Detection Systems (IDS).  The second trend is to guarantee information security by providing an end-to-end secure channel between communicating nodes.  This secure channel provides security services such as confidentiality, integrity, authentication, and anti-replay for each packet passing through it.  With the advent of the Internet, security has become the major building block in building networks.

IPv4 was designed without any security concerns.  This has led to different types of attacks.  The IETF proposed the IPSec standard as the main vehicle for securing traffic in IP networks.  IPSec can be used to provide secure virtual channels for applications, for a remote user logging in to the corporate private LAN, for a pair of computers, or even for entire LANs.

Microsoft Windows operating systems are one of the major driving forces in building computer networks.  They have integrated IPSec and provide three scenarios for using it, each of which allows users' application data to be exchanged transparently over an authenticated, anti-replayed, and secure channel.  These scenarios are: the End-to-End Security Model between any two hosts in a LAN, the Gateway-to-Gateway Security Model between two networks in a WAN, and the Client-to-Gateway Security Model for remote users.


The End-to-End Security Model in a Windows XP-based LAN has introduced new critical problems.  No intermediate node in the path of Windows XP's IPSec traffic is allowed to access the IP header to perform intelligent functions.  The trend of integrating more sophisticated intelligent services into network devices such as routers, switches, and hosts, so that they can provide traffic prioritization and classification, bandwidth management, Quality of Service, TCP performance enhancement, Network Address Translation (NAT), firewalls, and Intrusion Detection Systems (IDS), is in direct conflict with the proliferating use of Microsoft Windows's IPSec in LANs.  With the advent of IP version 6, where IPSec is mandatory, facing these problems will be inevitable.
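To make the conflict described above concrete, the following added example (written for this page; it is not part of the original proposal and not Windows XP's own IPSec code) parses two constructed IPv4 packets the way a simple middlebox classifier would.  The first carries a plain TCP header, so the classifier can read the ports and assign a traffic class; the second carries the same traffic inside ESP (IP protocol 50), where only the SPI and sequence number remain readable and the port-based classification has nothing to work on.  The addresses, the port-to-class table, and the dummy "ciphertext" bytes are constructed for the illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

IPPROTO_TCP = 6
IPPROTO_ESP = 50

# Hypothetical QoS policy of an intermediate node: traffic class by destination port.
PORT_CLASSES = {80: "web", 443: "web", 22: "interactive"}


@dataclass
class MiddleboxView:
    """Everything an intermediate node can learn from one packet."""
    src: str
    dst: str
    proto: int
    src_port: Optional[int]
    dst_port: Optional[int]
    spi: Optional[int]
    traffic_class: str


def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum over the IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _aton(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def _ntoa(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) with a valid checksum."""
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload),
                         0x1234, 0, 64, proto, 0, _aton(src), _aton(dst))
    csum = ipv4_checksum(header)
    header = header[:10] + struct.pack("!H", csum) + header[12:]
    return header + payload


def build_tcp_header(sport: int, dport: int) -> bytes:
    """20-byte TCP SYN header with zero seq/ack; enough for port-based classification."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """ESP header (SPI, sequence number) followed by the opaque encrypted body."""
    return struct.pack("!II", spi, seq) + ciphertext


def classify(packet: bytes) -> MiddleboxView:
    """Parse one IPv4 packet as an intermediate node would, reading only cleartext fields."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    if ipv4_checksum(packet[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    proto = packet[9]
    src, dst = _ntoa(packet[12:16]), _ntoa(packet[16:20])
    payload = packet[ihl:]

    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        # Cleartext transport header: the node can prioritize, translate or filter by port.
        return MiddleboxView(src, dst, proto, sport, dport, None,
                             PORT_CLASSES.get(dport, "best-effort"))

    if proto == IPPROTO_ESP and len(payload) >= 8:
        spi, _seq = struct.unpack("!II", payload[:8])
        # Only the SPI and sequence number are readable; the transport header is encrypted,
        # so port-based QoS, NAT port translation and payload inspection have no input.
        return MiddleboxView(src, dst, proto, None, None, spi, "opaque-esp")

    return MiddleboxView(src, dst, proto, None, None, None, "unknown")


if __name__ == "__main__":
    clear = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, build_tcp_header(40000, 80))
    # Constructed stand-in for an encrypted TCP segment; real ESP bodies are not parseable.
    secured = build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_ESP, build_esp(0x1000, 1, b"\x00" * 40))
    print(classify(clear))
    print(classify(secured))
```

Running the script shows the cleartext packet classified as "web" from its destination port, while the ESP packet yields only source, destination and SPI, which is exactly the information loss that the services listed above must cope with.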


The aim of this research is to highlight these problems and find the best solutions so that Microsoft Windows XP's IPSec implementation in LANs can co-exist with intelligent network services.  It also evaluates and analyzes the performance of the IPSec implementation in the current Microsoft Windows OS, which is Windows XP.


The detailed goals of this research are to: (1) investigate the problems associated with the End-to-End Security Model of Windows XP's IPSec and how its use in Windows-based networks might deactivate many intelligent network services; (2) evaluate some of the existing solutions and argue why they are not suitable for integration into Windows XP's IPSec implementation; (3) propose several solutions to these problems; (4) evaluate some of the inevitable sophisticated network services under the proposed solutions to see how each one can co-exist with these solutions; (5) present a risk analysis to understand how these solutions might affect network security when they are implemented under certain conditions.


It is also the goal of this research to: (1) evaluate and analyze the scalability of the current implementation of Windows XP's IPSec in terms of the number of simultaneous IPSec connections that can be established, IPSec implementation latency, throughput capacity, and CPU utilization; (2) evaluate and analyze the interoperability of the Windows XP VPN implementation with other VPN solutions; (3) evaluate and identify the key parameters in the Windows XP IPSec implementation and how they affect performance; (4) evaluate and analyze the co-existence of the Windows XP IPSec implementation with NAT implementations.