My organization has a security office who is trying to make our IT department's security posture hyper-secure. One suggestion that the security officer is pushing hard is that all internal "data in transit" is encrypted with IPSec (they're not talking about WLAN). He envisions our Windows servers and our Windows XP clients transferring data only over IPSec with AH and ESP only (OS doing the encryption). Nothing in the clear on the LAN.
While I understand the need for security, encryption for "data at rest" and the absolute need for encryption as one of the security elements outside of our corporate LAN, it seems to me that we would lose a lot more than we gain if this proposal is implemented by management. My concerns are:
1. We lose the ability to effectively apply QoS / CoS based on application type (everything comes across as port 500)
2. Losing QoS / CoS makes our multi-service network supporting Unified Communications (VoIP) much less predictable
3. We lose the ability to create an application-aware network (meaning I can't apply PBR, advanced security features such as the ASA BotNet detector, have automatic trust boundaries set up with CDP, etc.)
4. Because it appears that the network becomes little more than dumb pipes, if a server becomes compromised, we have no additional lines of defense (meaning we don't have network based behavior analytics, firewall policies, in-line AV, IPS/IDS, etc.)
5. We lose the ability to use tools like NetFlow and perhaps IPSLA.
It seems that if complete LAN encryption (using the OS as the encrypting engine) does turn the network into dumb pipes, the network actually becomes less secure.
Is anyone actually performing total LAN encryption or is this just a security pipe dream? If someone is doing this, how is QoS / CoS supported? How is capacity planning performed? How do you identify top applications (many of our applications reside on the same server and have the same IP address)?
If this is a bad concept, what kind of technical rebuttals should be used?
Thanks for your feedback!
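To make concern 1 concrete, here is an added illustration (not part of the original post): a small Python model of what a port-based QoS classifier on a switch or router can see when a packet is plain UDP versus when the same flow is wrapped in ESP, and how classification can fall back to the DSCP value that the sending host marks in the (still visible) IP header. Packet bytes, SPI and DSCP values are constructed sample input.

```python
import struct

ESP, TCP, UDP = 50, 6, 17           # IP protocol numbers
PORT_CLASSES = {5060: "voice-signalling", 3389: "remote-desktop"}
DSCP_CLASSES = {46: "voice-bearer", 24: "voice-signalling"}  # EF=46, CS3=24

def ipv4_packet(proto, dscp, payload):
    """Build a minimal 20-byte IPv4 header (constructed sample; checksum left zero)."""
    tos = dscp << 2                  # DSCP sits in the top 6 bits of the ToS byte
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0, 0, 64,
                      proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

def classify(pkt):
    """What a network device can read without the IPsec keys."""
    ihl = (pkt[0] & 0x0F) * 4        # header length in bytes
    dscp = pkt[1] >> 2
    proto = pkt[9]
    l4 = pkt[ihl:]
    if proto in (TCP, UDP):          # clear traffic: ports are visible
        sport, dport = struct.unpack("!HH", l4[:4])
        return {"proto": proto, "dscp": dscp, "ports": (sport, dport)}
    if proto == ESP:                 # ESP: only SPI and sequence number are readable
        spi, _seq = struct.unpack("!II", l4[:8])
        return {"proto": proto, "dscp": dscp, "spi": spi}
    return {"proto": proto, "dscp": dscp}

def qos_class(pkt):
    """Port-based policy when ports are visible; otherwise trust the host-set DSCP."""
    info = classify(pkt)
    if "ports" in info:
        for port in info["ports"]:
            if port in PORT_CLASSES:
                return PORT_CLASSES[port]
        return "best-effort"
    return DSCP_CLASSES.get(info["dscp"], "best-effort")

if __name__ == "__main__":
    sip = struct.pack("!HHHH", 40000, 5060, 8, 0)            # UDP header to port 5060
    esp = struct.pack("!II", 0x1234, 1) + b"\x00" * 16        # ESP header + opaque payload
    print(qos_class(ipv4_packet(UDP, 0, sip)))                # voice-signalling
    print(qos_class(ipv4_packet(ESP, 0, esp)))                # best-effort (ports hidden)
    print(qos_class(ipv4_packet(ESP, 46, esp)))               # voice-bearer (via DSCP)
```

The middle case is the failure mode described above: once ESP hides the ports, an unmarked packet collapses to best-effort, so a LAN-wide IPsec rollout has to be paired with trustworthy end-host DSCP marking for QoS to survive.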