ICSA Labs White Papers

Third-Party Assurance as a Component of the Enterprise Product Selection Process

This white paper is directed to those persons within the enterprise who contribute to, influence or are ultimately responsible for the product selection function within the procurement process.


IPSEC has many different configuration options that enable an organization to tailor its VPN security to its individual needs. This positive feature of IPSEC can be overwhelming to a network engineer who is not familiar with all of the terminology and configuration options available, which can lead to interoperability problems that are difficult to diagnose. There has been much negative press regarding IPSEC implementations and interoperability due in part to the complexity of configuration. It would be a much better solution if the suite only needed to be enabled instead of having to select the right parameter for each of the numerous cryptographic options.

ICSA Labs Product Assurance Report

Two decades of certification testing has afforded ICSA Labs a great deal of experience and knowledge about common weaknesses in security products. Testing products before they hit the shelves provides insight into what is prone to happen once they leave them. We’ve learned what improves reliability and what tends to detract from it. We’ve seen first hand how often problems occur, what types occur most often, and why they occur. We’ve also seen how vendors respond to these issues and how their actions can affect consumers for better or for worse. This report is an effort to distill observations from the ICSA testing labs along with others from the security product industry over the last 20 years. It is the first step in a larger agenda at ICSA Labs to expand information sharing and collaboration with the security community. Future work will provide additional product-specific findings as well as more detailed analysis. We hope readers find these efforts helpful in their mission to protect information assets and useful to the decisions and deployments made in support of that mission.

Living On the Edge: Understanding the Network Attached Peripherals on Your Network and the Risks They Pose

Understanding the Network Attached Peripherals on Your Network and the Risks They Pose In today’s enterprise, more and more devices are becoming network enabled. Seemingly harmless devices such as printers, security cameras, and UPS systems now frequently come with an Ethernet interface for network connectivity. Most of these devices are designed to work “out of the box” with minimal configuration necessary in order to ensure ease of use. Unfortunately, with this ease of use oftentimes comes increased risk to your network. In an effort to address this emerging threat, ICSA Labs has developed a new program titled Network Attached Peripheral Security (NAPS).

IPSec VPN Advanced Troubleshooting Guide

Due to the complexity of the IKE and IPsec protocols, achieving interoperability in a multivendor environment has always been a significant challenge to VPN administrators. In 1998, ICSA Labs addressed this issue by establishing an IPsec Product Developers Consortium and an IPsec Product Certification Testing Program with interoperability as the primary focus. During the past five years, ICSA Labs analysts have been identifying interoperability problems and determining whether those problems were configuration issues or flaws in the IPsec implementation of the products. The process has helped to develop the troubleshooting skills and techniques that the analysts rely on every day.

Configuration Guidelines for ICSA Labs Certified IPsec Products, Revised Edition

ICSA Labs released the original Configuration Guidelines in October, 2003 to aid VPN administrators in achieving interoperability with ICSA Labs certified IPsec products in a multi-vendor environment. At that time ICSA Labs’ IPsec program had been in existence for more than five years. The program continues today and has expanded to include testing of implementations that support the new IKEv2 protocol (RFC 4306, with clarifications in RFC 4718). This edition contains all the information from the original guidelines, which pertains to IKEv1 VPN products, plus additional guidance for IKEv2 support. The information in this document does not contain specific configuration information for any particular implementation but is a general reference for avoiding common implementation and configuration problems.

IKEv2 Interoperability Workshop IV Test Results San Antonio, Texas

The fourth IKEv2 Interoperability Workshop, hosted by ICSA Labs, was held in San Antonio, Texas May 19-23, 2008 where eight IKEv2 implementations were tested. Of the eight, three implementations were being tested for the first time at an IKEv2 interoperability event. This report summarizes the results of the event noting some of the issues that were uncovered. Also, details of the test plan are included at the end of the report.

SSL VPN Performance Testing Challenges

SSL VPNs are fast becoming the standard for remote access solutions. In addition to providing cryptographically secure access to corporate resources for employees and business partners, SSL VPNs offer many important security features such as end point integrity verification, granular access control, flexible strong authentication options, and session cleanup capability. When evaluating an SSL VPN solution, features and functionality should be the primary concern; however, an organization must have some idea of how the solution will perform once deployed.

NSA IPv6 Fact Sheet

What is IPv6? IPv6 is short for “Internet Protocol version 6.” IPv6 is designed to replace the longtime standard network layer protocol, Internet Protocol version 4 (IPv4). With an increasing number of devices becoming network capable (mobile phones, laptops, PDAs, TVs, etc.), the number of available IPv4 addresses will soon run out. Acknowledging the addressing limitations of IPv4, the Internet Engineering Task Force (IETF) began forming the “IP Next Generation” working group in 1994, and produced what is now titled IPv6.

Factors Affecting Network IPS Throughput

Following the successful completion of network IPS testing, ICSA Labs publishes the throughput that a device was able to sustain. When reflecting upon these reported throughput numbers, end users may question any differences between what ICSA Labs reports and what the vendor claims in its datasheet for the same product. Because there is likely to be a disparity between published throughputs for the same device, end users might be interested to learn what factors can affect the throughput achieved by a network IPS.