IPsec vs SSH (Was Re: in.telnetd vulnerability??)

From: Darren Moffat (Darren.Moffat@eng.sun.com)
Date: 08/03/01


Message-Id: <200108032116.f73LGjb984839@jurassic.eng.sun.com>
Date: Fri, 3 Aug 2001 14:15:28 -0700 (PDT)
From: Darren Moffat <Darren.Moffat@eng.sun.com>
Subject: IPsec vs SSH (Was Re: in.telnetd vulnerability??)
To: adam@gmi.com


>unsupported configuration. So I've been kicking around ssh vs. ipsec
>internally. I'm leaning towards either ipsec or skip (total ip encryption) as
>opposed to just ssh. (granted, the vulnerability is still there, but yeah.)

Just to add more to the mix, what about kerberized telnet/rlogin/rsh/ftp/NFS.

On the IPsec vs SSH: the two protocols have very different goals.

IPsec is about protecting everything on the network and isn't about user
authentication.

The SSH protocols contain user and host authentication as well as provision
for protecting the traffic en route, but it is really just telnet on some
serious drugs.

What exactly is the threat you want to protect against?

If it is just network snooping and you control the whole network then
IPsec might be a very good idea, since SSH only helps the "remote login"
traffic it won't help your SQL lookups to your Oracle DB or your http
lookups to that important intranet site.

Both are very good solutions for what they do but you need to fully
understand what it is you want to protect against.

IPsec and Kerberos (via SEAM) are your options if you want a fully
supported solution from Sun.

--
Darren J Moffat


