VPN vs SSL client side certificates
From: Michael Sharman (msharman_at_internode.on.net)
Date: Tue, 06 Sep 2005 12:48:37 +1000
Hi, I've been asked to set up a web server for a site with security
concerns. Basically they want to make sure that the data on any of the
web pages can't be accessed (accidentally or maliciously) by anyone
apart from authorised parties.

One suggestion was to set up a VPN (which I'm reading to mean some IPSEC
variant), but in my experience using protocols such as IPSEC this can
cause a lot of hassle in terms of home ADSL and/or firewall/NAT setups
that are tricky if not impossible to configure to allow IPSEC traffic.
Also, I want to reduce the difficulty in configuring access to the system.

My question is, would a simple SSL web server (e.g. Apache) with client
side certificate authentication on top of username/password access
provide equivalent security to a VPN setup (considering that the server
will _only_ run the SSL web server)?

My thoughts are that provided there are no other services apart from
port 443 running on the machine then the risk of the data being
compromised is reduced to:

- stealing the certificate from any of the authorised machines
  AND guessing or stealing a valid username/password
- compromising the SSL protocol itself (or its implementation)
(- and of course the usual social engineering or virus/trojan etc. but
these wouldn't be mitigated by a VPN anyway)

Which I think pretty much puts it close to the level of security
provided by a VPN except, I guess, the authenticated headers (AH protocol).

Am I missing anything important in this analysis? (Like can you trust
the IPSEC implementation to have less likelihood of being compromised
than the Apache SSL implementation? Or is there any way to
compromise SSL because the TCP/IP headers aren't authenticated or
-- Michael Sharman <email@example.com>
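
The setup asked about above (client certificate required, with username/password on top), as an added example that is not part of the original message. It assumes Apache 2.4 with mod_ssl; the host name and all file paths are placeholders.

```apache
# Added example: names and paths are placeholders, not from the post.
Listen 443

<VirtualHost *:443>
    ServerName secure.example.com

    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/server.crt
    SSLCertificateKeyFile /etc/apache2/ssl/server.key

    # Factor 1: a client certificate is demanded during the TLS handshake.
    # Setting this at virtual-host level (not per directory) means no HTTP
    # request is parsed for a client that cannot present a valid certificate.
    SSLVerifyClient require

    # Trust only a private CA that issues certificates to authorised
    # machines. Pointing this at a public CA bundle would accept any
    # certificate those CAs have ever issued.
    SSLCACertificateFile /etc/apache2/ssl/client-ca.crt

    # Client certificates must be signed directly by that CA.
    SSLVerifyDepth 1

    # A certificate stolen from an authorised machine stays valid until it
    # expires unless revocation is checked, so publish and load a CRL.
    SSLCARevocationFile  /etc/apache2/ssl/client-ca.crl
    SSLCARevocationCheck leaf

    <Location />
        # Factor 2: username/password, checked only after the certificate
        # has been verified and the channel is encrypted.
        AuthType Basic
        AuthName "Restricted"
        AuthUserFile /etc/apache2/htpasswd
        Require valid-user
    </Location>
</VirtualHost>
```

With this layout the certificate check happens before any request is processed, and the password check applies to every path under the virtual host.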