VPN vs SSL client side certificates

From: Michael Sharman (msharman_at_internode.on.net)
Date: 09/06/05

Next message: Xavier: "x509 - Server Authentication - no CN, just subject alternative Names"

Previous message: Walter Roberson: "Re: Using Skype from corporate network ... ?"
Next in thread: Leythos: "Re: VPN vs SSL client side certificates"
Reply: Volker Birk: "Re: VPN vs SSL client side certificates"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Tue, 06 Sep 2005 12:48:37 +1000

Hi, I've been asked to setup a web server for a site with security
concerns. Basically they want to make sure that the data on any of the
web pages can't be accessed (accidentally or maliciously) by anyone
apart from authorised parties.

One suggestion was to setup a VPN (which I'm reading to mean some IPSEC
variant), but in my experience using protocols such as IPSEC this can
cause a lot of hassle in terms of home ADSL and/or firewall/NAT setups
that are tricky if not impossible to configure to allow IPSEC traffic.

Also, I want to reduce the difficulty in configuring access to the system.

My question is, would a simple SSL web server (e.g. Apache) with client
side certificate authentication on top of username/password access
provide equivalent security to a VPN setup (considering that the server
will _only_ run the SSL web server).

My thoughts are that provided there are no other services apart from
port 443 running on the machine then the risk of the data being
compromised is reduced to:
        - stealing the certificate from any of the authorised machines
          AND guessing or stealing a valid username/password
        - compromising the SSL protocol itself ( or it's implementation)
        (- and of course the usual social engineering or virus/trojan etc. but
these wouldn't be mitigated by a VPN anyway)

Which I think pretty much puts it close to the level of security
provided by a VPN except, I guess, the authenticated headers (AH protocol).

Am I missing anything important in this analysis? (Like can you trust
the IPSEC implementation to have less likelihood of being compromised
than the Apache SSL implementation? Or are is there any way to
compromise SSL because the TCP/IP headers aren't authenticated or
encrypted?)

Cheers,

Michael

-- 
Michael Sharman <msharman@internode.on.net>

Next message: Xavier: "x509 - Server Authentication - no CN, just subject alternative Names"

Previous message: Walter Roberson: "Re: Using Skype from corporate network ... ?"
Next in thread: Leythos: "Re: VPN vs SSL client side certificates"
Reply: Volker Birk: "Re: VPN vs SSL client side certificates"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

VPN vs SSL client side certificates
... I've been asked to setup a web server for a site with security ... One suggestion was to setup a VPN (which I'm reading to mean some IPSEC ... would a simple SSL web server with client ...
(comp.security.ssh)
Re: VPN vs SSL client side certificates
... I've been asked to setup a web server for a site with security ... There are other VPN solutions, ...
(comp.security.misc)
Re: VPN vs SSL client side certificates
... I've been asked to setup a web server for a site with security ... There are other VPN solutions, ...
(comp.security.ssh)
RE: XP Pro as Web Server w/Firewall?
... > How about if I install Virtual PC and create a small image for my web server? ... you don't expose port 80 to the web until you learn about security. ... just setup the machine correctly and go at it. ...
(microsoft.public.windowsxp.network_web)
[CORE-2010-0121] Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers
... Core Security Technologies - CoreLabs Advisory ... Multiple Vulnerabilities with 8.3 Filename Pseudonyms in Web Servers ... Nginx Web Server. ...
(Bugtraq)