Re: VPN vs SSL client side certificates

From: Michael Sharman (msharman_at_internode.on.net)
Date: 09/08/05

    Date: Thu, 08 Sep 2005 16:33:50 +1000
    
    

    Leythos wrote:

    >
    > If you set up SSL on the server and provide secure passwords, then the
    > only way that unauthorized users will get in is to crack a password or
    > an exploit in the OS.

    To lower the risk of password compromise I'm planning to use client side
    certificates to authenticate as well as the passwords, so that a
    stolen/cracked password isn't enough.

    I guess an exploit in the OS is always possible (but the attack surface
    would be reduced by only running the SSL's http server on port 443 and
    refusing connections from the general public).

    >
    >
    > Since I always put services behind firewalls - ones that also act as
    > IPSec and PPTP endpoints, I would suggest that you set up a Firewall
    > Appliance with VPN endpoint access and let people PPTP into the firewall
    > and then have a rule that permits authenticated users to access the
    > website through the tunnel.

    Yes, I'll certainly be putting the service behind a firewall of some
    sort, but was wondering what (if any) value there is in using IPSEC to
    encrypt the already encrypted SSL traffic; it seems unnecessary given
    that I only want to expose a https service.

    Is a VPN useful given that I'm using SSL in this circumstance?

    What security does IPSEC provide that SSL doesn't?

    Would the IPSEC implementation in a firewall appliance be more
    trustworthy than Apache-SSL?
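
The setup described in the message above (an HTTPS-only service that demands a client certificate as well as a password), as an added configuration sketch that is not part of the original post. It assumes Apache httpd 2.4 with mod_ssl rather than the Apache-SSL build the poster mentions; the host name and every file path are placeholders.

```apache
# Added example: assumes Apache httpd 2.4 + mod_ssl. All names and paths are placeholders.
<VirtualHost *:443>
    ServerName intranet.example.com

    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Factor 1: the TLS handshake is refused unless the client presents a
    # certificate issued by this private CA. Point this at the CA that signs
    # user certificates only, never at a public CA bundle.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient       require
    SSLVerifyDepth        1

    # Reject certificates that have been revoked (lost laptop, departed user).
    # The CRL file has to be refreshed before it expires.
    SSLCARevocationFile   /etc/ssl/example/client-ca.crl
    SSLCARevocationCheck  chain

    <Location "/">
        # Factor 2: the password is only asked for inside a session that has
        # already passed certificate verification, so a stolen or cracked
        # password alone does not reach this check.
        AuthType     Basic
        AuthName     "Restricted"
        AuthUserFile /etc/apache2/example.htpasswd
        Require      valid-user
    </Location>
</VirtualHost>
```

Because `SSLVerifyClient require` is set at the virtual-host level, clients without a valid certificate are dropped during the handshake and never reach the HTTP request parser or the password prompt.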

