Re: Use of SSL as a VPN
From: Lassi Hippeläinen (lahippel@ieee.orgies.invalid)
Date: 02/17/03
From: Lassi Hippeläinen <lahippel@ieee.orgies.invalid> Date: Mon, 17 Feb 2003 08:45:09 GMT
Matthew Lange wrote:
>
> I hope this question has not been asked before. I haven't read this
> newsgroup in a few months...

Not here, but in the comp.security.* branch you might see it more
often...

> Here's the question: Is a SSL VPN as/more secure than an IPSEC VPN?

It can be less secure. But you have to discuss separately data security
and host security. Both are about as secure for data, but IPSec gives
better protection for the host, because it works lower in the protocol
stack.

The prices will depend on what is included. IPSec is heavy-duty and
offers better central management, i.e. it scales better to huge numbers
of users. But you probably have to buy the client and the management
system. In some cases the clients are free, if you buy the corporate end
from vendor X. (Don't be fooled - the clients are as free as the
lunch...)

SSL clients come for free. If the number of users is reasonable (doesn't
require policy-based management) their total cost shouldn't be too high.

There's also the communication cost. Cellular users don't like SSL, if
they have to negotiate a separate security association for each service.
With IPSec you can use the services of a host (or a subnet) over a
single SA.

-- Lassi

> I ask this for several reasons:
> * The business folks at my company seem to think that cheaper is better
> (i.e. SSL VPN = cheap = good and IPSEC = expensive = bad).
> * My coworker and I have done some preliminary walkthroughs of the
> SSL crypt (caveat: we're not cryptographers) and can't recommend
> SSL as a VPN solution, as it lacks (by default) perfect
> forward secrecy (PFS). It's our understanding that using DH keys
> will give you PFS.
> * Several vendors are telling us that using SSL is easy/cheap/good and
> using IPSEC is difficult/expensive/problematic and we want to dispel
> this FUD to our upper management.
>
> Can *anyone* help us here?
>
> Thanks in advance for any help with this...
>
> - Matt Lange