
Thread: VPN: SSL vs. IPSEC

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    VPN: SSL vs. IPSEC

    Hi all, I have to start a VPN project and I was just wondering what the pros and cons of both systems are... Any thoughts?

  2. #2
    Shrekkie Reloaded Raiden's Avatar
    Join Date
    Oct 2005
    Posts
    1,115
    Well, that's a big one actually. Both are used quite a lot these days.

    SSL VPN:
    - Mostly used as an "extranet" gateway, providing a secure connection over HTTPS
    - In most cases it is used for partners or remote users, where you do not always know or trust the other side or IP.
    - It is fast and does provide good encryption
    - You can really almost tunnel anything these days.
    - Easy to set up and administer

    IPSEC:
    - Very strong encryption
    - Difficult to set up and administer
    - Robust
    - Mostly used in site-to-site or hub-and-spoke situations, although it is also used for remote users, like SecureClient or NetScreen-Remote
    - You can tunnel between networks, hosts or by rules or crypto access-lists

    This is a speedy comparison, I'll add things later if they come to mind ...

    Greetz,
    Last edited by Raiden; February 2nd, 2007 at 11:31 AM.

  3. #3
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Thank you Raiden. I guess then, that while for IPSec you need either hardware equipment or client software to establish a connection, with SSL you don't? How do you connect then, I mean, how do I tunnel, i.e. RDP, through SSL?

    Thank you again.

  4. #4
    Senior Member bAgZ's Avatar
    Join Date
    Jul 2001
    Posts
    206
    I use a lot of IPsec tunneling with Juniper equipment and also use Juniper SSL VPN. If you use Juniper SSL VPN to connect to your network it will first download a little Java applet. This is used to transform all the requests into an HTTP form. So when you try to RDP or SSH over the SSL VPN it will show you all the sessions inside your browser.
    ----------------------------------------------------------------------------------------------------------
    "If I'd asked my customers what they wanted, they'd have said a faster horse." ~ Henry Ford

  5. #5
    Right turn Clyde Nokia's Avatar
    Join Date
    Aug 2003
    Location
    Button Moon
    Posts
    1,696
    Hi DerekK


    If you have the hardware available to you then personally I would say IPSec is the favourable option to go for.

    Obviously like most things there are methods to attack an IPSec tunnel and an SSL tunnel, however MITM attacks are a little bit easier with an SSL connection (with the required information) whereas they are a touch harder with IKE/IPSec.

    Historically an SSL VPN was commonly used as a VPN solution for, say, a temporary worker or the occasional remote/home worker who only needs access to maybe one or two machines and only for certain applications. However, the advancement in SSL VPNs over the last year or two, especially by Juniper, means an SSL VPN solution is a very viable option for most organisations. Again, historically if any other type of access was required, or even a more unrestricted access to be exact, then IPSec was usually the option to go for - it can be used in Extranet, Site-to-Site and Remote Access VPNs, and contrary to common belief it is not all that hard to set up if you have decent hardware.

    You can even deploy both solutions fairly easily if needs be and indeed most organisations do so.

    It shouldn't really be looked at from a security point of view nowadays, as both protocols are now very similar and provide Authentication, Integrity and Encryption for all data passing through the tunnel. What you need to ask is what your organisational requirements are and which solution will be easiest to roll out and the most affordable.
    Last edited by Nokia; February 4th, 2007 at 12:28 AM.
