
SSL Vs VPN

Status
Not open for further replies.

Guest_imported

New member
Jan 1, 1970
0
Hi,

Could anyone tell me when SSL is sufficient for carrying out transactions over the internet, when the transaction data includes sensitive information? When would it be necessary to employ a VPN?

Thanks
 
SSL is used to encrypt a web session only, and is needed for e-commerce. VPN permits secure remote access to your network (protocols other than so that people working from home can "dial-in" to access corporate resources (databases, source-code control systems, email, etc)

Chip H.
 
Hi.

My opinion is that SSL is good enough.
You should use strong 128-bit encryption, and authenticate incoming users against strong passwords.

VPN traffic is more secure because it can encrypt at a lower layer, so an attacker will need to dig further for the sensitive info.

VPN might have a disadvantage if configured to allow full access (all internal IP addresses and ports) for remote clients. If an attacker succeeds in establishing a VPN connection to your site, he will be able to do a lot more than only accessing the web site.

Bye
Yizhar Hurwitz
 
This sounds like one of the questions from last Saturday's CISA exam!
 
SSL can be "good enough" if two-way authentication is used. However, most sites simply authenticate the server to the client, not the client to the server (requires that each client have a Cert from a recognized CA).

Using one-way authentication means that the attacker knows he has the right server, but you have no idea who the attacker is.

As far as encryption protection is concerned, either is sufficient, with SSL yielding a slightly stronger encryption than the 3DES IPSEC VPN.

You can also use the SSL algorithms for encrypting traffic other than web by using TLS. Same algorithms, key exchange and handshaking, just does it for any TCP connection.

And yizhar is correct. Even if you use a VPN, you want to restrict the ports/protocols that are allowed so that you provide some level of protection if someone hacks your VPN. Or more likely, installs a remote control trojan application on one of your VPN clients. That can happen easily if you allow people to install the client on their personal machines.

pansophic
 
SSL is bound to a single protocol, http.
IPSec is transport level so any service, application transmissions are protected.
I haven't seen SSL change for years.
AES is pretty frickin unbreakable.
SSL is a canned old technology, including Aventail's efforts, while IPSec has more legs.

any takers?

 
Most applications that are using SSL
- do not require a client certificate, because the end user needs to install something on the client
- allow downgrading SSL versions for compatibility reasons

In short: in most cases, SSL is vulnerable to a MITM attack, whereas IPSec is more mature and considered to be safer.


--------------------------------------------------------------------
--------------------------------------------------------------------
How can I believe in God when just last week I got my tongue caught in the roller of an electric typewriter?
---------------------------------------------------------------------
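The two weaknesses raised in the posts above (server-only authentication and permitted version downgrade) can be checked on a server's TLS configuration. This is an added example, not code from any poster in the thread; the function names, the finding labels and the TLS 1.2 floor are assumptions chosen for illustration.

```python
import ssl

def compat_server_context():
    """One-way setup as the posts describe: the client is anonymous
    and legacy protocol versions are accepted for compatibility."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE                      # no client certificate requested
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx

def mutual_auth_server_context(client_ca_file=None):
    """Two-way setup: the handshake fails unless the client presents a
    certificate that chains to a CA the server trusts."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2         # assumed floor for this example
    if client_ca_file:                                   # hypothetical path to the client CA bundle
        ctx.load_verify_locations(cafile=client_ca_file)
    # A real server also needs ctx.load_cert_chain(...) for its own certificate.
    return ctx

def audit_server_context(ctx, floor=ssl.TLSVersion.TLSv1_2):
    """Return a list of findings for a server-side SSLContext."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client-unauthenticated")
    if ctx.minimum_version < floor:
        findings.append("version-downgrade-allowed")
    return findings

if __name__ == "__main__":
    for name, ctx in (("compat", compat_server_context()),
                      ("mutual", mutual_auth_server_context())):
        print(name, audit_server_context(ctx) or "no findings")
```
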
 
Chip,

"SSL is used to encrypt a web session only"

This is incorrect. SSL can be used for a lot of other connections and is built into other software, not just web browsers. It's most commonly used in HTTPS connections, but HTTPS is distinct from SSL really.

Just because most cars use tires, doesn't mean all cars use tires! Some might use, well, hmmm, I dunno, but some might use something else! :)

Nathan aka: zaz (zaznet)
zaz@zaz.net
 
The question was
"is sufficient for carrying out transactions "

so SSL over SMTP helps her?
Didn't think so.

Yes SSL has no mechanism for going beyond 128bits in IE unless you use certificates.

but there are pros and cons to every technology.
VPN is a network layer protection for all, some or no traffic.
SSL is an application that is also tacked onto HTTP, SMTP, or other protocols.

 
bytehd said:
"Yes SSL has no mechanism for going beyond 128bits in IE unless you use certificates."

Internet Explorer supports 3DES, which uses a key length of 168 bits. Also, the use of certificates in SSL is the de facto standard (the server normally identifies itself with a certificate and may request the client to do the same).

There is some bad information about SSL in this thread. If anyone is interested in learning about the SSL protocol, consider Eric Rescorla's book "SSL and TLS: Building and Designing Secure Systems", or check out the "Security Basics" forum over at Closed Socket (


 