VPN vs SSL

Ryan Russell Ryan.Russell at sybase.com
Wed Sep 1 22:38:05 EDT 1999 



>I work at a fortune 500 company where we receive many
>request to connect our network with business partners
>over the Internet.  We have both VPN's and SSL
>connections.  What I'm looking for is a trade-off
>matrix (I'll be creating one probably) that will
>include when you use VPN or SSL and why.  I realize
>that VPN's will encrypt all traffic while SSL will
>take care of HTTP application traffic.

Well, there's the key differentiator there.  For practical
purposes, SSL is only good for HTTP (and possibly
IMAP and FTP).  VPNs can do arbitrary protocols,
dependng on product chosen.

SSH also fits into a similar good-for-a-handful-of-protocols
category.

>I also know
>that SSL is easier is to implement because everyone
>has browsers today.

Most VPN software is fairly intrusive in the client.  It would be
no fun supporting external people with your VPN client.

>I know that VPN's seem to have
>better authentication (assuming we don't use certs
>with SSL), but again our HTTP users want to use
>SSLbecause its easier.

I think that's an assumption, and possibly not correct.
You ought to be able to use even OTP mechanisms
if you do a clever, well-designed cookie mechanism.

>I also understand once IPSec clients are provided on
>each desktop (Windows 2000 for example) that VPN's
>will probably become even easier to deploy from
>aclient standpoint.

We can hope.  I wouldn't count on it being real easy for
some time still.  MS can do wonders to advance certain
makets by including something in their OS, but then
you get it MS's way.

                    Ryan


****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************

More information about the VPN mailing list