VPN vs SSL

Rick Smith rick_smith at securecomputing.com
Fri Sep 3 12:21:11 EDT 1999


The choice really depends on the business requirements - what must you
achieve and how much flexibility do you have to modify work processes. It
sounds as if you already have SSL in place, or at least you realize it's
off the shelf today so you could start using it tomorrow.

Today, IPSEC seems better suited for site to site crypto. It puts the
fewest restrictions on application protocols. Road warriors can use it on
laptops, of course, but it's still much harder to manage than SSL, which
makes it less reliable. Client based public key authentication is available
in both IPSEC and SSL, but it's not common enough that people in general
understand how to use it reliably and safely. So it's best to restrict 

On the other hand, you need to be clever about structuring your network if
you're giving your business partners IPSEC access to it. Ideally, you need
internal firewalls to keep company sensitive information and services away
from the outsiders.

If the business partners are mostly going to access Web based resources,
then SSL is an obvious choice. Most information these days can be twisted
into something that can live on a web page. That might be easier than
managing the security implications of giving outsiders access to your
internal proprietary network.

If you're concerned about password sharing in Web accesses, you can buy
third party authentication solutions (like the tokens from Safeword and
SecureID). People can't give access to other people without giving up their
token as well.


Rick.
smith at securecomputing.com
"Internet Cryptography" at http://www.visi.com/crypto/
