VPN vs SSL

Eric Henriksen eric_h at Earthlink.Net
Fri Sep 3 10:26:29 EDT 1999


----- Original Message -----
From: lum <lum at infoexpress.com>
To: fishin <fishin11 at yahoo.com>; <vpn at listserv.secnetgroup.com>
Sent: Thursday, September 02, 1999 2:15 PM
Subject: Re: VPN vs SSL


> >I work at a fortune 500 company where we receive many
> >requests to connect our network with business partners
> >over the Internet.  We have both VPNs and SSL
> >connections.  What I'm looking for is a trade-off
> >matrix (I'll be creating one probably) that will
> >include when you use VPN or SSL and why.  I realize
> >that VPNs will encrypt all traffic while SSL will
> >take care of HTTP application traffic.  I also know
> >that SSL is easier to implement because everyone
> >has browsers today.  I know that VPNs seem to have
> >better authentication (assuming we don't use certs
> >with SSL), but again our HTTP users want to use
> >SSL because it's easier.
>
> There doesn't need to be a tradeoff since some VPNs, like ours, can tunnel
> through SSL from corporate networks. We've found that remote access from
> business partners is somewhat different from remote access for internal
> users because the administrative domain is different, the configuration is
> much more challenging, and the level of transparency has to be much
> higher.

Why would you want to tunnel VPN (IPSec?) through an SSL connection?
Seems that IPSec would handle the browser traffic, but not necessarily the
reverse, as lum indicates.  I'd love to see the trade-off matrix, as I
believe there are real applications for thin client, limited security when
the remote clients are not under direct administrative control, and web
services can address the needs.

However, as Stacey indicates, EDI, or extranet partner links tend to be
more demanding in the breadth of applications (ports and services) that are
required, as well as needing stronger authentication due to the more
'direct' interconnection between the peer networks.
>
> >I also understand once IPSec clients are provided on
> >each desktop (Windows 2000 for example) that VPNs
> >will probably become even easier to deploy from
> >a client standpoint.
>
> For remote access extranets, Windows 2000 will make it easier only if
> companies open up their firewalls to allow bidirectional AH, ESP, and UDP
> for IKE. Of course, these protocols are all stateless which creates all
> sorts of interesting security scenarios.
>
> Because features in the operating system shouldn't drive security policy at
> the firewall, I suspect that Win2000 won't change much in the way of
> deployment for your scenario. Even ignoring the security issues, there are
> the issues involved with merging Microsoft's authentication infrastructure
> between corporations over a very public Internet.

Don't hold your breath for IPSec under W2000.  It's not baked yet, and
will likely have some issues upon general availability.  However, once here,
(and assuming CA technology is broadly available or shared keys are
sufficient) this will relieve a major burden from the VPN market - vendors
and customers alike.  Keeping up with MS code updates and lack
of forward compatibility across their own stuff is not fun for anyone.

Firewall issues are currently being addressed through both the integration
of firewall and VPN technology, as well as the continued acceptance
of VPN gateways as secure devices with public and private interfaces
to serve private extranet traffic in much the same way that firewalls
serve public Internet traffic.

>
> Regards,
> Stacey Lum
> InfoExpress
>
>

****************************************************************
TO POST A MESSAGE on this list, send it to vpn at listserv.secnetgroup.com

The VPN FAQ (under construction) is available at
http://kubarb.phsx.ukans.edu/~tbird/FAQ.html

We are currently experiencing "unsubscribe" difficulties.  If you
wish to unsubscribe, please send a message containing the single line
"unsubscribe vpn your-e-mail-address" to owner-vpn at listserv.secnetgroup.com

****************************************************************
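The firewall point raised in the thread (an IPsec extranet needs AH, ESP and UDP for IKE opened bidirectionally, and none of those carry connection state a packet filter can track, whereas an SSL extranet needs a single stateful TCP/443 hole) can be made concrete with a small policy model. The following is an added Python example and not code from the thread, from InfoExpress or from any list member; the `Flow` type, the `classify`, `ssl_policy`, `ipsec_policy` and `unsolicited_inbound` functions, and the addresses and sample flows are all constructed for illustration. The IP protocol numbers and ports are the standard IANA assignments.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional

# IANA IP protocol numbers and ports (standard values, not taken from the thread).
IP_PROTO_TCP = 6
IP_PROTO_UDP = 17
IP_PROTO_ESP = 50
IP_PROTO_AH = 51
IKE_PORT = 500    # ISAKMP/IKE over UDP
HTTPS_PORT = 443  # SSL-protected HTTP

# Constructed addresses (assumptions for this example only).
WEB_SERVER = "192.0.2.10"            # published HTTPS front end in the DMZ
VPN_GATEWAY = "192.0.2.1"            # public interface of our IPsec gateway
PARTNER_GATEWAYS = {"198.51.100.1"}  # the business partner's IPsec gateway


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None
    inbound: bool = True  # True when the first packet arrives from the public side


def classify(flow: Flow) -> str:
    """Name which of the protocols discussed in the thread this flow belongs to."""
    if flow.proto == IP_PROTO_ESP:
        return "ESP"
    if flow.proto == IP_PROTO_AH:
        return "AH"
    if flow.proto == IP_PROTO_UDP and flow.dport == IKE_PORT:
        return "IKE"
    if flow.proto == IP_PROTO_TCP and flow.dport == HTTPS_PORT:
        return "HTTPS"
    return "other"


def ssl_policy(flow: Flow) -> bool:
    """SSL extranet: one stateful hole, TCP/443 from anywhere to the web front end.
    Return packets ride the TCP connection state the firewall already tracks."""
    return classify(flow) == "HTTPS" and flow.dst == WEB_SERVER


def ipsec_policy(flow: Flow) -> bool:
    """IPsec extranet: AH, ESP and IKE between our gateway and a known partner
    gateway, in both directions. AH and ESP have no ports and IKE is UDP, so a
    packet filter cannot tie replies to a request and has to admit unsolicited
    inbound packets of all three kinds from the partner."""
    if classify(flow) not in ("AH", "ESP", "IKE"):
        return False
    endpoints = {flow.src, flow.dst}
    return VPN_GATEWAY in endpoints and bool(endpoints & PARTNER_GATEWAYS)


def unsolicited_inbound(policy: Callable[[Flow], bool], flows: Iterable[Flow]) -> List[str]:
    """Kinds of inbound, not-internally-initiated flows a policy lets through:
    the exposure one would list for each access model in a trade-off matrix."""
    return sorted({classify(f) for f in flows if f.inbound and policy(f)})


# Constructed sample traffic: a partner link plus a few stray probes.
SAMPLE_FLOWS = [
    Flow("198.51.100.1", VPN_GATEWAY, IP_PROTO_UDP, IKE_PORT),  # partner starts IKE
    Flow("198.51.100.1", VPN_GATEWAY, IP_PROTO_ESP),            # partner ESP tunnel
    Flow("198.51.100.1", VPN_GATEWAY, IP_PROTO_AH),             # partner AH
    Flow("203.0.113.7", VPN_GATEWAY, IP_PROTO_ESP),             # ESP from an unknown host
    Flow("203.0.113.7", WEB_SERVER, IP_PROTO_TCP, HTTPS_PORT),  # browser to the web front end
    Flow("203.0.113.7", "10.0.0.5", IP_PROTO_TCP, HTTPS_PORT),  # HTTPS aimed at an internal host
    Flow("203.0.113.7", VPN_GATEWAY, IP_PROTO_UDP, IKE_PORT),   # IKE probe from an unknown host
]

if __name__ == "__main__":
    for name, policy in (("SSL", ssl_policy), ("IPsec", ipsec_policy)):
        print(f"{name:6} admits unsolicited inbound: {unsolicited_inbound(policy, SAMPLE_FLOWS)}")
```

Run as a script it prints that the SSL model admits only unsolicited HTTPS (to the one published server), while the IPsec model must admit unsolicited AH, ESP and IKE from the partner gateway; the stray ESP and IKE probes from the unknown host are rejected by the gateway-pair check, which is the only thing standing in for connection state in that model.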