[VPN] VPN or SSL?

shannong shannong at texas.net
Sun Dec 1 10:30:51 EST 2002


The 128-bit encryption level of SSL is sufficient in my opinion for data
encryption in most cases.  Although, IPSec provides better data
authenticity services than SSL.  The problem I have with SSL access to
web sites is that the entire Internet will have access to your web
server.  Obviously, hacking into a web server is a trivial thing these
days.  While SSL may provide encryption of your username/password logins
and application data, your security problem will be that a server with
access to privileged data will be an open target to the Internet.   

In this scenario, VPNs are better in that a user is authenticated at the
ingress point of the network by a device that has few services to
exploit (firewall, VPN concentrator, etc.).  This means the Internet
never gains access to your web server, only validated users.

Of course, the VPN solution will provide support for your apps that
don't have SSL capability either.

SSL accelerator cards simply terminate the users' SSL session in front
of the web server, and then pass the session along as clear text to the
target web server.  This means the server doesn't have to use up its CPU
doing encryption.  One thing you may want to consider is an SSL
accelerator that authenticates the user and then not allow any HTTP
access to the app servers.  This means that the accelerator would be
authenticating users at ingress when starting the SSL session.  In this
way, the Internet at large wouldn't have access to your web servers--
only users already authenticated over SSL.

-Shannon

-----Original Message-----
From: vpn-admin at lists.shmoo.com [mailto:vpn-admin at lists.shmoo.com] On
Behalf Of James McLintic
Sent: Thursday, November 28, 2002 12:49 PM
To: vpn at lists.shmoo.com
Subject: [VPN] VPN or SSL?



Hi All,

Can anyone point me in the right direction please?  I'm designing a new
technical infrastructure for a HR managed services organisation and I'm
not sure whether to use VPN or SSL.  Essentially my client (customer in
this case) will provide web-enabled self-service HR applications delivered
over the Internet to their customers who are medium sized organisations.
These customer organisations are assumed to have high speed internet
access.  Now there may be a need for a few users to use a Win32 app, (SAP
GUI) - hence the possible requirement for a VPN.  The problem as I see
it with a VPN in this case is the headache of managing multiple VPNs to
different customer organisations - the box at either end in most cases
will need to match and customers may have their own VPN box already.
That sounds like something best to avoid!  So what about SSL - well it
sounds good in that we can select which content is encrypted and which
isn't but is there a speed issue with SSL?  I know of SSL Accelerator
cards which take the load off the server's encryption process but will it
adversely affect the user's experience - i.e. will it be significantly
slower than plain http? We will need some form of encryption/security
for certain parts of the HR portal but more importantly we need to make
the customer organisations feel confident that their data is secure -
VPNs may give them more comfort than SSL I think.

What does anyone else think?

_______________________________________________
VPN mailing list
VPN at lists.shmoo.com
http://lists.shmoo.com/mailman/listinfo/vpn
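
The ingress design from the reply above (terminate SSL in front of the app server, authenticate there, pass clear text inward), sketched as an nginx reverse-proxy configuration. This is an added example, not part of the thread; client certificates as the authentication method, the hostname, file paths and the 10.0.0.10 backend address are all assumptions.

```nginx
# Added example, not from the thread. Belongs inside the http {} context.
# Hostname, file paths and the backend address are placeholders.

upstream hr_app {
    # App server on an internal segment. It should accept connections only
    # from this gateway; enforce that with a firewall rule or host ACL.
    server 10.0.0.10:8080;
}

server {
    listen 443 ssl;
    server_name portal.example.com;

    ssl_certificate     /etc/nginx/tls/portal.crt;
    ssl_certificate_key /etc/nginx/tls/portal.key;

    # Authenticate the user at ingress, before any request reaches the app.
    # Assumption: customers hold client certificates issued by a private CA.
    ssl_client_certificate /etc/nginx/tls/customer-ca.crt;
    ssl_verify_client on;    # requests without a valid client cert are rejected
    ssl_verify_depth 2;

    location / {
        # TLS ends here; the hop to the app server is clear text, so it
        # must stay on a trusted network segment.
        proxy_pass http://hr_app;

        # Overwrite any client-supplied copies of these headers so the app
        # can trust the identity the gateway verified.
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
        proxy_set_header X-Client-Verify   $ssl_client_verify;
        proxy_set_header X-Forwarded-Proto https;
    }
}

# No plain-HTTP path to the application: port 80 only redirects.
server {
    listen 80;
    server_name portal.example.com;
    return 301 https://$host$request_uri;
}
```

The gateway is only an ingress control if the app server refuses direct connections; if it is also reachable from the Internet, the identity headers can be forged by anyone who bypasses the proxy.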