SSL versus IPsec: some considerations

Posted: July 24, 2008 in 64-Bit, Posts

We asked NCP’s Joerg Hirschmann to take look at the arguments presented in Reliable Systems’ recent post, “Remote Access for Everyone,” and offer some respectful criticism of the case made for SSL versus IPsec. Quotations below are from the original article, with Joerg’s comments following.

Installation:

The success rate for an average user being able to install an IPSec client and get the VPN tunnels to work, even with phone support, was around 15%. Most of the time the user had to bring in the computer or we had to send a tech on site.

Management based native VPN installations are pre-configured by central administration. Configurations will be created automatically using a leading internal database like Active Directory. Users do not encounter configuration issues at all! They cannot even change VPN related settings. Pre-installed basic settings, getting personalized at first connection = Plug & Play VPN.

Compatibility:

Different physical network technologies – notably DSL – run into performance problems with IPSec in many configurations, requiring adjustments on the client, routers, or other things that you just can’t expect end users to understand.

A communication suite deals not only with the VPN part but also takes care of connecting the client safely and with the highest possible performance with the internet with only one goal: establish the VPN tunnel. The user does not even need to know the communication media; the client will select it automatically.
In general SSL VPN has much more performance issues than an IPsec based VPN which is primarily based on the protocol in use.

Portability:

IPSec is very easy to block on a network. In fact, it took some time for most network routers to be compatible with IPSec. Now try to get it to work at 8 PM over a wireless network in a hotel in Buffalo.

For this reason the client must be able to provide alternative tunneling protocols. If IPsec is blocked it must be able to use SSL tunneling as well.

SSL is Simple, IPSec is complicated:

SSL is a single TCP/IP socket with a relatively straightforward, self-configuring, and invisible to intervening appliances.

IPsec is as complicated as the solution installed. It can be as easy as SSL and offers advantages on protocol level as it is UDP and not TCP based (much more overhead with TCP!).

SSL is essential, IPSec is a threat:

No one can afford to block SSL on their network without basically admitting to not having a network at all. It’s very expensive to proxy by decrypting and re-encrypting, so few companies do it. On the other hand, many networks view with suspicion the goal of establishing an encrypted connection out of their network, so blocking IPSec may sound like a good idea

SSL is encrypted as well, so where is the advantage if you do not want to introduce those “very expensive to proxy by decrypting and re-encrypting” servers? This message is very contradictory. However, a VPN client must be able to provide a solution for those blocking networks and then switch to SSL based tunneling. In non-blocking networks IPsec is to be preferred as far less bandwidth consuming.

Comments
  1. […] public links >> ipsec SSL versus IPsec: some considerations Saved by ghritter on Mon 06-10-2008 The joys of inter-vendor IPsec VPN deployments Saved by […]

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s