
Re: SSL v IPSEC for management?



Steven Lee said:
> There are some trade-offs in using the SSL; however, one of the top
> issue would be that a client cannot authenticate the server.  Therefore,
> a server could be someone pretending to be a trusted party and there is no
> way for the client to authenticate this information.

What?  That's not true at all; it's just as possible for an SSL client to
verify the server's certificate information as it is for a client of any
other public-key based security protocol.  Regarding the other discussion,
in SSL (and HTTPS, which is HTTP inside SSL/TLS) authentication of the client
to the server is generally available as an optional service, while
authentication of the server to the client is generally mandatory.

Re the original poster, no, SSL is not known to be vulnerable to replay
attacks.  Which one is more suited to your purpose is hard to say from
the information you give; SSL is at a higher level, can easily be entirely
contained within an application instead of requiring network stack issues,
can't protect UDP data, may be more vulnerable to denial-of-service attacks,
is probably more vulnerable to traffic analysis, etc. relative to IPSEC.
You'll have to decide which of these things are important to you.

I don't understand how SSL per se is vulnerable to things like relay
attacks or address-spoofing attacks, although a poorly designed application
that used SSL could have such weaknesses.

- Marc

-- 
Marc VanHeyningen                 marcvh@aventail.com
Internet Security Architect
Aventail                          http://www.aventail.com/
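The point Marc makes above (the SSL/TLS client verifies the server's certificate, and that verification is mandatory, while authentication of the client to the server is an optional extra the server can demand) can be shown directly with a modern TLS library. The following is an added example written for this page, not code from anyone in the thread: it uses Go's crypto/tls and crypto/x509 to run five handshakes over an in-memory pipe with throwaway self-signed certificates generated at run time. The host name `mgmt.example.test`, the client name `mgmt-client` and the scenario set are constructed for the example. Pinning the handshake to TLS 1.2 is an artifact of running both ends over a synchronous `net.Pipe`, not a recommendation.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverHost = "mgmt.example.test" // constructed name the server cert is issued for

// result holds each end's handshake error: the client judges the server's
// certificate; the server judges the client's only when told to demand one.
type result struct{ Client, Server error }

func must(err error) {
	if err != nil {
		panic(err) // key or certificate generation failing is an environment problem
	}
}

// selfSigned builds a throwaway certificate (constructed for this example only)
// valid for server and client authentication, with Leaf populated.
func selfSigned(name string) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IsCA:         true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// handshake runs one handshake over an in-memory pipe and returns both ends'
// errors; the deadline guarantees the example terminates.
func handshake(serverCfg, clientCfg *tls.Config) result {
	cliConn, srvConn := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	_, _ = cliConn.SetDeadline(deadline), srvConn.SetDeadline(deadline)
	// TLS 1.2 keeps both sides in lock-step over a synchronous pipe (a TLS 1.3
	// client returns from Handshake before the server has read its last flight).
	serverCfg.MaxVersion, clientCfg.MaxVersion = tls.VersionTLS12, tls.VersionTLS12
	serverDone := make(chan error, 1)
	go func() {
		err := tls.Server(srvConn, serverCfg).Handshake()
		srvConn.Close()
		serverDone <- err
	}()
	clientErr := tls.Client(cliConn, clientCfg).Handshake()
	cliConn.Close()
	return result{Client: clientErr, Server: <-serverDone}
}

// run performs one scenario with fresh certificates. trustServer pins the server
// cert as the client's only root (false: empty pool); expectName is the identity
// the client demands; requireClientCert and presentClientCert control client auth.
func run(trustServer bool, expectName string, requireClientCert, presentClientCert bool) result {
	serverCert, clientCert := selfSigned(serverHost), selfSigned("mgmt-client")
	roots := x509.NewCertPool()
	if trustServer {
		roots.AddCert(serverCert.Leaf)
	}
	// Server authentication is mandatory: verification stays on (no InsecureSkipVerify).
	clientCfg := &tls.Config{RootCAs: roots, ServerName: expectName}
	if presentClientCert {
		clientCfg.Certificates = []tls.Certificate{clientCert}
	}
	serverCfg := &tls.Config{Certificates: []tls.Certificate{serverCert}}
	if requireClientCert { // client authentication is the optional service
		serverCfg.ClientAuth = tls.RequireAndVerifyClientCert
		serverCfg.ClientCAs = x509.NewCertPool()
		serverCfg.ClientCAs.AddCert(clientCert.Leaf)
	}
	return handshake(serverCfg, clientCfg)
}

func main() {
	fmt.Printf("%-32s %+v\n", "client trusts server cert:", run(true, serverHost, false, false))
	fmt.Printf("%-32s %+v\n", "no trust root for server:", run(false, serverHost, false, false))
	fmt.Printf("%-32s %+v\n", "wrong hostname expected:", run(true, "other.example.test", false, false))
	fmt.Printf("%-32s %+v\n", "client cert required, none:", run(true, serverHost, true, false))
	fmt.Printf("%-32s %+v\n", "client cert required, offered:", run(true, serverHost, true, true))
}
```

The first three scenarios are the client authenticating the server: the handshake only completes when the client holds a trust root for the server certificate and the certificate is issued for the name the client expects; an empty root pool or a mismatched name makes the client abort before any application data flows. The last two scenarios are the optional direction: the server rejects a client with no certificate only because it was configured with `RequireAndVerifyClientCert`, and accepts one whose certificate chains to its `ClientCAs`. An application that set `InsecureSkipVerify` would be the "poorly designed application" Marc describes, not a weakness of the protocol itself.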
