[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Fw: IPSec vs. SSL

If you look at the wording "In addition" then SSL V3 could be a better
solution or even TLS rather than both SSL and IPSec. Encryption of
encrypted packets is not a good look. I agree that with SSL and tools such
as Dsniff the man in the middle is an issue. IPSec will fix this problem,
but then you start limiting the scalability of implementation.

Look at a server that needs to be accessible from 100 points accross an
open IP community. If you must run IPSec then you must run 100 Tunnels from
100 end points. This gets worse the more open that you want the secure
network, say all 100 need to talk securely to all of the connections, it
become n*n-1 tunnels and surely this is un-manageable from a business

SSL encrypts as it goes and at the application level or TLS at the
Transport level, hence there are no scalability issues here. (It is all a
Risk vs Business benefit statement.) Sure if the data MUST not be
accessible and it is highly confidential then IPSec maybe a good option,
but then why use SSL on top of that.

The other pitfall with IPSec that needs to be considered is the structure
of your environment and the addressing used internally. IPSec does not work
with NAT, however there are ways around this, but your security then does
not become end to end like SSL or TLS.

From: "Venkat RK Reddy" <vpothams@cisco.com>@lists.tislabs.com on
      18/12/2000 16:19 PST

Sent by:  owner-ipsec@lists.tislabs.com

To:   <ipsec@lists.tislabs.com>
Subject:  Fw: IPSec vs. SSL

IPSec's advantage over SSL: It has more  flexibility on choosing the
authentication mechanisms (like the PreSharedKey),  and therefore makes it
difficult for the attacker to do man in the middle.   SSL is based only on
public key and with tools (like dsniff2.3), its possible to  do man in the
middle breaking SSL.

SSL's advantage over IPSec: In SSL, the client and  the server exchage *
hash * over the "initial handshake" and therefore is  difficult for an
attacker to control (change the proposals that the client  has sent so that
the server chooses the proposals that attacker sends or  whatever) the main
mode "initial" handshake.

More discussion on this would be enlightening and  appreciated.

----- Original Message -----
From:  Tim Lee
To: ipsec@lists.tislabs.com
Sent: Saturday, December 16, 2000 5:30  PM
Subject: Re: IPSec vs. SSL

Are there any situations where it is useful to  have IPSec in addition to