Are there any reasons for using SSL over IPSec?

There are different layers of secure transport to consider here:

  • VPNs
    • SSL VPN (including tunnels)
    • IPSec VPN
  • SSL/TLS for individual services

IPSec vs SSL VPNs

Both SSL and IPSec VPNs are good options, both with considerable security pedigree, although they may suit different applications.

IPsec VPNs operate at layer 3 (network), and in a typical deployment give full access to the local network (although access can be locked down via firewalls and some VPN servers support ACLs). This solution is therefore better suited to situations where you want remote clients to behave as if they were locally attached to the network, and is particularly good for site-to-site VPNs. IPSec VPNs also tend to require specific software supplied by the vendor, which is harder to maintain on end-user devices, and restricts usage of the VPN to managed devices.

SSL VPNs are often cited as being the preferred choice for remote access. They operate on layers 5 and 6, and in a typical deployment grant access to specific services based on the user's role, the most convenient of which are browser-based applications. It is usually easier to configure an SSL VPN with more granular control over access permissions, which can provide a more secure environment for remote access in some cases. Furthermore, SSL/TLS is inherently supported by modern devices, and can usually be deployed without the need for specialist client-side software, or with lightweight browser-based clients otherwise. These lightweight clients can often also run local checks to ensure that connecting machines meet certain requirements before they are granted access - a feature that would be much harder to achieve with IPSec.

In both cases one can be configured to achieve similar things as the other - SSL VPNs can be used to simply create a tunnel with full network access, and IPSec VPNs can be locked down to specific services - however, it is widely agreed that they are better suited to the above scenarios.

However, for exactly these reasons, many organisations will use a combination of both; often an IPSec VPN for site-to-site connections and SSL for remote access.

There are a number of references on the subject of SSL vs IPSec (some of these are directly from vendors):

  • https://supportforums.cisco.com/document/113896/quick-overview-ipsec-and-ssl-vpn-technologies
  • http://netsecurity.about.com/cs/generalsecurity/a/aa111703.htm
  • http://www.sonicwall.com/downloads/EB_Why_Switch_from_IPSec_to_SSL_VPN.pdf
  • http://searchsecurity.techtarget.com/feature/Tunnel-vision-Choosing-a-VPN-SSL-VPN-vs-IPSec-VPN
  • http://www.networkworld.com/article/2287584/lan-wan/ipsec-vs--ssl-vpns.html

End-to-End Encryption

In some of the above cases, such as IPSec VPNs and SSL VPN tunnels, you may not be getting end-to-end encryption with the actual service you're using. This is where using an additional layer of SSL/TLS comes in handy.

Say you're remote and trying to connect to an internally hosted web application via an IPSec VPN. If you use the HTTP protocol via your browser, your traffic is encrypted whilst it is running through the VPN tunnel itself, but it is then decrypted when it hits the remote VPN endpoint, and travels over the internal network in cleartext. This might be acceptable in some use cases, but in the interest of defence in depth, we ideally want to know that our data cannot be intercepted anywhere between you and the actual service itself. By connecting to this application over HTTPS, you effectively have two layers of security: one between you and the VPN endpoint, and another travelling through that (between you and the web server itself).

Of course, this is not limited to HTTPS - you should equally employ other secure protocols like SSH, FTPS, SMTP with STARTTLS, etc.
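As an added illustration (not part of the original answer), here is a small Python audit of the "second layer" point above: it looks at the first bytes of TCP streams captured on the internal side of a VPN endpoint and flags the ones that are not carrying their own encryption (TLS or SSH), i.e. traffic that was protected only by the tunnel. The flow records and hostnames are constructed sample data.

```python
import re
from collections import namedtuple

# One captured TCP stream on the internal network, just past the VPN endpoint.
# first_bytes is the first chunk the client sent after the handshake.
Flow = namedtuple("Flow", "src dst port first_bytes")

def classify_stream(first_bytes: bytes) -> str:
    """Identify whether a stream carries its own encryption layer.

    TLS: record type 0x16 (handshake), major version 0x03, and the first
    handshake message type 0x01 (ClientHello) at offset 5.
    SSH: both peers open with an identification string "SSH-2.0-...".
    Cleartext HTTP: a request line such as "GET /path HTTP/1.1".
    """
    if (len(first_bytes) >= 6 and first_bytes[0] == 0x16
            and first_bytes[1] == 0x03 and first_bytes[5] == 0x01):
        return "tls"
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    if re.match(rb"^(GET|POST|PUT|DELETE|HEAD|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n",
                first_bytes):
        return "http-cleartext"
    return "unknown"

def audit_flows(flows):
    """Return (dst, port, label) for every stream that relies on the VPN
    tunnel alone, i.e. anything not recognised as TLS or SSH."""
    findings = []
    for f in flows:
        label = classify_stream(f.first_bytes)
        if label not in ("tls", "ssh"):
            findings.append((f.dst, f.port, label))
    return findings

# Constructed sample capture: three internal services reached through a VPN.
FLOWS = [
    Flow("10.8.0.12", "portal.internal", 443,
         b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 16),  # TLS ClientHello
    Flow("10.8.0.12", "app.internal", 80,
         b"GET /intranet/ HTTP/1.1\r\nHost: app.internal\r\n\r\n"),       # plain HTTP
    Flow("10.8.0.12", "bastion.internal", 22, b"SSH-2.0-OpenSSH_9.3\r\n"),  # SSH
    Flow("10.8.0.12", "db.internal", 5432, b"\x00\x00\x00\x08\x04\xd2\x16\x2f"),  # unknown
]

if __name__ == "__main__":
    for dst, port, label in audit_flows(FLOWS):
        print(f"{dst}:{port} is not end-to-end encrypted ({label})")
```

Run against a real capture, the same check shows which internal services still need HTTPS, SSH or STARTTLS behind the tunnel.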


Here's a good article from Cisco on IPSec and SSL. It includes strengths and weaknesses as well as an overview of each, and also implementing both of them together.


It depends. You may have a corporate VPN tunnel (that works on IPSec), but a layer above, the internal web server you are reaching over the VPN in the corporate network might be HTTPS (which is via SSL).

A while back I did a talk on this:

http://www.slideshare.net/sashankdvk/matrix-2768826

Tags: ipsec, tls