4. The Problem

"The wire protocol guys don't worry about security because that's really a network protocol problem. The network protocol guys don't worry about it because, really, it's an application problem. The application guys don't worry about it because, after all, they can just use the IP address and trust the network." (Marcus Ranum, inventor of the first commercial firewall!)
Authentication: the verification of the identity of a person or process.
Authorization: the process of granting or denying access to a network resource.
Non-repudiation: proves that communications took place, so that the sender (or receiver) cannot deny having sent (or received) the information.
Confidentiality: the property that data or information is not made available or disclosed to unauthorized persons or processes.
Integrity: the property that data or information has not been altered or destroyed in an unauthorized manner.
SSL philosophy: it is easier to deploy something if you don't have to change the operating system; modifying an application to work on top of SSL requires minimal changes.
IPsec philosophy: implementing security within the operating system automatically protects all applications, without the applications having to be modified.
Basic protocols
Handshake protocol: uses public-key cryptography to establish a shared secret key between the client and the server.
Record protocol: uses the secret key established by the handshake protocol to protect communication between the client and the server.
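The two-protocol split above, written out as an added example in Go (this is not code from the original slides and not an implementation of SSL/TLS itself): the handshake half uses X25519 Diffie-Hellman from crypto/ecdh to agree on a shared secret and derives one AES-GCM key per direction from it; the record half encrypts each record under those keys, using the record counter as nonce and associated data so that a replayed or reordered record is rejected. The salt string and key labels are constructed for the example; a real TLS handshake also binds the transcript and the server's certificate signature into the key derivation, which is omitted here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Party is one end of the connection: an ephemeral X25519 key for the handshake,
// then one AEAD per direction plus the record counters the record protocol uses.
type Party struct {
	priv             *ecdh.PrivateKey
	send, recv       cipher.AEAD
	sendSeq, recvSeq uint64
}

func NewParty() (*Party, error) {
	priv, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Party{priv: priv}, nil
}

// deriveAEAD is HKDF (RFC 5869) cut down to one 32-byte AES-GCM key: Extract the
// shared secret under a fixed, constructed salt, then Expand with a per-direction
// label. TLS also binds the transcript and the server's signature in this step.
func deriveAEAD(shared []byte, label string) cipher.AEAD {
	extract := hmac.New(sha256.New, []byte("example-handshake-salt"))
	extract.Write(shared)
	expand := hmac.New(sha256.New, extract.Sum(nil))
	expand.Write([]byte(label))
	expand.Write([]byte{1}) // T(1): one HMAC-SHA256 block is already 32 bytes
	block, _ := aes.NewCipher(expand.Sum(nil)) // 32-byte key: cannot fail
	aead, _ := cipher.NewGCM(block)
	return aead
}

// Finish completes the handshake with the peer's public value (on the wire this
// is peerPub.Bytes()). The client writes under the "client" key and reads under
// the "server" key, the server the reverse, so both ends hold the same two keys.
func (p *Party) Finish(peerPub *ecdh.PublicKey, isClient bool) error {
	shared, err := p.priv.ECDH(peerPub)
	if err != nil {
		return err
	}
	c2s, s2c := deriveAEAD(shared, "client write key"), deriveAEAD(shared, "server write key")
	if isClient {
		p.send, p.recv = c2s, s2c
	} else {
		p.send, p.recv = s2c, c2s
	}
	return nil
}

// nonce maps the record counter to the 96-bit GCM nonce; the same bytes are also
// authenticated as associated data, so a replayed or reordered record fails to open.
func nonce(seq uint64) []byte {
	n := make([]byte, 12)
	binary.BigEndian.PutUint64(n[4:], seq)
	return n
}

// Seal is the record protocol's protect step; Open is its verify-then-decrypt step.
func (p *Party) Seal(plaintext []byte) []byte {
	n := nonce(p.sendSeq)
	p.sendSeq++
	return p.send.Seal(nil, n, plaintext, n)
}

func (p *Party) Open(record []byte) ([]byte, error) {
	n := nonce(p.recvSeq)
	pt, err := p.recv.Open(nil, n, record, n)
	if err != nil {
		return nil, errors.New("record rejected: tampered, replayed or out of order")
	}
	p.recvSeq++
	return pt, nil
}

// RunExchange runs the handshake, sends one record client->server and reports the
// recovered text plus whether a replay of that same record was rejected.
func RunExchange(msg string) (string, bool, error) {
	client, err1 := NewParty()
	server, err2 := NewParty()
	if err := errors.Join(err1, err2); err != nil {
		return "", false, err
	}
	if err := errors.Join(client.Finish(server.priv.PublicKey(), true),
		server.Finish(client.priv.PublicKey(), false)); err != nil {
		return "", false, err
	}
	rec := client.Seal([]byte(msg))
	got, err := server.Open(rec)
	if err != nil {
		return "", false, err
	}
	_, replayErr := server.Open(rec) // same bytes again: receive counter has moved on
	return string(got), replayErr != nil, nil
}

func main() { fmt.Println(RunExchange("hello over the record layer")) }
```

The point to take from the split is that nothing in the record protocol depends on how the keys were agreed: swapping the handshake for a certificate-authenticated one changes only Finish, while Seal and Open stay the same.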
Speaker: should mention some details of X.509 certificates.
SSL drills down better to specific applications and services. This is made possible because SSL VPNs reside on top of TCP/User Datagram Protocol (UDP) transports, allowing SSL VPNs to travel through network address translation (NAT) devices as well as stateful-inspection and proxy-based firewalls. It does not require complex or intrusive clients, i.e., installation of software on end-user computers, which means easier installation and maintenance and higher cost savings. For this reason, SSL VPNs are better for smaller budgets.
An SSL VPN is less secure because it enables transparent negotiation of encryption algorithms and key material, defaulting to smaller, weaker keys if a higher key-security level cannot be supported in client/server communications. Administrators can add support for non-Web-based applications, but this requires custom development, including extensive upgrades, patches, SSL gateways and other add-ons, which tend to be costly and difficult to implement.
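The negotiation concern above is something the client side can pin down instead of leaving to the peer. As an added example, not from the original slides, here is Go code using the standard crypto/tls package that audits a tls.Config for settings which let version or cipher selection drift to the weaker end, next to the hardened configuration a VPN client should ship with; the weak config is constructed for contrast, and the server name vpn-gateway.example is a placeholder.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// AuditTLSConfig returns one finding for each setting that would let the peer
// negotiate the connection down to a weaker protocol version, key exchange or
// cipher than the administrator intended. No findings means all three are pinned.
func AuditTLSConfig(cfg *tls.Config) []string {
	var findings []string
	if cfg.MinVersion < tls.VersionTLS12 { // zero (library default) counts as unpinned
		findings = append(findings, "MinVersion not pinned to TLS 1.2 or newer")
	}
	if cfg.MaxVersion != 0 && cfg.MaxVersion < tls.VersionTLS12 {
		findings = append(findings, "MaxVersion caps the connection below TLS 1.2")
	}
	if len(cfg.CipherSuites) == 0 {
		findings = append(findings, "CipherSuites not pinned: suite selection is left to library defaults")
	}
	insecure := map[uint16]string{}
	for _, s := range tls.InsecureCipherSuites() { // suites the library itself marks Insecure
		insecure[s.ID] = s.Name
	}
	for _, id := range cfg.CipherSuites {
		if name, ok := insecure[id]; ok {
			findings = append(findings, "insecure cipher suite enabled: "+name)
		}
	}
	if cfg.InsecureSkipVerify {
		findings = append(findings, "InsecureSkipVerify: the gateway certificate is not checked, so any endpoint can pose as the VPN server")
	}
	return findings
}

// HardenedClientConfig is what a VPN client should ship with: TLS 1.2 as the
// floor (TLS 1.3 ignores the suite list and is always AEAD), and for TLS 1.2
// only forward-secret ECDHE suites with AEAD ciphers.
func HardenedClientConfig(serverName string) *tls.Config {
	return &tls.Config{
		ServerName: serverName, // placeholder hostname in the caller
		MinVersion: tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,
		},
		CurvePreferences: []tls.CurveID{tls.X25519, tls.CurveP256},
	}
}

// WeakClientConfig is a constructed example of what "transparent negotiation"
// leaves you with when nothing is pinned: old versions, RC4, no server check.
func WeakClientConfig() *tls.Config {
	return &tls.Config{
		MinVersion:         tls.VersionTLS10,
		CipherSuites:       []uint16{tls.TLS_RSA_WITH_RC4_128_SHA, tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
		InsecureSkipVerify: true,
	}
}

func main() {
	for name, cfg := range map[string]*tls.Config{
		"weak":     WeakClientConfig(),
		"hardened": HardenedClientConfig("vpn-gateway.example"),
	} {
		findings := AuditTLSConfig(cfg)
		fmt.Printf("%s: %d finding(s)\n", name, len(findings))
		for _, f := range findings {
			fmt.Println("  -", f)
		}
	}
}
```

Run this against the configuration your VPN client or gateway actually loads; the interesting output is the non-empty list, since each line names a setting the peer could otherwise exploit to land the session on a weaker version or cipher.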
This can be accomplished by arranging the devices in a particular order, or by using an IPsec gateway that also performs NAT. For example, the gateway can perform NAT first and then IPsec for outbound packets. An IKE enhancement known as IPsec NAT-T (NAT traversal) allows IKE to negotiate the use of UDP encapsulation.
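What the UDP encapsulation negotiated by NAT-T looks like on the wire, as an added example in Go (not code from the original slides): once NAT-T is in use, IKE and ESP share UDP port 4500, and RFC 3948 tells them apart by a four-byte all-zero "Non-ESP Marker" in front of IKE messages (possible because ESP SPI 0 is reserved), with a single 0xFF byte serving as the NAT-keepalive. The parser below applies those rules, and the example goes one step beyond the paragraph by running the ESP sequence numbers through the RFC 4303 anti-replay window, which is the check a monitor would use to flag replayed packets. The datagrams are constructed samples.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

// Packet is the demultiplexed view of one UDP/4500 datagram.
type Packet struct {
	Kind     string // "NAT-keepalive", "IKE" or "ESP"
	SPI, Seq uint32 // ESP header fields
	SPIi     uint64 // IKE header: initiator SPI
}

// ParseUDP4500 applies the RFC 3948 rules: a lone 0xFF byte is a NAT-keepalive, four
// zero bytes (the Non-ESP Marker) prefix an IKE message, and anything else is ESP.
func ParseUDP4500(p []byte) (Packet, error) {
	switch {
	case len(p) == 1 && p[0] == 0xFF:
		return Packet{Kind: "NAT-keepalive"}, nil
	case len(p) >= 4 && binary.BigEndian.Uint32(p) == 0:
		ike := p[4:] // IKEv2 header is 28 bytes; its Length field counts the whole message
		if len(ike) < 28 || int(binary.BigEndian.Uint32(ike[24:])) != len(ike) {
			return Packet{}, fmt.Errorf("IKE header truncated or length mismatch (%d bytes)", len(ike))
		}
		return Packet{Kind: "IKE", SPIi: binary.BigEndian.Uint64(ike)}, nil
	case len(p) >= 8:
		return Packet{Kind: "ESP", SPI: binary.BigEndian.Uint32(p), Seq: binary.BigEndian.Uint32(p[4:])}, nil
	}
	return Packet{}, fmt.Errorf("datagram too short (%d bytes)", len(p))
}

// ReplayWindow is the ESP anti-replay check of RFC 4303 section 3.4.3 with a
// 64-packet window: bit i of bitmap marks sequence number last-i as already seen.
type ReplayWindow struct {
	last   uint32
	bitmap uint64
}

// Check reports whether seq is fresh and, if so, records it.
func (w *ReplayWindow) Check(seq uint32) bool {
	if seq > w.last {
		if shift := seq - w.last; shift < 64 {
			w.bitmap <<= shift
		} else {
			w.bitmap = 0 // the whole old window has aged out
		}
		w.bitmap |= 1
		w.last = seq
		return true
	}
	diff := w.last - seq
	if diff >= 64 || w.bitmap&(1<<diff) != 0 {
		return false // older than the window, or already seen
	}
	w.bitmap |= 1 << diff
	return true
}

// TagDatagrams produces one log tag per datagram, keeping one replay window per ESP SPI.
func TagDatagrams(datagrams [][]byte) []string {
	windows := map[uint32]*ReplayWindow{}
	var tags []string
	for _, d := range datagrams {
		pkt, err := ParseUDP4500(d)
		switch {
		case err != nil:
			tags = append(tags, "malformed: "+err.Error())
		case pkt.Kind != "ESP":
			tags = append(tags, pkt.Kind)
		default:
			if windows[pkt.SPI] == nil {
				windows[pkt.SPI] = &ReplayWindow{}
			}
			verdict := "ok"
			if !windows[pkt.SPI].Check(pkt.Seq) {
				verdict = "REPLAY"
			}
			tags = append(tags, fmt.Sprintf("ESP spi=%#x seq=%d %s", pkt.SPI, pkt.Seq, verdict))
		}
	}
	return tags
}

// Constructed IKE_SA_INIT request: 4-byte Non-ESP Marker, then a 28-byte IKEv2 header
// (initiator SPI 01..08, responder SPI 0, next payload 33 = SA, version 2.0, exchange
// type 34, flags 0x08 = Initiator, message ID 0, length 28 = header only).
var ikeSAInit = []byte{0, 0, 0, 0,
	1, 2, 3, 4, 5, 6, 7, 8, 0, 0, 0, 0, 0, 0, 0, 0,
	33, 0x20, 34, 0x08, 0, 0, 0, 0, 0, 0, 0, 28}

// Samples are constructed UDP payloads: keepalive, IKE, two ESP packets, then a replay.
var Samples = [][]byte{
	{0xFF},
	ikeSAInit,
	{0x12, 0x34, 0x56, 0x78, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef},
	{0x12, 0x34, 0x56, 0x78, 0, 0, 0, 2, 0xca, 0xfe, 0xf0, 0x0d},
	{0x12, 0x34, 0x56, 0x78, 0, 0, 0, 2, 0xca, 0xfe, 0xf0, 0x0d},
}

func main() {
	for _, tag := range TagDatagrams(Samples) {
		fmt.Println(tag)
	}
}
```

Feeding this the UDP payloads from a capture on port 4500 gives a per-SPI view of the tunnel that a NAT in the path would otherwise hide, and the REPLAY tags are the ones worth alerting on.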
Choosing between an IPsec and an SSL VPN is not a matter of one being better than the other, as each has myriad benefits and drawbacks depending on an organization's needs. A careful evaluation, based on the factors mentioned previously, is a necessity for any organization looking to bolster secure remote connectivity through the use of a VPN.
The graph above is taken from the benchmarking results we performed. Two machines running FC3 were chosen; both systems were running applications at random, and network traffic was also moderate. SSL was configured with server authentication only. IPsec was configured with IKE and certificates. Both sets of values were taken individually.
Rarely is anything black or white. Life and logic are filled with shades of gray, trade-offs and compromises, advantages with constraints, and richness counterbalanced with cost. This immutable reality touches virtually every choice and issue in life. A secure solution is no exception.
Choosing between IPsec and SSL is not a matter of one being better than the other, as each has myriad benefits and drawbacks depending on an organization's needs.