I came across the post below earlier today, and wanted to open a conversation to discuss in more detail the security and vulnerabilities of SSL vs. IPsec VPN.
Why is SSL VPN more vulnerable to attack?
What about IPsec causes it to be more robust?
Do any of the reasons above cause you to lean one way vs another?
If SSL VPN is really that much more prone to issues, why do I see many larger/major companies using it for user/client access to their sites?
The SSLVPN has a lot of custom features not possible in the IPsec vpn. The more code, the greater chance for bugs. It’s a design decision to use the features the SSLVPN provides. Those features seem to be very useful, so the SSLVPN is popular.
SSL is typically on a more popular port (443) and is pretty well known to hackers, making it an easy and popular attack vector.
IPsec typically has several different proposals on both phase 1 and phase 2, and the proposals can be customized per phase. IPsec still operates on a fairly well known port, but not as popular as 443 these days.
All that being said, there are many ways to secure SSL VPN that will still allow me to recommend and use it as a popular method of remote access (client) RA VPN.
This really depends on the design. SSL is typically used for RA VPN and is much easier for everyday users to understand. They literally connect and log in; no proposals (apparent to them) have to be configured on the client side, and their traffic is still encrypted. IPsec, not sure if you remember, used to be used for RA VPN; however, the VPN clients on the user machine typically had to be configured by a network guy (there aren't many of us compared to everyday users), or some sort of configuration file had to be shared with the user in order for them to connect and log in for their traffic to be encrypted. These days IPsec is typically used for site-to-site VPNs, as typically network guys will have to touch these devices anyway.
- SSLVPN is generally easier for admins to set up and maintain. One of the biggest benefits is there is generally zero client setup that needs to be done like there is/was with IPSEC clients. People can install the client, put in the URL, and log in.
- SSLVPN uses the same ports as regular web traffic, so it’s unlikely to be blocked in hotels and other public networks. It’s just going to work in more places.
- Debatable if it's more vulnerable to attack, but you're running a public web server that you need to make sure you're staying on top of updates for. It doesn't matter the vendor; all of them have had web server and/or authentication vulnerabilities. An org could just as easily throw up some IPSEC setup that's using completely old/broken encryption because it's more complicated and they probably don't fully understand it all.
I think IPsec has fewer vulnerabilities found as it has fewer features, but as long as you keep your code up to date on your firewalls you should be fine using SSLVPN. We use SSL VPN just because we do business with a lot of schools, and they usually block IPsec ports outbound, so VPN will not work.
I prefer IPsec as it is simple and faster, but either is a good option.
SSL VPN is more vulnerable in a *general* sense. It doesn’t mean that every SSL VPN implementation is less robust than every IPSec VPN implementation.
In my experience, the differences are negligible when leveraging a vendor like Fortinet that provides both.
SSL VPN is much easier to configure, and (most importantly) is easier to connect to when people are in hotels and random places that might have restrictive network policies. This is probably the biggest selling point.
SSL VPN is also more flexible, and if you are using a lot of web based apps, and don’t need to give your users full tunneling capabilities, then SSL VPN is easier to support.
If you are supporting 5 or 6 people, then either option is fine. More than that, and the ease of SSL VPN facilitates more connections.
If SSL VPNs were truly insecure, then it would be easier to push back on their usage, but that’s not the case.
Thanks for the feedback. Let's say you set both up (SSL and IPsec) as per best practice (MFA, certs when available, encryption standards, whitelisted firewall rules); is there a place where there are documented leaks and hacks that lean one way vs. another?
I know why SSL VPN is popular. I am trying to talk about the reasons why your deployment is one vs the other, and what factors weighed in that decision.
Yes, and currently, that will always be the case because of the differences between how SSL and IPSec work on not only the OSI layer differences, but also because of how the packets are transferred/how the hardware handles the traffic.
This is very true. I don't know if you looked at the phase 1/2 setups for the native Windows client wizard. 3DES-SHA1 and AES256-MD5 modes of encryption, no PFS. Makes you think twice sometimes.
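The weak proposals called out in the post above (3DES, MD5, SHA-1, no PFS on phase 2) are exactly the sort of thing an admin should lint for before trusting an IPsec setup. The script below is an added example, not code from the thread or from any vendor; it assumes a constructed proposal notation of the form "encryption-integrity[-dhgroup]" (e.g. "aes256-sha256-modp2048"), which is not any real product's syntax, and it audits a phase 1 / phase 2 configuration against a small list of known-weak algorithms.

```python
"""
Added example: audit IPsec phase 1 / phase 2 proposals for weak settings.

Proposal notation is a constructed convention for this script:
    "<encryption>-<integrity>[-<dhgroup>]"   e.g. "aes256-sha256-modp2048"
A missing DH group on a phase 2 proposal means no PFS.
AEAD suites (e.g. AES-GCM) are not modelled here; that is a simplification.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Algorithms the thread itself names as questionable, plus DES and small DH groups.
WEAK_ENCRYPTION = {"des", "3des"}
WEAK_INTEGRITY = {"md5", "sha1"}
# DH groups below modp2048 (group 14) are generally considered too small today.
WEAK_DH_GROUPS = {"modp768", "modp1024", "modp1536"}


@dataclass
class Finding:
    phase: str
    proposal: str
    issues: List[str] = field(default_factory=list)


def parse_proposal(proposal: str) -> Tuple[str, str, Optional[str]]:
    """Split "enc-integ[-dh]" into its parts, lower-cased."""
    parts = proposal.lower().split("-")
    if len(parts) < 2 or len(parts) > 3:
        raise ValueError(f"malformed proposal: {proposal!r}")
    enc, integ = parts[0], parts[1]
    dh = parts[2] if len(parts) == 3 else None
    return enc, integ, dh


def audit_proposal(phase: str, proposal: str) -> List[str]:
    """Return a list of human-readable issues for one proposal (empty if clean)."""
    enc, integ, dh = parse_proposal(proposal)
    issues = []
    if enc in WEAK_ENCRYPTION:
        issues.append(f"weak encryption {enc}")
    if integ in WEAK_INTEGRITY:
        issues.append(f"weak integrity {integ}")
    if dh is None:
        # Phase 1 always needs a DH exchange; phase 2 without one has no PFS.
        if phase == "phase1":
            issues.append("no DH group")
        else:
            issues.append("no PFS (no DH group in phase 2)")
    elif dh in WEAK_DH_GROUPS:
        issues.append(f"weak DH group {dh}")
    return issues


def audit_config(config: Dict[str, List[str]]) -> List[Finding]:
    """Audit every proposal in a {"phase1": [...], "phase2": [...]} mapping."""
    findings = []
    for phase, proposals in config.items():
        for proposal in proposals:
            issues = audit_proposal(phase, proposal)
            if issues:
                findings.append(Finding(phase, proposal, issues))
    return findings


# Constructed sample configs: the weak defaults described in the post, and a hardened set.
WIZARD_STYLE_DEFAULTS = {
    "phase1": ["3des-sha1-modp1024", "aes256-md5-modp1024"],
    "phase2": ["aes256-md5"],  # no DH group: no PFS
}
HARDENED = {
    "phase1": ["aes256-sha256-modp2048"],
    "phase2": ["aes256-sha256-modp2048"],
}

if __name__ == "__main__":
    for name, cfg in (("wizard-style defaults", WIZARD_STYLE_DEFAULTS), ("hardened", HARDENED)):
        print(f"== {name} ==")
        for f in audit_config(cfg) or []:
            print(f"  {f.phase} {f.proposal}: {', '.join(f.issues)}")
        if not audit_config(cfg):
            print("  no issues")
```

Running it prints three findings for the wizard-style set (weak cipher, weak hash, small DH group, and no PFS on phase 2) and none for the hardened set. The lists of weak algorithms are deliberately short; extend them to match whatever your organisation's encryption standard actually mandates.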
Not that I'm aware. Security-wise I don't think that one is better over the other. I would say that's more of a design preference. IPsec is definitely more administrative overhead than SSL, but I wouldn't say that makes it "better". In fact, I think a lot of the newer security integrations are going into SSL VPN. At the end of the day both accomplish the same task. There are CVEs that you can keep up with; those are documented vulnerabilities, and they are normally specific per vendor.