[BNM] VPN vs SSL security
Alan Braddish
alan at webspoke.co.uk
Fri May 19 16:32:23 BST 2006
Dave,
Thanks for your detailed reply. I do understand it's not a simple matter.
The data would be highly sensitive, so the maximum level of security whilst
in transmission over the internet would be required. That's why I thought
implementing a VPN solution would be best as opposed to having a "public"
website that could easily be attacked. If using a VPN, it would be IPSec,
sorry I wasn't clearer earlier.
Thanks.
Alan
-----Original Message-----
From: Dave Phelan [mailto:dave.phelan at gmail.com]
Sent: 19 May 2006 16:23
To: Brighton New Media
Subject: Re: [BNM] VPN vs SSL security
On 5/19/06, Alan Braddish <alan at webspoke.co.uk> wrote:
> Does anyone have any insights as to which is more secure:
Define 'secure'
No. seriously - are you sending multimillion quid transactions over
this, is it stock-trading, or personal info about kids, or credit card
details, or details of your terrorist cell, or micropayments? All have
different requirements to be 'secure'.
> An intranet web site accessed via a Windows-style VPN, or a public web site
> accessible across SSL (password-protected)?
Windows VPN? Do you mean IPsec, or are you talking about PPTP? IPsec
is generally well-implemented and provides a reasonable level of
security for most business needs when used with triple DES (3DES) or
AES encryption.
PPTP has a huge man-in-the-middle flaw in it, related to the LANMAN hashes:
http://www.schneier.com/pptp-faq.html
> Obviously the VPN is better for general security, but I was more concerned
> about the differences in encryption methods/strengths between the 2
> techniques. Is there a huge difference?
That depends.
SSL typically uses RC4 cyphers, but is specified for all sorts of cypher:
http://docs.sun.com/source/816-6156-10/contents.htm#1046261
IPsec can be used to encrypt the packet payload, or to merely
authenticate the sender. You probably want encryption (ESP:
http://en.wikipedia.org/wiki/Ipsec#Encapsulated_Security_Payload_.28ESP.29)
which realistically means 3DES or AES.
> Any advice?
How much would the loss/corruption/dissemination of your data cost
you? That should inform how much you spend on securing it (either in
effort, money, or some reasonable combination of the two).
Sorry, there shouldn't be a simple answer to this.
Dave Ph
--
Dave Phelan CCIE#3590 ICQ: 50180416 GSM: +44 (0)7776 168561
dave.phelan at gmail.com http://www.davephelan.org
"I think rock 'n' roll and science fiction were in a
very real sense all the culture I had." -- William Gibson.
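Dave's remark that SSL "is specified for all sorts of cypher" is the practical crux of the SSL side of the comparison: the strength of the SSL/TLS option is whatever the server is configured to negotiate, and a server left on RC4 or 3DES (the common choices when this thread was written) gets none of the benefit of the newer suites. The script below is an added example, not part of this thread and not code from either poster. It classifies OpenSSL-style cipher-suite names as weak or acceptable, flagging the RC4 and 3DES suites the thread mentions along with NULL, export-grade, MD5 and anonymous suites, and builds a TLS server context restricted to TLS 1.2+ and forward-secret AEAD suites, then checks that nothing it would offer fails the classifier. The sample suite list and the OpenSSL cipher string are assumptions for illustration.

```python
"""Audit the cipher suites a TLS endpoint is willing to negotiate.

Added example: not from the mailing-list thread. The sample suite names and the
OpenSSL cipher string below are assumptions for illustration.
"""
import ssl
from typing import List, Tuple

# Name fragments (OpenSSL cipher-suite naming) that mark a suite as weak.
# RC4 and 3DES were the usual choices in 2006; both are deprecated today, as are
# NULL (no encryption), export-grade, MD5-based and anonymous (ADH/AECDH) suites.
WEAK_MARKERS = ("RC4", "3DES", "DES-CBC", "NULL", "EXP", "MD5", "ADH", "AECDH")


def is_weak_cipher(name: str) -> bool:
    """True if the suite name contains a weak or unauthenticated primitive."""
    upper = name.upper()
    return any(marker in upper for marker in WEAK_MARKERS)


def audit_suites(names: List[str]) -> Tuple[List[str], List[str]]:
    """Split suite names into (acceptable, weak), preserving order."""
    acceptable = [n for n in names if not is_weak_cipher(n)]
    weak = [n for n in names if is_weak_cipher(n)]
    return acceptable, weak


def hardened_context() -> ssl.SSLContext:
    """Server-side TLS context limited to TLS 1.2+ and forward-secret AEAD suites.

    The cipher string is an assumption; widen it only for clients you must
    support. TLS 1.3 suites are controlled separately by OpenSSL and are all AEAD,
    so they pass the weak-marker check as well.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!RC4:!3DES:!MD5:!EXPORT"
    )
    return ctx


def offered_weak_suites(ctx: ssl.SSLContext) -> List[str]:
    """Suites the context would actually offer that fail is_weak_cipher()."""
    return [c["name"] for c in ctx.get_ciphers() if is_weak_cipher(c["name"])]


# Constructed sample: a mid-2000s style server cipher list, not a real capture.
# AES128-SHA is CBC without forward secrecy; the classifier does not flag it,
# but the hardened context above excludes it anyway.
SAMPLE_SERVER_SUITES = [
    "RC4-SHA",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "AES128-SHA",
    "ECDHE-RSA-AES256-GCM-SHA384",
]


if __name__ == "__main__":
    acceptable, weak = audit_suites(SAMPLE_SERVER_SUITES)
    print("sample list - acceptable:", acceptable)
    print("sample list - weak:      ", weak)
    ctx = hardened_context()
    print("hardened context offers", len(ctx.get_ciphers()), "suites;",
          "weak:", offered_weak_suites(ctx) or "none")
```

Run as a script it prints the partition of the sample list and confirms the hardened context offers no flagged suite. Note that a current OpenSSL build usually has RC4 and export suites compiled out entirely, so even the default `ssl.create_default_context()` may report nothing weak; the check is still worth keeping in a deployment test because the cipher string, not the library, is what an operator edits.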