Solved

VPN  and  SSL performance

Posted on 2008-10-02
443 Views
Last Modified: 2010-04-12
I have 3 options to allow users to access my web server:

1. VPN IPSec + http
2. Get an SSL server for IIS and users access it using https
3. VPN SSL

Which one has the best performance?  Any links for reference?

Question by:Torus
10 Comments
 
LVL 14

Expert Comment

by:Roachy1979
ID: 22624213
A slightly ambiguous question, but I'll do my best to answer generally....

From a security perspective, you would undoubtedly get better results out of a VPN protecting the webserver, as there is no "external" access to the server.  If you make the server visible to the outside world, there will always be *some* element of risk.....be that through script vulnerabilities or through issues with the server.  If the server can be seen from the outside world then potentially it's vulnerable.

IPSEC VPNs and SSL VPNs have their own merits though.....

see - http://netsecurity.about.com/cs/generalsecurity/a/aa111703.htm

 
LVL 2

Author Comment

by:Torus
ID: 22624280
I understand that. But for now, forget about the vulnerabilities.  I just want to know which option gives better performance for users accessing the web server.

Actually, in option 2 the web server is placed inside the firewall and only port 443 is opened.  The other is just to use a VPN to allow users to connect to the intranet and then use plain http..


Thanks

 
LVL 2

Author Comment

by:Torus
ID: 22624302
That means I just want to know the performance, putting aside the technology or pros and cons.
 
LVL 76

Expert Comment

by:arnold
ID: 22625389
Here is a question that will answer yours.  Do you need to individually grant users access to the web site?
I.e. VPN requires an installation of a client or configuration of IPSEC prior to access.  The issue you could run into is if the LOCAL LAN for the user is the same as or overlaps your LAN.

https access to a web site is fastest. I.e. you tell the user the url and they can access it within seconds.

Setting up every user with a VPN for the sole purpose of accessing a web site opens up your intranet way more than making the secure web server externally accessible.
 
LVL 14

Expert Comment

by:Roachy1979
ID: 22625621
Ok....it largely depends on the encryption algorithm used and strength of encryption on the VPN you anticipate using...

There are quite a few factors to look at in terms of performance.  SSL will have a higher web server processor load, but is overall faster at encryption, although if a lot of bandwidth is likely to be used, IPSEC supports compression.

Basically, assuming system resources and bandwidth are not a limiting factor, SSL would be faster for small sessions but IPSEC would be faster for long continuous sessions.
 
LVL 4

Expert Comment

by:urgoll
ID: 22625987
Roachy1979, I need to disagree here: HTTPS and IPSec+HTTP are equivalent, given your assumptions (no resource or bandwidth limitations). After the initial connection (IPSec VPN establishment, or SSL handshake), most of the performance load comes from the encryption algorithm. Both SSL and IPSec use the same ones (3DES, AES, etc), so there is no performance gain in using one over the other.

Regarding compression: IIS can do on-the-fly HTTP compression, which will be more efficient than IPSec compression, as IPSec does it per-packet, while IIS will do whole-stream compression, and thus gets to build a better compression dictionary.

Since the assumption of 'resources are not a limiting factor' rarely holds, the use of a VPN appliance on the server side has the benefit of offloading the encryption to a separate device.

However, your traffic will be in the clear between the VPN appliance and your IIS server. Depending on your security requirements, this may not be an option.

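The per-packet vs. whole-stream compression point above can be measured directly. The following is an added example, not code from the thread or from IIS: it uses Python's zlib to simulate whole-stream compression of a constructed HTML report against compressing the same bytes one packet at a time, so each packet starts with an empty history window and carries its own headers and Huffman tables. The 1400-byte packet payload is an assumed, typical Ethernet-MTU figure.

```python
import zlib

# Assumed HTTP payload bytes per IP packet (typical Ethernet MTU minus headers).
MTU_PAYLOAD = 1400


def build_sample_response(rows: int = 2000) -> bytes:
    """Constructed sample: an IIS-style HTML report with a long, repetitive table."""
    head = (b"<html><head><title>Order status report</title>"
            b"<style>.row{font-family:Arial;font-size:10pt}</style></head><body><table>")
    statuses = [b"shipped", b"pending", b"backorder"]
    body = b"".join(
        b'<tr class="row"><td>ORD-%06d</td><td>customer%04d@example.com</td>'
        b"<td>%s</td><td>%d.%02d</td></tr>"
        % (i, i % 371, statuses[i % 3], (i * 37) % 900, i % 100)
        for i in range(rows)
    )
    return head + body + b"</table></body></html>"


def compress_whole_stream(data: bytes) -> int:
    """Whole-stream model (HTTP compression in IIS): one deflate context over the full response,
    so later rows can reference earlier rows within the 32 KB window."""
    return len(zlib.compress(data, 6))


def compress_per_packet(data: bytes, payload: int = MTU_PAYLOAD) -> int:
    """Per-packet model (IPComp-style): every packet is compressed independently, so the
    compressor cannot reference data in previous packets and repeats its fixed overhead."""
    total = 0
    for off in range(0, len(data), payload):
        total += len(zlib.compress(data[off:off + payload], 6))
    return total


def compare(rows: int = 2000) -> dict:
    """Return original size and both compressed sizes for the constructed response."""
    data = build_sample_response(rows)
    whole = compress_whole_stream(data)
    per_pkt = compress_per_packet(data)
    return {"original": len(data), "whole_stream": whole, "per_packet": per_pkt,
            "per_packet_overhead_pct": round(100.0 * (per_pkt - whole) / whole, 1)}


if __name__ == "__main__":
    print(compare())
```

The percentages you get depend on the content; the point the numbers illustrate is that the per-packet total is always paying for a cold dictionary and repeated headers on every packet.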
 
LVL 2

Author Comment

by:Torus
ID: 22631357
Is there any document or research article discussing this issue, i.e. HTTPS vs. IPSec + HTTP, if security or resource issues are not the main factor?
 
LVL 76

Expert Comment

by:arnold
ID: 22631541
VPN +http is usually done when an external user needs access to an Intranet resource in this case a web site.
Similarly with the VPN SSL.
Any consideration for a VPN deals with an internal resource to which an external user needs access.  However, if you have 10,000 users that need access to the resource, it would be advisable to evaluate the content and set up an externally accessible secure site via https.

The resources that would come into play are how you plan on administering/managing the access of 10,000 users if you go the VPN route (ipsec + http or VPN ssl).
You would definitely not go with all users having the same IPSEC/VPN policy, since to distinguish among the users you would likely implement XAuth (secondary authentication, which will prompt the user upon the establishment of the VPN tunnel for a set of credentials).  To handle the large number of users, if it is 10,000, you would likely need to set up a Radius server or use IAS with an AD tie-in where you will manage these users.

The https route, once you give an individual the URL, they can access the site within seconds.  Whether an individual has access rights to specific sections of the site can be managed through the design of the site.

Returning to the question of which is better, it all depends on the nature of the http site, intranet or not.
 
LVL 2

Author Comment

by:Torus
ID: 22633285
The system can be considered to be placed inside or outside the DMZ.  It is estimated that 500 users will use the system simultaneously.
 
LVL 76

Accepted Solution

by:
arnold earned 125 total points
ID: 22635307
If the consideration is how to permit 500 users access to an internal web-based application, this is where the resources involved in setting up a new application accessible via https and granting 500 users VPN access into the LAN so that they can use the internal application are somewhat balanced.

The IPSEC/VPN question is: will the VPN device handle 500 simultaneous VPN tunnels? What would be the cost of hardware that would be able to handle 500, if not more, if you also use the device to grant employees VPN access?

IMHO, if you do not need these 500 users to have any other access to internal systems/applications, https will be more efficient in both performance and in resources.  With https you will also have a single, central location to manage access of users to the resources of the web site.  In the IPSEC/VPN case you have two: the ipsec/vpn credentials and the web site credentials. I.e. if you want to revoke a user's creds, they need to be removed first and foremost from the ipsec/vpn.  I am willing to state that the web site creds would have many "inactive" user credentials hanging around.  This will happen because those credentials are useless if the user is no longer able to vpn via ipsec or ssl.  There will be a time when a question of how many users are using the system and the difference in the count between the ipsec/vpn and the web credentials will force an audit, which might arise at a most inconvenient time.

Placing the internet-facing system in the DMZ is a good precaution to limit the exposure of the LAN should the system be compromised.
