Solved

VPN and SSL performance

Posted on 2008-10-02
Last Modified: 2010-04-12
I have 3 options to allow users to access my web:

1. VPN IPSec + http
2. Get an SSL server for IIS and users access it using https
3. VPN SSL

Which one has the best performance?  Any links for reference?





0
Question by:Torus
10 Comments
 
LVL 14

Expert Comment

by:Roachy1979
ID: 22624213
A slightly ambiguous question, but I'll do my best to answer generally....

From a security perspective, you would undoubtedly get better results out of a VPN protecting the webserver, as there is no "external" access to the server.  If you make the server visible to the outside world, there will always be *some* element of risk.....be that through script vulnerabilities or through issues with the server.  If the server can be seen from the outside world then potentially it's vulnerable.

IPSEC VPNs and SSL VPNs have their own merits though.....

see - http://netsecurity.about.com/cs/generalsecurity/a/aa111703.htm

0
 
LVL 2

Author Comment

by:Torus
ID: 22624280
I understand that. But for now, forget about the vulnerabilities. I just want to know which option has better performance for users accessing the web server.

Actually, in option 2 the web server is put inside the firewall with just port 443 open. The other is just to use a VPN to allow users to connect to the intranet and then just use http.


Thanks

 



0
 
LVL 2

Author Comment

by:Torus
ID: 22624302
That means I just want to know the performance, putting aside the technology or pros and cons.
0
 
LVL 80

Expert Comment

by:arnold
ID: 22625389
Here is a question that will answer yours.  Do you need to individually grant users access to the web site?
I.e. VPN requires an installation of a client or configuration of IPSEC prior to access.  The issue you could run into is if the LOCAL LAN for the user is the same as or overlaps your LAN.

https access to a web site is fastest. I.e. you tell the user the url and they can access it within seconds.

Setting up every user with a VPN for the sole purpose of accessing a web site opens up your intranet way more than making the secure web server externally accessible.
0
 
LVL 14

Expert Comment

by:Roachy1979
ID: 22625621
Ok....it largely depends on the encryption algorithm used and strength of encryption on the VPN you anticipate using...

There are quite a few factors to look at in terms of performance.  SSL will have a higher web server processor load, but is overall faster at encryption, although if a lot of bandwidth is likely to be used, IPSEC supports compression.

Basically, assuming system resources and bandwidth are not a limiting factor, SSL would be faster for small sessions but IPSEC would be faster for long continuous sessions.
0
 
LVL 4

Expert Comment

by:urgoll
ID: 22625987
Roachy1979, I need to disagree here: HTTPS and IPSec+HTTP are equivalent, given your assumptions (no resource or bandwidth limitations). After the initial connection (IPSec VPN establishment, or SSL handshake), most of the performance load comes from the encryption algorithm. Both SSL and IPSec use the same ones (3DES, AES, etc), so there is no performance gain with using one over the other.

Regarding compression: IIS can do on-the-fly HTTP compression, which will be more efficient than that of the IPSec compression, as IPSec does it per-packet, while IIS will do whole-stream compression, and thus gets to build a better compression dictionary.

Since the assumption of 'resources are not a limiting factor' rarely holds, the use of a VPN appliance on the server side has the benefit of offloading the encryption to a separate device.

However, your traffic will be in the clear between the VPN appliance and your IIS server. Depending on your security requirements, this may not be an option.

0
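The per-packet versus whole-stream compression point in the comment above can be measured. This is an added example, not part of the original thread: it deflates a constructed HTML page once with a single context (the HTTP compression model) and once per chunk with no shared history (the stateless per-packet model, as in IPComp). The page content, the 1400-byte payload size and all function names are assumptions for illustration.

```python
import zlib

MTU_PAYLOAD = 1400  # assumed bytes of HTTP payload carried per IP packet


def make_page(rows=400):
    """Constructed sample: a repetitive HTML table, like an intranet report."""
    head = "<html><body><table class='report'>\n"
    body = "".join(
        f"<tr class='row'><td class='id'>{i}</td>"
        f"<td class='name'>user{i:04d}</td><td class='status'>active</td></tr>\n"
        for i in range(rows)
    )
    return (head + body + "</table></body></html>\n").encode()


def _raw_deflate(data):
    """Raw deflate (no zlib/gzip header) with a fresh context."""
    c = zlib.compressobj(6, zlib.DEFLATED, -15)
    return c.compress(data) + c.flush()


def whole_stream_size(data):
    """One deflate context for the entire response body."""
    return len(_raw_deflate(data))


def per_packet_size(data, payload=MTU_PAYLOAD):
    """Each packet compressed on its own; history is lost between packets."""
    total = 0
    for off in range(0, len(data), payload):
        chunk = data[off:off + payload]
        # A packet that does not shrink is sent uncompressed.
        total += min(len(_raw_deflate(chunk)), len(chunk))
    return total


def compare(data):
    return {
        "raw": len(data),
        "whole_stream": whole_stream_size(data),
        "per_packet": per_packet_size(data),
    }


if __name__ == "__main__":
    for name, size in compare(make_page()).items():
        print(f"{name:>12}: {size} bytes")
```

The gap between the two compressed sizes comes from every packet having to re-encode markup that the whole-stream compressor already holds in its window.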
 
LVL 2

Author Comment

by:Torus
ID: 22631357
Is there any document or research article that discusses this issue, i.e. HTTPS and IPSec + HTTP, if security or resource issues are not the main factor?
0
 
LVL 80

Expert Comment

by:arnold
ID: 22631541
VPN +http is usually done when an external user needs access to an Intranet resource in this case a web site.
Similarly with the VPN SSL.
Any consideration for a VPN deals with an internal resource to which an external user needs access.  However, if you have 10,000 users that need access to the resource, it would be advisable to evaluate the content and setup and set up an externally accessible secure site via https.

The resources that would come into play is how you plan on administering/managing the access of 10,000 users if you go the VPN route (ipsec +http or VPN ssl)?
You would definitely not go with all users having the same IPSEC/VPN policy since to distinguish among the users you would likely implement an Xauth (secondary authentication which will prompt the user upon the establishment of the VPN tunnel for a set of credentials).  To handle the large number of users if it is 10,000, you would likely need to set up a RADIUS server or use IAS with AD tie-in where you will manage these users.

The https route, once you give an individual the URL, they can access the site within seconds.  Whether an individual has access rights to specific sections of the site can be managed through the design of the site.

Returning to the question of which is better, it all depends on the nature of the http site intranet or not.

0
 
LVL 2

Author Comment

by:Torus
ID: 22633285
The system can be considered to be put inside or outside the DMZ.  It is estimated that 500 users will use the system simultaneously.
0
 
LVL 80

Accepted Solution

by:
arnold earned 375 total points
ID: 22635307
If the consideration is how to permit 500 users access to an internal web-based application, this is where the resources involved in setting up a new application accessible via https and granting 500 users VPN access into the LAN so that they can use the internal application are somewhat balanced.

The IPSEC/VPN question is will the VPN device handle 500 simultaneous VPN tunnels? What would be the cost of hardware that would be able to handle 500 if not more if you also use the device to grant employees VPN access?

IMHO, if you do not need these 500 users to have any other access to internal systems/applications, https will be more efficient in both performance and in resources.  With https you will also have a single, central location to manage access of users to the resources of the web site.  In the IPSEC/VPN you have two: the ipsec/vpn credentials and the web site credentials. I.e. if you want to revoke a user's creds, they need to be removed first and foremost from the ipsec/vpn.  I am willing to state that the web site creds would have many "inactive" user credentials hanging around.  This will happen because those credentials are useless if the user is no longer able to vpn via ipsec or ssl.  There will be a time when a question of how many users are using the system and the difference in the count between the ipsec/vpn and the web credentials will force an audit which might arise at a most inconvenient time.

Placing the internet-facing system in the DMZ is a good precaution to limit the exposure of the LAN should the system be compromised.


0

Question has a verified solution.