Solved

Question regarding IPSEC , SSLVPN and HTTPS

Posted on 2009-04-02
3
543 Views
Last Modified: 2013-11-21
Dears ,
i would liek to know the difference between IPSEC , SSLVPN and HTTPS ,
And for which scneario we wouild use IPSEC , SSLVPN or HTTPS
and a brief history behind each technology and which came first ....


thanks in advance,
0
Comment
Question by:sfda_soc
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
3 Comments
 
LVL 31

Accepted Solution

by:
Paranormastic earned 500 total points
ID: 24062544
This is a bit too encompassing for one question - 3 questions for 3 topics each...

I would suggest wikipedia for the history and more detail:
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/SSL_VPN
http://en.wikipedia.org/wiki/Https

For SSL in general:
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

Briefly tho...
IPSec - commonly used for encrypting tunnels such as L2TP, where all of the traffic is encapsulated within the encrypted tunnel.  This is used for encryption at layer 3 of the OSI model, although typically used in conjunction with L2TP which operates at layer 2 (hence its name Layer 2 Tunneling Protocol).
reference L2TP: http://en.wikipedia.org/wiki/L2TP

SSL VPN - Allows for a secured VPN session so that a remote user may access the internal LAN over a secured session.  Although the VPN server may also be authenticated, the focus is more on the user authentication here prior to negotiating the encrypted session.  Operates at layer 4 of OSI.

HTTPS - SSL (or TLS, the name of the standard that was based on SSL v3 and is practically identical to SSLv3 aside from its name) sessions for normal HTTP traffic used to create an encrypted session for web users.  Here the focus is for the user to be able to validate the authenticity of the server that they are providing sensitive information to, such as banking/credit card info/passwords/etc. and upon establishing that trust of the server the user may supply sensitive information across the secure encrypted session.  Operates at layer 4 of OSI.

VPN and HTTP both typically use a standard web server certificate issued from any trusted certification authority (CA).  This will assert the "Server Authentication"  enhanced key usage (EKU) and "Digital Signature" key usage (KU).

However IPSec does not use a standard SSL certificate and is often issued from an internally operated CA or a partner company's CA, although there are some commercial vendors available.  It will assert the "IP security IKE intermediate" EKU and "Digital Signature" KU.

Hopefully that does the trick for you.  The 'which came first' thing is a bit elusive.  Certificates have been around for many decades now, wiki says SSL 2.0 came out in early 1995 but that doesn't mean that the other technologies utilized it right away.

From my own recollection on usage:
HTTPS was used pretty quickly and many users knew to look for 'the gold lock' by the time windows 98 released.

IPSec was a new feature to Windows 2000.  It may have been in use in other server OS like UNIX prior to that, but that would be the major exposure to the concept.  I still don't think this one has really 'taken off' yet..

SSL VPN - VPN has been around for a number of years now and the ability to secure it is natural.  Initially this would have been done using password authentication with data passed in the clear, but security fobs started to emerge near the end of the 90's, and have grown significantly in usage every year since where now they are somewhat common at many companies.

As the technology for each came out around the same time (1995), the best I can do right now would be if I were to order them based on adoption I would say HTTPS (@1996-97), SSL VPN (@1998), IPSec (@2000).
0
 

Author Comment

by:sfda_soc
ID: 24066871
what about where to use each technology ?
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 24077895
What the first thing after each listing above...
ipsec - used primarily for the encryption part of L2TP tunnels (also used somehow in IPv6)
SSL VPN - securing VPN solutions
HTTPS - primarily used for securing web pages, also occasionally for other things like securing FTP (FTPS)
0

Featured Post

How to Defend Against the WCry Ransomware Attack

On May 12, 2017, an extremely virulent ransomware variant named WCry 2.0 began to infect organizations. Within several hours, over 75,000 victims were reported in 90+ countries. Learn more from our research team about this threat & how to protect your organization!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

With the withdrawal of support for Windows Server 2003 this summer, many clients face the issue of moving away from their 2003 installs. There are a few options out there that many people/companies are selling. But the clients I have, haven't wanted…
Outsource Your Fax Infrastructure to the Cloud (And come out looking like an IT Hero!) Relative to the many demands on today’s IT teams, spending capital, time and resources to maintain physical fax servers and infrastructure is not a high priority.
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Internet Business Fax to Email Made Easy - With  eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, f…

710 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question