Question regarding IPSEC, SSLVPN and HTTPS

Dears,
I would like to know the difference between IPSEC, SSLVPN and HTTPS,
and for which scenario we would use IPSEC, SSLVPN or HTTPS,
and a brief history behind each technology and which came first ....


Thanks in advance,
sfda_soc
Asked:
Paranormastic (Cryptographic Engineer) Commented:
This is a bit too encompassing for one question - 3 questions for 3 topics each...

I would suggest Wikipedia for the history and more detail:
http://en.wikipedia.org/wiki/IPsec
http://en.wikipedia.org/wiki/SSL_VPN
http://en.wikipedia.org/wiki/Https

For SSL in general:
http://en.wikipedia.org/wiki/Secure_Sockets_Layer

Briefly tho...
IPSec - commonly used for encrypting tunnels such as L2TP, where all of the traffic is encapsulated within the encrypted tunnel.  This is used for encryption at layer 3 of the OSI model, although typically used in conjunction with L2TP which operates at layer 2 (hence its name Layer 2 Tunneling Protocol).
reference L2TP: http://en.wikipedia.org/wiki/L2TP

SSL VPN - Allows for a secured VPN session so that a remote user may access the internal LAN over a secured session.  Although the VPN server may also be authenticated, the focus is more on the user authentication here prior to negotiating the encrypted session.  Operates at layer 4 of OSI.

HTTPS - SSL (or TLS, the name of the standard that was based on SSL v3 and is practically identical to SSLv3 aside from its name) sessions for normal HTTP traffic used to create an encrypted session for web users.  Here the focus is for the user to be able to validate the authenticity of the server that they are providing sensitive information to, such as banking/credit card info/passwords/etc. and upon establishing that trust of the server the user may supply sensitive information across the secure encrypted session.  Operates at layer 4 of OSI.

VPN and HTTP both typically use a standard web server certificate issued from any trusted certification authority (CA).  This will assert the "Server Authentication"  enhanced key usage (EKU) and "Digital Signature" key usage (KU).

However IPSec does not use a standard SSL certificate and is often issued from an internally operated CA or a partner company's CA, although there are some commercial vendors available.  It will assert the "IP security IKE intermediate" EKU and "Digital Signature" KU.

Hopefully that does the trick for you.  The 'which came first' thing is a bit elusive.  Certificates have been around for many decades now, wiki says SSL 2.0 came out in early 1995 but that doesn't mean that the other technologies utilized it right away.

From my own recollection on usage:
HTTPS was used pretty quickly and many users knew to look for 'the gold lock' by the time Windows 98 was released.

IPSec was a new feature to Windows 2000.  It may have been in use in other server OS like UNIX prior to that, but that would be the major exposure to the concept.  I still don't think this one has really 'taken off' yet..

SSL VPN - VPN has been around for a number of years now and the ability to secure it is natural.  Initially this would have been done using password authentication with data passed in the clear, but security fobs started to emerge near the end of the 90's, and have grown significantly in usage every year since where now they are somewhat common at many companies.

As the technology for each came out around the same time (1995), the best I can do right now would be if I were to order them based on adoption I would say HTTPS (@1996-97), SSL VPN (@1998), IPSec (@2000).
0
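Added example, not part of the original answer: the answer above distinguishes the certificates by the EKU and KU they assert, so this sketch decodes those two extension values from DER and checks them against each profile. The function names are hypothetical, the OIDs are the standard ones for the two EKUs named, and the DER samples are hand-constructed extension values rather than real certificates.

```python
# Added example; the DER samples at the bottom are hand-constructed, not from real certificates.
EKU_NAMES = {"1.3.6.1.5.5.7.3.1": "Server Authentication",
             "1.3.6.1.5.5.8.2.2": "IP security IKE intermediate"}
KU_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
           "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign"]

def read_tlv(buf, pos):  # one DER element -> (tag, content bytes, next offset)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length bytes
        n, pos = length & 0x7F, pos + (length & 0x7F)
        length = int.from_bytes(buf[pos - n:pos], "big")
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(body):  # OBJECT IDENTIFIER content bytes -> dotted-decimal text
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if b < 0x80:                       # high bit clear marks the last byte of an arc
            arcs, value = arcs + [value], 0
    first = min(arcs[0] // 40, 2)          # the first two arcs share one encoded value
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def decode_eku(der):  # ExtKeyUsageSyntax: SEQUENCE OF OBJECT IDENTIFIER
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("EKU value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU entry is not an OID")
        oid = decode_oid(val)
        names.append(EKU_NAMES.get(oid, oid))   # unknown OIDs are reported in dotted form
    return names

def decode_ku(der):  # KeyUsage: BIT STRING, bit 0 is the top bit of the first data byte
    tag, body, _ = read_tlv(der, 0)
    if tag != 0x03 or len(body) < 2:       # body[0] is the unused-bit count
        raise ValueError("KU value is not a usable BIT STRING")
    return [name for i, name in enumerate(KU_BITS) if body[1] & (0x80 >> i)]

def matches_profile(eku_name, eku_der, ku_der):  # named EKU plus Digital Signature KU
    return eku_name in decode_eku(eku_der) and "digitalSignature" in decode_ku(ku_der)

WEB_EKU = bytes.fromhex("300a06082b06010505070301")   # constructed: Server Authentication only
IKE_EKU = bytes.fromhex("300a06082b06010505080202")   # constructed: IKE intermediate only
KU_SIG = bytes.fromhex("03020780")                    # constructed: digitalSignature only
```

A certificate that carries only the web-server EKU fails the IKE check here, which is the practical consequence of the two profiles described in the answer.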
 
sfda_soc (Author) Commented:
What about where to use each technology?
Paranormastic (Cryptographic Engineer) Commented:
What the first thing after each listing above...
IPSec - used primarily for the encryption part of L2TP tunnels (also used somehow in IPv6)
SSL VPN - securing VPN solutions
HTTPS - primarily used for securing web pages, also occasionally for other things like securing FTP (FTPS)