69

I would like to design a client-server application where the server is placed on Internet. I assume that I could set up the client-server connection using VPN (is it using IPSec?) or using a SSL connection (possibly https). What are the differences between VPN/IPsec and SSL/https for securing a client server connection over Internet?

AviD
  • 72,708
  • 22
  • 137
  • 218
Jonas
  • 5,163
  • 7
  • 33
  • 35
  • more insight on your intended client base and the nature of your application would help you get a better answer and help us avoid going off on unrelated tangents :) – nealmcb Jan 06 '11 at 17:16
  • 1
    How to pick a VPN Provider? http://security.stackexchange.com/questions/3973/how-do-i-pick-a-vpn-provider – claws Jan 03 '12 at 06:45
  • For clear understanding of VPN: watch this video http://www.youtube.com/watch?v=KFODy-dHcU8 – claws Jan 03 '12 at 06:46

8 Answers8

82

VPN means "Virtual Private Network". It is a generic concept which designates a part of a bigger network (e.g. the Internet at large) which is logically isolated from the bigger network through non-hardware means (that's what "virtual" means): it is not that we are using distinct cables and switches; rather, isolation is performed through use of cryptography.

SSL (now known as TLS) is a technology which takes a bidirectional transport medium and provides a secured bidirectional medium. It requires the underlying transport medium to be "mostly reliable" (when not attacked, data bytes are transferred in due order, with no loss and no repetition). SSL provides confidentiality, integrity (active alterations are reliably detected), and some authentication (usually server authentication, possibly mutual client-server authentication if using certificates on both sides).

So VPN and SSL are not from the same level. A VPN implementation requires some cryptography at some point. Some VPN implementations actually use SSL, resulting in a layered system: the VPN transfers IP packets (of the virtual network) by serializing them on a SSL connection, which itself uses TCP as a transport medium, which is built over IP packets (on the physical unprotected network). IPsec is another technology which is more deeply integrated in the packets, which suppresses some of those layers, and is thus a bit more efficient (less bandwidth overhead). On the other hand, IPsec must be managed quite deep within the operating system network code, while a SSL-based VPN only needs some way to hijack incoming and outgoing traffic; the rest can be down in user-level software.

As I understand your question, you have an application where some machines must communicate over the Internet. You have some security requirements, and are thinking about either using SSL (over TCP over IP) or possibly HTTPS (which is HTTP-over-SSL-over-TCP-over-IP), or setting up a VPN between client and server and using "plain" TCP in that private network (the point of the VPN is that is gives you a secure network where you need not worry anymore about confidentiality). With SSL, your connection code must be aware of the security; from a programming point of view, you do not open a SSL connection as if it was "just a socket". Some libraries make it relatively simple, but still, you must manage security at application level. A VPN, on the other hand, is configured at operating system level, so the security is not between your application on the client and your application on the server, but between the client operating system and the server operating system: that's not the same security model, although in many situations the difference turns out not to be relevant.

In practice, a VPN means that some configuration step is needed on the client operating system. It is quite invasive. Using two VPN-based applications on the same client may be problematic (security-wise, because the client then acts as a bridge which links together two VPN which should nominally be isolated from each other, and also in practice, because of collisions in address space). If the client is a customer, having him configure a VPN properly looks like an impossible task. However, a VPN means that applications need not be aware of security, so this makes it much easier to integrate third-party software within your application.

INV3NT3D
  • 3,977
  • 3
  • 14
  • 25
Thomas Pornin
  • 322,884
  • 58
  • 787
  • 955
  • 3
    To add to the above, given the fact that many applications do not properly implement SSL libraries, resulting in serious security compromises, it may be wise to consider using VPN to ensure you don't rely on each applications individual SSL implementation, rather on one that has been well audited (open-source VPN solutions like OpenVPN). – deed02392 Feb 22 '13 at 17:01
  • 3
    To clarify, SSL happens at layer 7 in the OSI model - every application has to have its own implementation. (most) VPNs operate at the network layer (3) which means that everything that happens at higher layers is at least not nakedly exposed to the Big Bad Internet. It does not mean they're secure, that assumption can be dangerous. – quadruplebucky Feb 17 '14 at 01:30
  • Unless Im wrong, from the practice point of view, one use VPN as a **private** network. Globally/Pratically, SSL is for public audience, VPN is aiming a private networking. *This is certainly too simplist. If it is, please dont blame, but explain.* – Strukt Aug 03 '15 at 12:09
  • 1
    @Strukt: you maintain the privacy of your home by closing the door. People, from the outside, see the surface of the closed door. – Thomas Pornin Aug 03 '15 at 12:15
  • @ThomasPornin yeah, it is *virtual* privacy. One sees the door, but does not know what's behind... SSL does the same, it is not door but pipes if you want. Brief, to me **SSL and VPN both encrypt traffic datas, but SSL allows anybody to get/post datas, while VPN deals datas only with the authorized clients.** Nope ? – Strukt Aug 03 '15 at 12:22
  • 3
    @Strukt: no. SSL is the door, VPN is the contents of the house. You don't get one _or_ the other; they are not to be opposed. SSL is a technology that ensures some security properties, which are a nice building block for a variety of usages, one of them being "a VPN". (I suppose that when you read "SSL" you think "Web site with `https://`, which is probably the source of the terminology confusion.) – Thomas Pornin Aug 03 '15 at 12:35
  • Thanks. That's why Im confusing. Thinking https. Btw I was sure that VPN encrypts data. When I use OpenVPN, there is a sublayer OpenSSL within. Well, with OpenSSL only, data are encrypted. With VPN they are *traffic'ed* only with known/authenticated clients. VPN = SSL + authentication *before* connecting = The key to enter the house + the key to "decrypt" the inside. While SSL is only a matter of encryption. ... still wrong ? // SSL is encryption, VPN is networking. And the virtual privacy is ensured by : SSL + authentication. – Strukt Aug 03 '15 at 12:54
  • @ThomasPornin I like the door vs. contents of the house example. How about SSL is the mail slot in the door while with the VPN you go through the door with your key and have access to all the contents. Also these days I wonder how strong of a statement is VPNs being safer. Here is a search for OpenVPN that was used as an example: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=openvpn – eglasius Oct 09 '20 at 06:31
16

Both have security issues if not configured correctly. But first lets start with some definitions:

Cisco have a good definition of a VPN:

VPN can take several forms. A VPN can be between two end systems, or it can be between two or more networks. A VPN can be built using tunnels or encryption (at essentially any layer of the protocol stack), or both, or alternatively constructed using MPLS or one of the “virtual router” methods. A VPN can consist of networks connected to a service provider’s network by leased lines, Frame Relay, or ATM, or a VPN can consist of dialup subscribers connecting to centralized services or other dialup subscribers. https://www.cisco.com/c/en_in/products/security/vpn-endpoint-security-clients/what-is-vpn.html

As for SSL:

SSL (Secure Sockets Layer), also known as TLS (Transport Layer Security), is a protocol that allows two programs to communicate with each other in a secure way. Like TCP/IP, SSL allows programs to create "sockets," endpoints for communication, and make connections between those sockets. But SSL, which is built on top of TCP, adds the additional capability of encryption. http://www.boutell.com/newfaq/definitions/ssl.html

In relation to your question, the main difference is that SSL often makes use of the browser to encrypt data between end user and the server, and is commonly used for areas of websites that require the protection of confidentiality and integrity of the data.

VPN/IPSEC requires specific VPN Client software and is generally for providing remote access to systems or networks. Also there is the option to go for L2TP or L2F instead of IPSEC.

However, SSL VPNs are becoming more prevalent as a means to provide access to networks / systems via the web browser. This approach has many benefits as it uses the common web browser to enable the secure connection. The granularity of this approach is also a good way to control accesses to specific applications.

As for security issues -

SSL -

  • Weak security cyphers could lead to the ability to conduct man-in-the-middle style attacks against the end user, resulting in a loss of confidentiality / integrity of the data.

    • Poorly configured mix of HTTP / HTTPS content could also lead to a loss of confidentiality / integrity of the data.

IPSEC -

David Stubley
  • 2,896
  • 1
  • 18
  • 28
  • 1
    Btw @David not all SSL VPNs are limited to browser clients. There are some SSL VPN products (names escape me) that deliver a client, that can redirect all TCP/IP packets over the SSL tunnel, not just the HTTPS requests aimed at the server. – AviD Jan 06 '11 at 20:00
  • 2
    @AviD - totally agree, as an example OpenVPN does what you say - "OpenVPN is a full-featured SSL VPN which implements OSI layer 2 or 3 secure network extension using the industry standard SSL/TLS protocol." But then you are back to using software installed on the client. – David Stubley Jan 07 '11 at 09:21
  • Yes, but then setup and distribution are a lot simpler. This can still be delivered over the web... – AviD Jan 07 '11 at 14:28
7

Some very good answers here, I won't repeat what was already said.
However, one point I found to be lacking - SSL is a lot easier to setup on an ad-hoc basis, especially if you don't have a requirement for client certificates.
IPsec, on the other hand, always requires client certificates (assuming a normal, typical setup), and there are also other difficulties in initial setup and distribution.

As such, IPsec is usually more fit for a controlled network, and less so over the wild wild unknown Internet. See some more info at this other question: "IPsec (Internet Protocol Security) facts".

Thus, getting back to your actual question, in almost all cases where you're putting the server on the Internet, you wouldnt expect your users to connect using a VPN. (Exceptions exist, of course.)
Instead, just simply set up SSL certs on your server, point your clients at it, and you're good to go (just make sure you explicitly validate the certificate, depending on what language/technology/library you're using...)

AviD
  • 72,708
  • 22
  • 137
  • 218
5

Are you looking at these options to create a secure VPN? SSL is generally easier to deploy and better supported for a desktop-to-network type of VPN, such as when an employee at home is connecting to the corporate network. If you're doing a more complex deployment, such as a network-to-network encrypted VPN (e.g., between two different organizations), then IPSEC will provide better control and more customization options.

There is a decent white paper on the topic by Juniper Networks, although it might be skewed to the strengths of their products.

Eugene Kogan
  • 281
  • 2
  • 4
  • that white paper says that ipsec is used to connect two remote branches. Cant a single remote user connect a single computer to the remote branch ? Why is this not mentioned there ? – user1184 Jan 25 '11 at 02:35
2

This could be a very long answer, but I'll try the short one.

When you use https, your browser (acts as a SSL client) will only encrypt this connection to the webserver.

When you use VPN, you need a special client and establish a tunnel between the client and the server. Then you can configure which traffic goes through the tunnel. This can be everything or just your http traffic.

When you only want to set up a client/server application which can communicate with http, the easiest solution should be the https traffic, when it needs to be encrypted. It is much more complicated to setup a VPN and maintain it.

Christian
  • 121
  • 2
2

This depends on your threat model, on the nature of the client server protocol you need, and on your customers.

Is this intended for unsophisticated end-users? Then use SSL - at this point VPN complexity will just turn off a lot of potential users.

Do you want to deploy the client as a browser app (perahps with javascript)? Then again https/ssl seems like the way to go.

Does the server ever need to asynchronously notify the client of something? Then HTTPS may not be what you want (though it can be made to do so).

How big a risk is phishing? If it would be easy for attackers to lure folks to them as a MITM, SSL is probably better since it authenticates each server to the client. A typical VPN, once set up, doesn't help the user avoid an attacker who has gotten into other hosts on the VPN. This would probably not be a huge risk but again it depends on what you're doing.

If you're deploying this in the cloud (both client and server), then you may get a VPN of sorts almost for free which may address some very casual threats.

nealmcb
  • 20,693
  • 6
  • 71
  • 117
2

Well, the difference is kind of like the difference between a circle and a square (both are shapes, but differ greatly). They both secure communications, but do it at different levels and in different ways. IPSEC is wireline encryption and authorization whereas SSL is application-specific.

IPSEC has access control whereas SSL does not.

Can you be more specific with what you are trying to figure out?

Steve
  • 15,215
  • 3
  • 38
  • 66
  • securing data at ip level(ipsec) is there a advantage over securing data at application level (ssl) ? – user1184 Jan 25 '11 at 02:20
0

I am far from a security expert, but I think the most important difference between the two is not in the other answers.

By VPN the communication goes this way:

HTTP client <-[raw]-> VPN client
  <-[encrypted]-> 
VPN server <-[raw]-> HTTP server

By HTTPs it goes this way:

HTTP client
  <-[encrypted]-> 
HTTP server

So by VPN unprotected data can travel on the local network of the clients and on the local network of the servers. If you don't trust those networks entirely, then it is a wise idea to use HTTPs. Be aware that the VPN and the HTTP client-client, server-server pairs are not necessarily on identical computers, e.g. routers can be configured to be VPN servers or clients.

Since these technologies work on a different level, they are not mutually exclusive, so you can use both if you want another layer of protection and you don't mind the performance drop coming with it or you can just use the one of them, which better suits your needs. As far as I know both technologies are considered secure if they are configured properly.

inf3rno
  • 479
  • 1
  • 7
  • 19