Cisco Support Community
Community Member

IPSec vs. SSL

I am looking into running “private” applications via the Internet. Obviously, I have been working with IPSec / VPN techniques. I am intrigued by SSL however, as some of the applications are web based. The idea of having SSL built right into a browser sounds very convenient, and there seems to be sufficient robustness and modularity built into the SSL standard. What confuses me a bit is how the client can be restricted and authenticated. It seems as though SSL is biased more toward server authentication. I am equally concerned about allowing access to a select few clients. What options do I have to limit the web application to a select list?


Re: IPSec vs. SSL

Thank you for your post to the Networking Professionals Connection message board. The issue of authentication you present may be of interest to many of our community members. If any of our members have an idea or solution for ETMS, please feel free to post it here as a reply to the original message.

Thanks for your participation.

Cisco Moderator

Community Member

Re: IPSec vs. SSL

IPSec clients work at the IP layer. The authentication occurs via IKE. It can best be done using digital certificates. When the client is started, it gets authenticated on the VPN gateway to which it is connecting.

Community Member

Re: IPSec vs. SSL

We have had a similar discussion at our company. We have client-server applications we need to host for customers. Since security has just become an important issue, most of the apps have no inherent security. Our plan is to provide IPSec VPNs while the developers get the same functionality (SSL) into the apps themselves. Once that's done, we can drop the IP-layer VPN and let the apps handle this themselves.

The downside for IPSec is that you need to get network admins to agree to do IPSec with you (difficult if you don't have any influence with the other company, or they don't have the hardware or skill to do it); it usually involves some network reconfigs that can be painful or politically difficult (been there...). There can also be some incompatibilities that IPSec adds (MTU etc.) that might need to be worked around.

As for restricting clients, you can do IOS ACLs if all the clients are from known addresses (almost never a reality) or require strong authentication (token-based or other one-time method), which is what we're doing.
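The original question (how an SSL-protected web application can authenticate and restrict its clients, not just the server) and the point in the reply above that restricting by client address is rarely realistic both come down to the same mechanism: TLS client certificates, plus an allow-list on top. The Go program below is an added example written for this page; it is not code from any poster or from Cisco. It mints a throwaway private CA and certificates in memory (the names Demo Private CA, alice and mallory, and the 127.0.0.1 loopback server, are constructed for the demo), runs a server that requires a client certificate issued by that CA, and then layers an allow-list check on the certificate subject. Three clients try to connect: alice (listed), mallory (holds a valid certificate from the same CA but is not listed) and a client that presents no certificate at all.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err) // key and certificate generation only fail on a broken RNG
	}
}

// issue mints a short-lived P-256 cert for cn: a self-signed CA when parent is nil, otherwise a leaf signed by parent.
func issue(cn string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo; a real CA tracks serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		IPAddresses:           []net.IP{net.IPv4(127, 0, 0, 1)}, // lets the same helper mint the loopback server cert
		BasicConstraintsValid: true,
	}
	if parent == nil { // no issuer: this is the root of our private CA and vouches for itself
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
		parent = &tls.Certificate{Leaf: tmpl, PrivateKey: key}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent.Leaf, &key.PublicKey, parent.PrivateKey)
	must(err)
	leaf, err := x509.ParseCertificate(der)
	must(err)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// allowList is authorization layered on TLS client authentication: Go has already verified the chain to our CA, so only the subject is left to check.
func allowList(allowed map[string]bool) func([][]byte, [][]*x509.Certificate) error {
	return func(_ [][]byte, chains [][]*x509.Certificate) error {
		if cn := chains[0][0].Subject.CommonName; !allowed[cn] {
			return fmt.Errorf("client %q is not on the allow-list", cn)
		}
		return nil
	}
}

// handshake runs one client against a throwaway loopback TLS server and returns the server's verdict (nil: accepted).
func handshake(serverCfg, clientCfg *tls.Config) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	must(err)
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err == nil {
			defer c.Close()
			err = c.(*tls.Conn).Handshake()
		}
		verdict <- err
	}()
	// Under TLS 1.3 the client's handshake returns before the server has looked at the client cert, so read the server's verdict.
	c, _ := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	err = <-verdict
	if c != nil {
		c.Close()
	}
	return err
}

func runDemo() (alice, mallory, anonymous error) {
	ca := issue("Demo Private CA", nil)
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	serverCfg := &tls.Config{
		Certificates:          []tls.Certificate{issue("127.0.0.1", &ca)},
		ClientAuth:            tls.RequireAndVerifyClientCert, // no cert, or a cert from any other CA: handshake fails
		ClientCAs:             pool,
		VerifyPeerCertificate: allowList(map[string]bool{"alice": true}),
	}
	client := func(certs ...tls.Certificate) *tls.Config {
		return &tls.Config{RootCAs: pool, Certificates: certs}
	}
	return handshake(serverCfg, client(issue("alice", &ca))),
		handshake(serverCfg, client(issue("mallory", &ca))),
		handshake(serverCfg, client())
}

func main() {
	fmt.Println(runDemo())
}
```

Run it with `go run`; it prints `<nil>` for alice and an error for each of the other two. The two layers are deliberately separate: the CA check (ClientAuth plus ClientCAs) answers "did we issue this client a certificate at all?", and VerifyPeerCertificate answers "is this particular client permitted on this application?", which is the select-list restriction the original question asks for. For a production deployment the allow-list would be keyed on something less forgeable than the CN, such as the certificate serial or fingerprint, and a revocation mechanism (CRL or OCSP) is needed, because a lost client key otherwise stays valid until its NotAfter.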
