Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
944
Views
0
Helpful
3
Replies

IPsec better than SSL??

ohforce55
Level 1
Level 1

‎09-19-2017 11:28 AM - edited ‎03-12-2019 04:33 AM

Hi,

 

We have Cisco anyconnect VPN and protocol we use is IPsec.

 

I heard that IPsec is preferred to be used than SSL.

 

1. My management want to disable outside under 'webvpn' in order to not upgrade hardware.

I don't really understand what this means..

 

2. The firewall we use is 5510, and I heard that 5510 doesn't support TLS 1.2??

I don't also understand what this means....

 

 

I will very appreciate if you can answer my questions above!

 

Thank you so much!

Labels:
0 Helpful
3 Replies 3

Karsten Iwen
VIP
VIP

‎09-19-2017 12:51 PM

Both TLS and IPsec give you cryptographic protection. Both are available in different versions and with different algorithms. For your 5510 you are quite limited as it only supports outdated crypto (well, the 5510 is also pretty much outdated and EOL soon). For SSL and TLS, make sure to disable SSL as that is considered insecure. TLS is only available in the legacy version TLS 1.0 while the -X-ASAs supports also the more modern and stronger version TLS1.2. When comparing TLS and IPsec, IPsec is stronger from a cryptographic standpoint, especially when the device only supports TLS1.0.

0 Helpful

ohforce55
Level 1
Level 1
In response to Karsten Iwen

‎09-21-2017 08:16 AM

Thank you so much for your reply.

 

So, I don't still get that what SSL has something to do with upgrading device??

 

And, since SSL doesn't support TLS 1.2 but 1.0, and IPsec is stronger, especially when the device only supports TLS1.0,  I assume my management wants IPsec to be used instead of SSL correct?

0 Helpful

Karsten Iwen
VIP
VIP
In response to ohforce55

‎09-21-2017 08:33 AM

Regarding upgrading the device: I would assume they think that they don't want to upgrade and instead at least disable all functions on the outside that use suboptimal crypto. On the long/middle term, this can be dangerous as from next year on the 5510 will be EOL.

But as a short-term solution, it could work. But also with IPsec you don't win anything: If you use AnyConnect, you typically want to enable the Session-services which work over TLS. And the legacy IPsec-client uses IKEv1 with legacy crypto which is also not optimal.

On the other hand, in both ways it's unlikely that anyone breaks that crypto.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents