Cisco Support Community

New Member

IPsec better than SSL??

Hi,

We have Cisco AnyConnect VPN and the protocol we use is IPsec.

I heard that IPsec is preferred over SSL.

1. My management wants to disable 'outside' under 'webvpn' in order not to upgrade the hardware.

I don't really understand what this means.

2. The firewall we use is the 5510, and I heard that the 5510 doesn't support TLS 1.2??

I also don't understand what this means.

I would very much appreciate it if you could answer my questions above!

Thank you so much!

3 REPLIES
VIP Purple

Re: IPsec better than SSL??

Both TLS and IPsec give you cryptographic protection. Both are available in different versions and with different algorithms. For your 5510 you are quite limited, as it only supports outdated crypto (well, the 5510 is also pretty much outdated and EOL soon). For SSL and TLS, make sure to disable SSL, as that is considered insecure. TLS is only available in the legacy version TLS 1.0, while the -X ASAs also support the more modern and stronger version TLS 1.2. When comparing TLS and IPsec, IPsec is stronger from a cryptographic standpoint, especially when the device only supports TLS 1.0.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
New Member

Re: IPsec better than SSL??

Thank you so much for your reply.

So I still don't get what SSL has to do with upgrading the device?

And, since SSL doesn't support TLS 1.2 but 1.0, and IPsec is stronger, especially when the device only supports TLS 1.0, I assume my management wants IPsec to be used instead of SSL, correct?

VIP Purple

Re: IPsec better than SSL??

Regarding upgrading the device: I would assume they think that they don't want to upgrade and instead at least disable all functions on the outside that use suboptimal crypto. In the medium to long term this can be dangerous, as from next year on the 5510 will be EOL.

But as a short-term solution, it could work. But also with IPsec you don't win anything: if you use AnyConnect, you typically want to enable the session services, which work over TLS. And the legacy IPsec client uses IKEv1 with legacy crypto, which is also not optimal.

On the other hand, in both ways it's unlikely that anyone breaks that crypto.


--
Don't stop after you've improved your network! Improve the world by lending money to the working poor: http://www.kiva.org/invitedby/karsteni
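As an added illustration of the settings discussed in this thread (not code from the thread or from Cisco), the script below audits a constructed ASA running-config fragment for the three points raised above: whether webvpn is enabled on the outside interface, whether `ssl server-version` still permits TLS 1.0 or SSLv3, and whether IKEv1 is enabled on the outside for the legacy IPsec client. The command syntax is assumed to match the ASA CLI; the config itself is made up for the example.

```python
import re
from typing import List, Optional

# Constructed ASA running-config fragment (not from the thread). Command
# syntax is the ASA CLI as assumed here: `webvpn` / `enable <interface>`,
# `ssl server-version <ver>`, `crypto ikev1 enable <interface>`.
SAMPLE_CONFIG = """\
hostname asa5510-lab
!
ssl server-version tlsv1
!
webvpn
 enable outside
 anyconnect enable
!
crypto ikev1 enable outside
"""
# TLS settings the thread treats as legacy (SSLv3 or TLS 1.0 permitted).
LEGACY_VERSIONS = {"any", "sslv3", "sslv3-only", "tlsv1", "tlsv1-only"}

def webvpn_interfaces(config: str) -> List[str]:
    """Interfaces listed as `enable <if>` inside the top-level `webvpn` block."""
    enabled, in_webvpn = [], False
    for line in config.splitlines():
        if not line.startswith(" "):      # any top-level command ends the block
            in_webvpn = line.strip() == "webvpn"
            continue
        m = re.match(r"\s+enable\s+(\S+)\s*$", line)
        if in_webvpn and m:
            enabled.append(m.group(1))
    return enabled

def ssl_server_version(config: str) -> Optional[str]:
    """Configured `ssl server-version`, or None if the line is absent."""
    m = re.search(r"^ssl server-version (\S+)", config, re.M)
    return m.group(1) if m else None

def audit(config: str) -> List[str]:
    """Findings matching the thread's concerns; an empty list means none."""
    findings = []
    if "outside" in webvpn_interfaces(config):
        findings.append("webvpn (SSL VPN) enabled on outside")
    ver = ssl_server_version(config)
    if ver is None or ver in LEGACY_VERSIONS:
        findings.append(f"ssl server-version {ver or 'not set'}: TLS 1.2 not enforced")
    if "outside" in re.findall(r"^crypto ikev1 enable (\S+)", config, re.M):
        findings.append("IKEv1 (legacy IPsec client path) enabled on outside")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed fragment reports all three findings; pasting in a real `show running-config` shows which of them apply to your own box.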