The document compares the security features of SSL and IPsec. It discusses how each protocol provides authentication, confidentiality, integrity and other security services. It also outlines some of the benefits and limitations of each, such as SSL being best for web applications while IPsec provides broader security. Sample use cases are presented to illustrate when each protocol may be best to use.

1. The Matrix Evaluations A Comparative In depth Evaluation of Security Features in SSL & IP Sec .. dodge this ! Krishna Sashank & Nayna Jain Research Engineers , TMN Group Centre for Development of Telematics Bangalore

2. Agenda Panch Sutra of Security Problem, Which layer ? SSL & IP-Sec Overview Promises, Benefits Limitations Case Studies & Conclusions Question & Answers

3. Pancha - Sutra of Security Authentication Authorization Non-Repudiation Confidentiality Integrity

4. The Problem The wire protocol guys don't worry about security because that's really a network protocol problem. The network protocol guys don't worry about it because, really it's an application problem. The application guys don't worry about it because, after all, they can just use the IP address and trust the network. Marcus Ranum ( first commercial firewall inventor !)

5. Which Layer ?

6. SSL - Basics Basic Protocols Handshake protocol Record protocol SSL - Stack

7. SSL - Handshake

8. SSL – Promises Authentication Confidentiality Integrity Interoperability Extensibility Relative Efficiency

9. SSL - Benefits Employ granular access control. Extend remote access capabilities. Well engineered for PDA's and WiFi laptops and mobiles. Best suited for e-transactions like banking, etc. Key Selling Point : E asier installation and maintenance results in higher cost-savings.

10. SSL – Open Source Packages Open SSL (www.openssl.org) A tool kit implementing SSL v2 /v3 and TLS v 1.0 mod -ssl Apache interface for open ssl Apache-SSL An alternative to mod-ssl Open VPN An SSL vpn Solution

11. SSL Limitations Mainly web-based applications can be accessed. Complicate applications such as file sharing, automated file transfers and scheduled file backups. Customization of applications is difficult. Lack of transparent security to all applications compared to IP Sec.

12. IP Sec - Overview IP Sec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6.

13. IP Sec – Protocols & Modes Protocols Authentication Header (AH) Encapsulating Security Payload (ESP) Modes Transport Mode Tunnel Mode

14. IP Sec - Promises Access control Data Origin authentication Integrity Connectionless Integrity Partial Sequence Integrity( Anti - Replay Integrity) Confidentiality Data Flow Confidentiality Traffic Flow Confidentiality

15. IP Sec - Promises Perfect forward secrecy To provide PFS, the DH are exchanged while negotiation of parameters. Caution : There is a definite overhead associated with doing a D-H exchange at each re-key interval. If the data requires such security it is an appropriate price to pay, but if it doesn't, it could be excessive.

16. IP Sec - Benefits " Always On " protection for all applications independent of user intervention. Consistent security for each client or end user residing on each remote computer. Stronger security plus is, it prevents Man-in-the-Middle attacks Denial of service (DoS) attacks Extra hardware devices can be used to improve the efficiency.

17. IP Sec – Open Source Packages

18. IP Sec - Limitations IP Sec does not work along with Firewalls. Note : IPSec uses UDP Port 500 for the initial negotiations and then IP Protocol 50 for all the traffic Tip : Add these two lines in the ip tables configuration file 'iptables -A xxx -p 50 -j ACCEPT' 'iptables -A xxx -p 51 -j ACCEPT'

19. IP Sec - Limitations NAT modifies the IP addresses in the packet, which directly violates the packet integrity assurance provided by IP Sec. Tip : Perform NAT before applying IP Sec. At home or small offices, configure cable and DSL routers to perform NAT thereby permitting IP Sec NAT-T for the client systems.

20. IP Sec - Limitations Prone to vulnerability when administrators choose a non-certificate option such as password or tokens. Vendors tend to offer alternatives such as Extended Authentication (XAUTH) and L2TP over IPSec. IPSec VPNs tend to be deployed with less granular access controls.

21. IP Sec - Limitations It is a time-consuming chore for administrators to configure individual and group access rules. Maintenance cost is high which adds up to overall costs. Provides only machine authentication. It is slower, for its cryptographic operations are CPU - intensive.

22. Latency Analysis

23. CASE STUDIES

24. Case #1 Requirements An organization with a single office location is planning to open a small remote office, which includes identifying any needs to protect network communications. Remote office will need to access several IT resources located at the main office, including the organization's email, intranet web server, databases, file servers as well as several business applications.

25. Case #1 – Continued .. Requirements Communication with most of the IT resources will involve transfer of sensitive data between systems. Currently communication is always initiated by remote office, in future, it may be required to protect the communications initiated by main office. Thus the organization is required to provide a secure solution in a cost effective manner.

26. Case #2 Requirements : A marketing company has its salesmen roaming all over the country. The salesmen need to have communication with main office very often. Salesmen need to access their email and certain parts of the company website to get latest information on the products and their cost. Communication should be secure in a cost effective manner and should involve minimal changes in infrastructure.

27. Solutions for both cases Image Source : TechTarget

28. Conclusions

29. THE MATRIX

31. IP Sec , SSL or Combination ? What type of access do users require ? If they need permanent, always-on access If they are mobile workers needing casual or on demand access Are users your employees or not ? If all your users are employees If all your users are not employees

32. Is it important to have future scalability? If it’s critical to easily add , change applications later If it is required for current running applications alone If both considerations are important . What level of access control is required ? If you want to grant access to all apps & resources If you want to control access to specific applications If you want variable levels of access control IP Sec , SSL or Combination ?

33. How ease is the deployment at client workstations If client workstations are easily accessible and configurable If you have no control over your clients If you have both type of clients What is the budget allocated ?? If it is possible to deploy ipsec clients and maintain them If deployment and maintenance is tough IP Sec , SSL or Combination ?

34. Bottom Line A careful evaluation, based on the factors mentioned previously, is a necessity for any organization looking to bolster secure, remote connectivity through the use of a network

35. I'm trying to free your mind, Neo . But I can only show you the door. You're the one that has to walk through it. -- Morpheus

36. Resources SSL openssl ( www.openssl.org) mod-ssl ( www.modssl.org) Open Vpn (www.openvpn.org) SSL 3.0 specification IPSEC KAME tools FREE/SWAN RFC 2401 Bench Marking siege

37. Contact email : [email_address] [email_address]

38. Latency Analysis of SSL vs IPSec Traffic

39. IP Sec - Overview