Matrix
SSL IPSEC VPNs pros and cons evaluation
Published in: Education
Notes
  • Authentication: the verification of the identity of a person or process. Authorization: the process of granting or denying access to a network resource. Non-repudiation: proves that a communication took place, so that the sender (or receiver) cannot deny having sent (or received) the information. Confidentiality: the property that data or information is not made available or disclosed to unauthorized persons or processes. Integrity: the property that data or information has not been altered or destroyed in an unauthorized manner.
  • SSL philosophy: it is easier to deploy something if you don't have to change the operating system; modifying an application to work on top of SSL requires minimal changes. IP Sec philosophy: implementing security inside the operating system's IP stack protects all applications automatically, without the applications being modified.
  • Basic protocols: the handshake protocol uses public-key cryptography to authenticate the server (and optionally the client) and to establish a shared secret key between client and server; the record protocol uses the key established in the handshake to protect (encrypt and authenticate) communication between client and server.
  • Speaker Should mention some details of X.509 Certificates.
  • SSL drills down better to specific applications and services. This is possible because SSL VPNs sit on top of TCP (or UDP) transports, allowing them to pass through network address translation (NAT) devices as well as stateful-inspection and proxy-based firewalls. They do not require complex or intrusive clients, i.e. installation of software on end-user computers, which means easier installation and maintenance and higher cost savings. For this reason SSL VPNs are better for smaller budgets.
  • It can be less secure because the handshake transparently negotiates encryption algorithms and key material: a server that still offers weak cipher suites or old protocol versions will fall back to them whenever the peer claims to support nothing better, so the server configuration has to refuse them outright rather than rely on the defaults. Administrators can add support for non-Web applications, but this requires custom development, including extensive upgrades, patches, SSL gateways and other add-ons, which tend to be costly and difficult to implement.
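A concrete form of the point above, as an added example (not code from the slides): with Python's standard `ssl` module, a context that leaves the protocol floor and cipher list at whatever the local OpenSSL build still accepts, beside one that pins TLS 1.2+, forward-secret AEAD suites and mandatory certificate verification, plus a post-handshake check on the `(name, protocol, bits)` tuple that `SSLSocket.cipher()` returns. The `WEAK_MARKERS` list and the `is_acceptable` policy are this example's own assumptions, not something the slides prescribe.

```python
import ssl

# Fragments of cipher-suite names that no server should still offer (assumption).
WEAK_MARKERS = ("RC4", "DES", "NULL", "EXPORT", "MD5", "ADH", "AECDH")


def permissive_context() -> ssl.SSLContext:
    """The 'transparent negotiation' the slide warns about: the lowest
    protocol version and the widest cipher list this OpenSSL build still
    allows, so the peer decides how strong the session ends up."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Pin the floor instead: TLS 1.2 or newer, forward-secret AEAD suites
    only, and certificate plus hostname verification that cannot be skipped."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


def weak_cipher_names(ctx: ssl.SSLContext) -> list[str]:
    """Suites the context would still negotiate whose name matches WEAK_MARKERS."""
    return [c["name"] for c in ctx.get_ciphers()
            if any(m in c["name"] for m in WEAK_MARKERS)]


def is_acceptable(cipher_info: tuple[str, str, int]) -> bool:
    """Check the (name, protocol, secret bits) tuple from SSLSocket.cipher()
    after the handshake: modern protocol, >=128-bit key, forward secrecy
    (ECDHE/DHE, or a TLS 1.3 suite), and no weak-marker in the name."""
    name, proto, bits = cipher_info
    return (proto in ("TLSv1.2", "TLSv1.3")
            and bits >= 128
            and name.startswith(("ECDHE", "DHE", "TLS_"))
            and not any(m in name for m in WEAK_MARKERS))


if __name__ == "__main__":
    print("permissive floor:", permissive_context().minimum_version)
    print("hardened floor:  ", hardened_context().minimum_version)
    print("weak suites left in hardened:", weak_cipher_names(hardened_context()))
    print(is_acceptable(("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)))
    print(is_acceptable(("RC4-SHA", "TLSv1", 128)))
```

The second function is the one to actually use with `ctx.wrap_socket(...)`; the first exists only to show what "defaulting to weaker" looks like in a real API. `is_acceptable` is a belt-and-braces check for code that is handed a socket it did not configure.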
  • This can be accomplished by arranging the devices in a particular order, or by using an IP Sec gateway that also performs NAT; for example, the gateway performs NAT first and then IP Sec on outbound packets. An IKE extension known as IPsec NAT-Traversal (NAT-T) lets IKE detect a NAT on the path and negotiate UDP encapsulation of ESP (UDP port 4500), which a NAT device can forward like any other UDP flow. AH cannot be rescued this way, because the addresses NAT rewrites are exactly what AH authenticates.
  • Choosing between an IPSec and SSL VPN is not a matter of one being better than the other, as each has myriad benefits and drawbacks depending on an organization's needs. A careful evaluation, based on the factors mentioned previously, is a necessity for any organization looking to bolster secure, remote connectivity through the use of a VPN.
  • The above graph is taken from the benchmarking results done by us. Two machines running FC3 were chosen; both systems were running random applications and the network traffic was moderate. SSL was configured with only server authentication. IP Sec was configured with IKE and certificates. Both sets of values were taken individually.
  • Rarely is anything black or white. Life and logic are filled with shades of gray, trade-offs and compromises, advantages with constraints, and richness counterbalanced with cost. This immutable reality touches virtually every choice and issue in life. A Secure Solution is no exception
  • Transcript of "Matrix"

    1. The Matrix Evaluations <ul><ul><li>A Comparative In-depth Evaluation of Security Features in SSL & IP Sec </li></ul></ul><ul><ul><li>.. dodge this ! </li></ul></ul><ul><ul><li>Krishna Sashank & Nayna Jain </li></ul></ul><ul><ul><li>Research Engineers, TMN Group </li></ul></ul><ul><ul><li>Centre for Development of Telematics </li></ul></ul><ul><ul><li>Bangalore </li></ul></ul>
    2. Agenda <ul><li>Pancha Sutra of Security </li></ul><ul><li>Problem, Which layer ? </li></ul><ul><li>SSL & IP-Sec </li></ul><ul><ul><li>Overview </li></ul></ul><ul><ul><li>Promises, Benefits </li></ul></ul><ul><ul><li>Limitations </li></ul></ul><ul><li>Case Studies & Conclusions </li></ul><ul><li>Questions & Answers </li></ul>
    3. Pancha Sutra of Security <ul><li>Authentication </li></ul><ul><li>Authorization </li></ul><ul><li>Non-Repudiation </li></ul><ul><li>Confidentiality </li></ul><ul><li>Integrity </li></ul>
    4. The Problem "The wire protocol guys don't worry about security because that's really a network protocol problem. The network protocol guys don't worry about it because, really it's an application problem. The application guys don't worry about it because, after all, they can just use the IP address and trust the network." -- Marcus Ranum (inventor of the first commercial firewall)
    5. Which Layer ?
    6. SSL - Basics <ul><li>Basic Protocols </li></ul><ul><ul><li>Handshake protocol </li></ul></ul><ul><ul><li>Record protocol </li></ul></ul>SSL - Stack
    7. SSL - Handshake
    8. SSL – Promises <ul><li>Authentication </li></ul><ul><li>Confidentiality </li></ul><ul><li>Integrity </li></ul><ul><li>Interoperability </li></ul><ul><li>Extensibility </li></ul><ul><li>Relative Efficiency </li></ul>
    9. SSL - Benefits <ul><li>Employ granular access control. </li></ul><ul><li>Extend remote access capabilities. </li></ul><ul><li>Well engineered for PDAs, WiFi laptops and mobiles. </li></ul><ul><li>Best suited for e-transactions such as banking. </li></ul><ul><li>Key Selling Point : Easier installation and maintenance results in higher cost-savings. </li></ul>
    10. SSL – Open Source Packages <ul><li>OpenSSL (www.openssl.org) </li></ul><ul><ul><li>A toolkit implementing SSL v2/v3 and TLS v1.0 (SSL v2 is broken and should be disabled in any deployment) </li></ul></ul><ul><li>mod_ssl </li></ul><ul><ul><li>Apache interface to OpenSSL </li></ul></ul><ul><li>Apache-SSL </li></ul><ul><ul><li>An alternative to mod_ssl </li></ul></ul><ul><li>OpenVPN </li></ul><ul><ul><li>An SSL VPN solution </li></ul></ul>
    11. SSL Limitations <ul><li>Mainly web-based applications can be accessed. </li></ul><ul><li>Complicates applications such as file sharing, automated file transfers and scheduled file backups. </li></ul><ul><li>Customization of applications is difficult. </li></ul><ul><li>Lacks the transparent security for all applications that IP Sec provides. </li></ul>
    12. IP Sec - Overview <ul><li>IP Sec is designed to provide interoperable, high quality, cryptographically-based security for IPv4 and IPv6 (RFC 2401). </li></ul>
    13. IP Sec – Protocols & Modes <ul><li>Protocols </li></ul><ul><ul><li>Authentication Header (AH) </li></ul></ul><ul><ul><li>Encapsulating Security Payload (ESP) </li></ul></ul><ul><li>Modes </li></ul><ul><ul><li>Transport Mode </li></ul></ul><ul><ul><li>Tunnel Mode </li></ul></ul>
    14. IP Sec - Promises <ul><li>Access control </li></ul><ul><li>Data origin authentication </li></ul><ul><li>Integrity </li></ul><ul><ul><li>Connectionless integrity </li></ul></ul><ul><ul><li>Partial sequence integrity (anti-replay: a sliding window over the sequence number rejects duplicates and packets older than the window) </li></ul></ul><ul><li>Confidentiality </li></ul><ul><ul><li>Data flow confidentiality </li></ul></ul><ul><ul><li>Limited traffic flow confidentiality </li></ul></ul>
    15. IP Sec - Promises <ul><li>Perfect forward secrecy </li></ul><ul><ul><li>To provide PFS, a fresh Diffie-Hellman exchange is performed every time the IP Sec keys are negotiated (in IKE Quick Mode), so session keys never derive solely from the long-lived IKE SA secret. </li></ul></ul><ul><ul><li>Caution : </li></ul></ul><ul><ul><ul><li>There is a definite overhead associated with doing a D-H exchange at each re-key interval. </li></ul></ul></ul><ul><ul><ul><li>If the data requires such security it is an appropriate price to pay, but if it doesn't, it could be excessive. </li></ul></ul></ul>
    16. IP Sec - Benefits <ul><li>&quot; Always On &quot; protection for all applications independent of user intervention. </li></ul><ul><li>Consistent security for each client or end user residing on each remote computer. </li></ul><ul><li>Stronger security: mutual authentication of the peers defeats </li></ul><ul><ul><li>Man-in-the-Middle attacks </li></ul></ul><ul><ul><li>and anti-replay windows plus IKE cookies blunt, but do not eliminate, denial of service (DoS) attacks </li></ul></ul><ul><li>Extra hardware devices (crypto accelerators) can be used to improve the efficiency. </li></ul>
    17. IP Sec – Open Source Packages
    18. IP Sec - Limitations <ul><li>IP Sec does not pass through firewalls unless they are explicitly configured for it. </li></ul><ul><ul><li>Note : </li></ul></ul><ul><ul><ul><li>IKE uses UDP port 500 for the initial negotiation (UDP port 4500 when NAT-T is in use) </li></ul></ul></ul><ul><ul><ul><li>and then IP protocol 50 (ESP) or 51 (AH) for the protected traffic; these carry no port numbers, so port-based rules never match them. </li></ul></ul></ul><ul><ul><li>Tip : </li></ul></ul><ul><ul><li> Add these lines to the iptables rules for the chain the traffic traverses (xxx): </li></ul></ul><ul><ul><ul><ul><li>'iptables -A xxx -p udp --dport 500 -j ACCEPT' </li></ul></ul></ul></ul><ul><ul><ul><ul><li>'iptables -A xxx -p udp --dport 4500 -j ACCEPT' </li></ul></ul></ul></ul><ul><ul><ul><ul><li>'iptables -A xxx -p 50 -j ACCEPT' </li></ul></ul></ul></ul><ul><ul><ul><ul><li>'iptables -A xxx -p 51 -j ACCEPT' </li></ul></ul></ul></ul>
    19. IP Sec - Limitations <ul><li>NAT modifies the IP addresses in the packet, which directly violates the packet integrity assurance provided by IP Sec (AH authenticates the addresses; ESP does not, but a NAT still cannot track ESP flows because ESP carries no port numbers). </li></ul><ul><ul><li>Tip : </li></ul></ul><ul><ul><ul><li>Perform NAT before applying IP Sec: on the same gateway, translate the packet first and then encapsulate it. </li></ul></ul></ul><ul><ul><ul><li>At home or small offices, let the cable or DSL router perform NAT and use IP Sec NAT-T (ESP in UDP, port 4500) on the client systems; AH cannot be used across a NAT at all. </li></ul></ul></ul>
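The interaction between NAT and the two IP Sec protocols, as an added example (not code from the slides) that also illustrates the NAT-T remark in the notes above: a toy packet is protected once with AH, whose ICV covers the IP header with only the mutable fields (TOS, flags/fragment offset, TTL, checksum) zeroed, and once with transport-mode ESP, whose ICV covers only the ESP header and payload; a simulated NAT then rewrites the source address. The key, SPI, the use of HMAC-SHA256 truncated to 96 bits, and the XOR stand-in for encryption are constructed assumptions.

```python
import hashlib
import hmac
import socket
import struct

KEY = bytes(range(32))        # constructed demo key; a real SA gets its keys from IKE
SPI = 0x00001234              # constructed
SEQ = 1
ICV_LEN = 12                  # 96-bit truncated ICV (RFC 2404 does this for HMAC-SHA1;
                              # SHA-256 is an assumption here)


def ipv4_checksum(hdr: bytes) -> int:
    """Ones-complement header checksum; the checksum field in hdr must be zero."""
    s = sum(struct.unpack("!10H", hdr[:20]))
    s = (s >> 16) + (s & 0xFFFF)
    s += s >> 16
    return (~s) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def icv(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()[:ICV_LEN]


def ah_immutable_view(ip_hdr: bytes) -> bytes:
    """AH authenticates the IP header with the mutable fields zeroed: TOS,
    flags/fragment offset, TTL and checksum. The addresses stay in, and those
    are exactly what a NAT rewrites."""
    h = bytearray(ip_hdr)
    h[1] = 0
    h[6:8] = b"\x00\x00"
    h[8] = 0
    h[10:12] = b"\x00\x00"
    return bytes(h)


def ah_protect(ip_hdr: bytes, payload: bytes) -> bytes:
    # next header 6 (TCP); payload len 4 = 24 bytes of AH in 32-bit words minus 2
    ah_hdr = struct.pack("!BBHII", 6, 4, 0, SPI, SEQ)
    tag = icv(ah_immutable_view(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload)
    return ah_hdr + tag + payload


def ah_verify(ip_hdr: bytes, ah_pkt: bytes) -> bool:
    ah_hdr, tag, payload = ah_pkt[:12], ah_pkt[12:12 + ICV_LEN], ah_pkt[12 + ICV_LEN:]
    expected = icv(ah_immutable_view(ip_hdr) + ah_hdr + b"\x00" * ICV_LEN + payload)
    return hmac.compare_digest(tag, expected)


def esp_protect(payload: bytes) -> bytes:
    """Transport-mode ESP: the ICV covers SPI, sequence number and the payload
    (XOR-scrambled here as a stand-in for real encryption), never the outer IP header."""
    esp_hdr = struct.pack("!II", SPI, SEQ)
    ciphertext = bytes(b ^ 0x5A for b in payload)
    return esp_hdr + ciphertext + icv(esp_hdr + ciphertext)


def esp_verify(ip_hdr: bytes, esp_pkt: bytes) -> bool:
    body, tag = esp_pkt[:-ICV_LEN], esp_pkt[-ICV_LEN:]
    return hmac.compare_digest(tag, icv(body))      # ip_hdr deliberately unused


def nat_rewrite(ip_hdr: bytes, new_src: str) -> bytes:
    """What a NAT router does on the way out: new source address, TTL-1, checksum fixed."""
    h = bytearray(ip_hdr)
    h[12:16] = socket.inet_aton(new_src)
    h[8] -= 1
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ipv4_checksum(bytes(h)))
    return bytes(h)


def demo() -> dict:
    payload = b"constructed TCP segment"                  # constructed sample
    ah_ip = ipv4_header("10.0.0.5", "203.0.113.9", 51, 12 + ICV_LEN + len(payload))
    ah_pkt = ah_protect(ah_ip, payload)
    esp_ip = ipv4_header("10.0.0.5", "203.0.113.9", 50, 8 + len(payload) + ICV_LEN)
    esp_pkt = esp_protect(payload)
    natted = "198.51.100.1"
    return {
        "ah_before_nat": ah_verify(ah_ip, ah_pkt),
        "ah_after_nat": ah_verify(nat_rewrite(ah_ip, natted), ah_pkt),
        "esp_after_nat": esp_verify(nat_rewrite(esp_ip, natted), esp_pkt),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:15s} verifies: {ok}")
```

The TTL decrement alone would not break AH, since TTL is zeroed before the ICV is computed; the source address change does. ESP survives the rewrite, but the NAT has no port numbers to build a translation entry from, and in transport mode the inner TCP checksum (which covers the original address) is now wrong, which is why NAT-T wraps ESP in UDP on port 4500 rather than relying on ESP's header-independence alone.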
    20. IP Sec - Limitations <ul><li>Weaker when administrators choose a non-certificate option such as a pre-shared password or tokens; a weak pre-shared key negotiated in IKE aggressive mode can be attacked offline. </li></ul><ul><li>Vendors tend to offer alternatives such as Extended Authentication (XAUTH) and L2TP over IPSec to add user-level authentication. </li></ul><ul><li>IPSec VPNs tend to be deployed with less granular access controls. </li></ul>
    21. IP Sec - Limitations <ul><li>It is a time-consuming chore for administrators to configure individual and group access rules. </li></ul><ul><li>Maintenance cost is high, which adds to overall costs. </li></ul><ul><li>Provides only machine authentication unless user authentication is layered on top (XAUTH, L2TP). </li></ul><ul><li>It can be slower, as its per-packet cryptographic operations are CPU-intensive unless offloaded to hardware. </li></ul>
    22. Latency Analysis
    23. CASE STUDIES
    24. Case #1 <ul><li>Requirements </li></ul><ul><ul><li>An organization with a single office location is planning to open a small remote office, which includes identifying any needs to protect network communications. </li></ul></ul><ul><ul><li>The remote office will need to access several IT resources located at the main office, including the organization's email, intranet web server, databases and file servers, as well as several business applications. </li></ul></ul>
    25. Case #1 – Continued .. <ul><li>Requirements </li></ul><ul><ul><li>Communication with most of the IT resources will involve transfer of sensitive data between systems. </li></ul></ul><ul><ul><li>Currently communication is always initiated by the remote office; in future it may be required to protect communications initiated by the main office as well. </li></ul></ul><ul><ul><li>Thus the organization is required to provide a secure solution in a cost-effective manner. </li></ul></ul>
    26. Case #2 <ul><li>Requirements : </li></ul><ul><ul><li>A marketing company has its salesmen roaming all over the country. The salesmen need to communicate with the main office very often. </li></ul></ul><ul><ul><li>Salesmen need to access their email and certain parts of the company website to get the latest information on the products and their cost. </li></ul></ul><ul><ul><li>Communication should be secure in a cost-effective manner and should involve minimal changes to the infrastructure. </li></ul></ul>
    27. Solutions for both cases Image Source : TechTarget
    28. Conclusions
    29. THE MATRIX
    31. IP Sec , SSL or Combination ? <ul><li>What type of access do users require ? </li></ul><ul><ul><li>If they need permanent, always-on access </li></ul></ul><ul><ul><li>If they are mobile workers needing casual or on-demand access </li></ul></ul><ul><li>Are users your employees or not ? </li></ul><ul><ul><li>If all your users are employees </li></ul></ul><ul><ul><li>If not all your users are employees </li></ul></ul>
    32. <ul><li>Is it important to have future scalability ? </li></ul><ul><ul><li>If it's critical to easily add or change applications later </li></ul></ul><ul><ul><li>If it is required for the currently running applications alone </li></ul></ul><ul><ul><li>If both considerations are important </li></ul></ul><ul><li>What level of access control is required ? </li></ul><ul><ul><li>If you want to grant access to all apps & resources </li></ul></ul><ul><ul><li>If you want to control access to specific applications </li></ul></ul><ul><ul><li>If you want variable levels of access control </li></ul></ul>IP Sec , SSL or Combination ?
    33. <ul><li>How easy is deployment at client workstations ? </li></ul><ul><ul><li>If client workstations are easily accessible and configurable </li></ul></ul><ul><ul><li>If you have no control over your clients </li></ul></ul><ul><ul><li>If you have both types of clients </li></ul></ul><ul><li>What is the budget allocated ? </li></ul><ul><ul><li>If it is possible to deploy IP Sec clients and maintain them </li></ul></ul><ul><ul><li>If deployment and maintenance is tough </li></ul></ul>IP Sec , SSL or Combination ?
    34. Bottom Line <ul><li>A careful evaluation, based on the factors mentioned previously, is a necessity for any organization looking to bolster secure, remote connectivity through the use of a VPN. </li></ul>
    35. I'm trying to free your mind, Neo. But I can only show you the door. You're the one that has to walk through it. -- Morpheus
    36. Resources <ul><li>SSL </li></ul><ul><ul><li>OpenSSL (www.openssl.org) </li></ul></ul><ul><ul><li>mod_ssl (www.modssl.org) </li></ul></ul><ul><ul><li>OpenVPN (www.openvpn.org) </li></ul></ul><ul><ul><li>SSL 3.0 specification </li></ul></ul><ul><li>IPSEC </li></ul><ul><ul><li>KAME tools </li></ul></ul><ul><ul><li>FreeS/WAN </li></ul></ul><ul><ul><li>RFC 2401 </li></ul></ul><ul><li>Benchmarking </li></ul><ul><ul><li>siege </li></ul></ul>
    37. Contact <ul><ul><li>email : [email_address] </li></ul></ul><ul><ul><li>[email_address] </li></ul></ul>
    38. Latency Analysis of SSL vs IPSec Traffic
    39. IP Sec - Overview