1930 Views | 0 Helpful | 3 Replies

IPSec vs. SSL

etms
Level 1

I am looking into running “private” applications via the Internet. Obviously, I have been working with IPSec / VPN techniques. I am intrigued by SSL however, as some of the applications are web based. The idea of having SSL built right into a browser sounds very convenient, and there seems to be sufficient robustness and modularity built into the SSL standard. What confuses me a bit is how the client can be restricted and authenticated. It seems as though SSL is biased more toward server authentication. I am equally concerned about allowing access to a select few clients. What options do I have to limit the web application to a select list?

3 Replies

ciscomoderator
Community Manager

Thank you for your post to the Networking Professionals Connection message board. The issue of authentication you present may be of interest to many of our community members. If any of our members have an idea or solution for ETMS, please feel free to post it here as a reply to the original message.

Thanks for your participation.

Cisco Moderator

samalik
Level 1

IPSec clients work on the IP layer. The authentication occurs via IKE. It can best be done using digital certificates. When the client is started it gets authenticated on the VPN gateway to which it is connecting.

fdrewes
Level 1

We have had a similar discussion at our company. We have client-server applications we need to host for customers. Since security has just become an important issue, most of the apps have no inherent security. Our plan is to provide IPSec VPNs while the developers get the same functionality (SSL et al.) into the apps themselves. Once that's done, we can drop the IP-layer VPN and let the apps handle this themselves.

The downside for IPSec is that you need to get network admins to agree to do IPSec with you (difficult if you don't have any influence with the other company or they don't have the hardware or skill to do it). It usually involves some network reconfigs that can be painful or politically difficult (been there...). There can also be some incompatibilities that IPSec adds (MTU etc.) that might need to be worked around.

As for restricting clients, you can do IOS ACLs if all the clients are from known addresses (almost never a reality) or require a strong authentication (token-based or other one-time method), which is what we're doing.
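On the original question (can SSL restrict and authenticate the client?) and fdrewes's point about limiting access to a select list: TLS does support client authentication, because the server can demand a client certificate during the handshake and then check which identity was presented. The following is an added example written for this thread, not code from any poster; it assumes a private CA that issues certificates only to the chosen clients, and the CA path and the allow list of subject names are placeholders.

```python
"""Limit a TLS (SSL) web application to a short list of known clients.

Gate 1 (handshake): the server requires a client certificate that chains to
our private CA (ssl.CERT_REQUIRED), so anonymous browsers are refused.
Gate 2 (application): the certificate's subject CN is compared with an
explicit allow list, so a certificate from the same CA that belongs to
someone else is still refused.
"""
import ssl
from typing import Optional

# Constructed allow list: subject CNs of the only clients permitted.
ALLOWED_CLIENT_CNS = frozenset({"alice.example.com", "bob.example.com"})


def make_server_context(client_ca: Optional[str] = None) -> ssl.SSLContext:
    """Server context that fails the handshake unless a valid client cert is shown.

    client_ca is a placeholder path to the private CA that issued client certs;
    the server's own certificate is loaded separately with load_cert_chain().
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_ca is not None:
        ctx.load_verify_locations(cafile=client_ca)  # trust only our private CA
    ctx.verify_mode = ssl.CERT_REQUIRED              # no client cert -> no session
    return ctx


def subject_cn(peer_cert: dict) -> Optional[str]:
    """Pull the subject commonName out of ssl.SSLSocket.getpeercert() output."""
    for rdn in peer_cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def client_allowed(peer_cert: Optional[dict], allowed=ALLOWED_CLIENT_CNS) -> bool:
    """Second gate: the handshake proved the chain; now check the identity itself."""
    if not peer_cert:  # nothing presented (getpeercert() returns None/{} then)
        return False
    cn = subject_cn(peer_cert)
    return cn is not None and cn in allowed


# Constructed peer certificates in getpeercert() layout, as a handshake would yield.
ALICE = {"subject": ((("organizationName", "Example"),), (("commonName", "alice.example.com"),)),
         "issuer": ((("commonName", "Example Private CA"),),)}
MALLORY = {"subject": ((("commonName", "mallory.example.com"),),)}
```

In the request handler, call `client_allowed(conn.getpeercert())` on the socket returned by `ctx.wrap_socket(sock, server_side=True)` and close the connection when it returns False.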