SSL VPN lacks in Anti-Replay Protection

gangadaran86
Level 1

Hi

Can someone help me to understand why SSL VPN lacks anti-replay attack protection?

Also, please let me know if there are any other security concerns in SSL VPN compared to IPSec VPN. Thanks for your time in advance.

Regards,

Gan

3 Replies

Marcin Latosiewicz
Cisco Employee

Gan,

Have a look at the RFC, I don't think it's fully the way you describe.

Sections 6.2.2 and 6.2.3 should be relevant.

(...)
   The MAC of the record also includes a sequence number so that
   missing, extra, or repeated messages are detectable.

M.

Hi Marcin,

Thanks for your time. I read the RFC and got to know that SSL VPN protects against replay attacks as well.

Can you please help me to understand which VPN is more secure, IPSec VPN or SSL VPN? And why?

Regards,

Gan

Gan,

I think you're looking at this the wrong way around.

Why don't you start with reading the security considerations part of the RFCs:

SSLv3:

http://tools.ietf.org/html/rfc6101#appendix-F

IPsec and IKE:

http://tools.ietf.org/html/rfc2409#page-28

http://tools.ietf.org/html/rfc4301#page-72

Also, I realized I quoted the TLS RFC, not SSL; here's a correction:

   To prevent message replay or modification attacks, the MAC is computed
   from the MAC secret, the sequence number, the message length, the
   message contents, and two fixed-character strings

(Section F.2 - part of appendix F)

Edit: you can also read about the IKEv2 security considerations, if you think IKEv1 is "not secure".

M.
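To make the quoted SSLv3 text concrete, here is an added example (not code from this thread or from Cisco) that reconstructs the record MAC from RFC 6101 section 5.2.3.1 and shows why a captured record cannot simply be delivered twice: the receiver's expected sequence number has already moved on, so the MAC no longer verifies. The MAC secret and record contents are constructed values.

```python
import hashlib
import hmac
import struct

# SSLv3 record MAC per RFC 6101 5.2.3.1 (SHA-1 variant):
#   hash(secret + pad2 + hash(secret + pad1 + seq_num + type + length + fragment))
# pad1/pad2 are the two fixed-character strings the quoted text refers to.
PAD1 = b"\x36" * 40   # 40 bytes for SHA-1 (48 for MD5)
PAD2 = b"\x5c" * 40

def sslv3_mac(mac_secret, seq_num, content_type, fragment):
    inner = hashlib.sha1(
        mac_secret + PAD1
        + struct.pack(">Q", seq_num)          # 64-bit record sequence number
        + bytes([content_type])               # e.g. 23 = application_data
        + struct.pack(">H", len(fragment))    # SSLCompressed.length
        + fragment
    ).digest()
    return hashlib.sha1(mac_secret + PAD2 + inner).digest()

class Receiver:
    """Tracks the read sequence number the way an SSL/TLS peer does."""
    def __init__(self, mac_secret):
        self.mac_secret = mac_secret
        self.expected_seq = 0

    def accept(self, content_type, fragment, mac):
        expected = sslv3_mac(self.mac_secret, self.expected_seq,
                             content_type, fragment)
        if not hmac.compare_digest(expected, mac):
            return False          # modified or replayed record: reject
        self.expected_seq += 1    # only advance on a verified record
        return True

def replay_demo():
    """Returns (first delivery accepted, identical replay accepted)."""
    secret = b"constructed-mac-secret"       # constructed, not a real key
    rx = Receiver(secret)
    rec = (23, b"GET /vpn/portal HTTP/1.1\r\n")   # constructed record
    mac0 = sslv3_mac(secret, 0, *rec)        # sender's MAC for seq 0
    first = rx.accept(*rec, mac0)            # receiver expects seq 0: ok
    replayed = rx.accept(*rec, mac0)         # receiver now expects seq 1
    return first, replayed
```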