Comparison between IPsec and SSL


1. Differences between IPsec and SSL in the underlying protocol

In short, SSL and IPsec are both encrypted communication protocols, but they protect different things: IPsec protects IP packets on any IP network, while SSL (today standardized as TLS) protects the byte stream of a TCP connection. Each has its own features and benefits.

IPsec is a network-layer protocol suite (AH, ESP and IKE) that secures IP communication. SSL sits above TCP, between the transport and application layers; it was originally designed to secure web traffic on the Internet.

IPsec defines tunneling, encryption and authentication mechanisms that protect the integrity, confidentiality and authenticity of data crossing a public network. It is a high-quality, cryptography-based security mechanism that works the same way for IPv4 and IPv6. The services it provides (RFC 4301) are access control, connectionless integrity, data origin authentication, anti-replay protection (rejection of retransmitted packets), confidentiality through encryption, and limited traffic-flow confidentiality.
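The anti-replay service is the one of these that is easiest to show concretely. The following Python is an added illustration, not code from the original post or from any vendor's IPsec stack: it implements the sliding-window check that an ESP receiver runs on the cleartext sequence number (the algorithm from RFC 4303 Appendix A) and feeds it a hand-constructed packet sequence containing an in-order run, a replayed packet, a large jump, and a packet that has fallen out of the window. The ICV verification that a real receiver performs before updating the window is assumed to have passed and is not implemented here.

```python
"""IPsec ESP anti-replay check (sliding window, RFC 4303 Appendix A).

Added illustration, not code from the original post or any vendor's IPsec
implementation.  The packets are constructed by hand: a minimal ESP header
(SPI, sequence number) followed by dummy payload.  A real receiver verifies
the ICV before calling update(); that step is assumed to succeed here.
"""
import struct

ESP_HEADER = struct.Struct("!II")   # SPI (32 bits), sequence number (32 bits)


class ReplayWindow:
    """Sliding window over the most recent `size` sequence numbers of one SA."""

    def __init__(self, size: int = 64):
        self.size = size
        self.mask = (1 << size) - 1
        self.top = 0        # highest sequence number accepted so far
        self.bitmap = 0     # bit i set  =>  sequence number (top - i) was seen

    def check(self, seq: int) -> bool:
        """True if `seq` is acceptable: never seen and not older than the window."""
        if seq == 0:                        # first value sent on the wire is 1
            return False
        if seq > self.top:                  # newer than anything seen: accept
            return True
        diff = self.top - seq
        if diff >= self.size:               # fell off the left edge: too old
            return False
        return not (self.bitmap >> diff) & 1   # bit already set => replay

    def update(self, seq: int) -> None:
        """Record `seq` (only after its ICV has been verified in real ESP)."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.size:          # whole window slides past: start over
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)


def parse_esp_header(packet: bytes):
    """Return (spi, seq) from the cleartext ESP header."""
    if len(packet) < ESP_HEADER.size:
        raise ValueError("truncated ESP header")
    return ESP_HEADER.unpack_from(packet)


def build_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed test packet: ESP header plus dummy encrypted payload."""
    return ESP_HEADER.pack(spi, seq) + payload


def process(packets, window_size: int = 64):
    """Run one SA's packets through the replay check; return (seq, accepted) per packet."""
    window = ReplayWindow(window_size)
    results = []
    for pkt in packets:
        _spi, seq = parse_esp_header(pkt)
        ok = window.check(seq)
        if ok:
            window.update(seq)
        results.append((seq, ok))
    return results


# Constructed sequence: in order, a replay of 2, a jump to 100, 30 is now too
# old (100 - 30 >= 64), 37 is still inside the window, 100 again is a replay.
SAMPLE = [build_esp(0x1000, s) for s in (1, 2, 3, 2, 100, 30, 37, 100)]

if __name__ == "__main__":
    for seq, ok in process(SAMPLE):
        print(f"seq={seq:4d}  {'accept' if ok else 'REJECT (replay or outside window)'}")
```

Note that the sequence number is sent in the clear precisely so the receiver can discard replays before spending CPU on decryption; the window only advances for packets whose ICV verified, otherwise an attacker could push it forward with forged packets and cause legitimate ones to be dropped.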

SSL uses public-key cryptography to authenticate the server (and optionally the client) and to agree on a session key; the application data itself is then encrypted with a symmetric cipher under that key. SSL is a higher-layer protocol that is established by the application rather than by the IP stack. An SSL VPN uses the SSL protocol and a proxy to expose HTTP applications, client/server applications and shared files to end users, so that only users who pass the security policy's authentication can reach the specified resources.

SSL was designed to protect HTTP. When both the browser and the web server support it, SSL provides a 'secure socket' that protects the HTTP data stream between browser and server; it does not protect the IP packets that carry that stream. The two protocols therefore differ in design. First, IPsec is centered on the network layer, while SSL is centered on the application layer. Second, IPsec requires dedicated client software, while SSL only needs an SSL-capable browser on the client. Finally, SSL VPNs were built from the start for mobile and remote users, whereas IPsec was not.

2. Differences between IPsec and SSL in connection mode

IPsec VPN was originally designed for site-to-site communication between an enterprise's offices. When enterprises extended it to remote-access users, the IPsec standards had to be extended as well (for example with user authentication and NAT traversal).

IPsec VPN gives direct (non-proxied) access through a tunnel between two sites, so the whole remote network is transparently reachable. Once the tunnel is up, the user's terminal behaves as if it were plugged directly into the enterprise LAN. This requires compatible software and hardware at both ends; although IPsec is standardized, interoperability between vendors' implementations is often poor in practice, so both ends of the tunnel usually have to run the same vendor's software. An enterprise deploying IPsec VPN therefore has to dictate the technology used at both ends of the tunnel, and few companies can or want to force that choice on partners and customers, which limits where IPsec VPN can be used.

Compared with IPsec VPN, SSL VPN lets an enterprise serve more remote users in more locations, gives access to more network resources, and makes few demands on the client device, which lowers configuration and support costs. Many enterprises adopt SSL VPN as their remote secure-access technology precisely because of this convenient access.

SSL VPN provides enhanced remote secure access. In IPsec VPN access mode the user's terminal is effectively connected directly to the enterprise LAN, which carries real security risk, especially when the user holds high privileges. SSL VPN instead provides secure, proxied connections: only authenticated users reach resources at all. An SSL VPN can also split the encrypted tunnel so that end users reach Internet and intranet resources at the same time; that is, the SSL VPN is controllable. In addition, the SSL VPN can refine access control per user, making it easy to grant different users different rights and to scale access. This fine-grained, per-resource control is very hard to achieve with IPsec VPN, whose policy is expressed as packet selectors (addresses, protocol, ports) and has no notion of users or application resources.
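The difference in granularity comes from what each policy can see. The Python below is an added illustration (not the post's code and not any vendor's product) that evaluates the same remote-user request against two constructed policies: an IPsec Security Policy Database entry keyed on the RFC 4301 selectors (remote network, protocol, port), and an SSL VPN proxy ACL keyed on the authenticated user's role and the URL path. The user names, roles, networks and paths are all invented for the example.

```python
"""Policy granularity: IPsec SPD selectors versus an SSL VPN proxy ACL.

Added illustration, not code from the original post or from any VPN product.
All networks, users, roles and paths are constructed for the example.
"""
import ipaddress
from urllib.parse import urlsplit

# --- IPsec side: Security Policy Database (RFC 4301 selectors) --------------
# Once the tunnel is up, the only things the policy can match are header fields.
IPSEC_SPD = [
    # (remote network, protocol, destination port, action)
    (ipaddress.ip_network("10.0.0.0/8"), "tcp", 443, "PROTECT"),   # send through the tunnel
    (ipaddress.ip_network("0.0.0.0/0"),  "any", None, "BYPASS"),   # split tunnel: go direct
]


def ipsec_decide(dst_ip: str, proto: str, dport: int) -> str:
    """First-match lookup in the SPD; no user or URL is available at this layer."""
    addr = ipaddress.ip_address(dst_ip)
    for net, sel_proto, sel_port, action in IPSEC_SPD:
        if addr in net and sel_proto in ("any", proto) and sel_port in (None, dport):
            return action
    return "DISCARD"


# --- SSL VPN side: proxy ACL on authenticated identity plus resource ---------
USERS = {"alice": "finance", "bob": "staff"}          # constructed identity store
SSLVPN_ACL = [
    # (role, HTTP method, path prefix, action); first match wins
    ("finance", "GET", "/hr/payroll", "allow"),
    ("finance", "GET", "/wiki",       "allow"),
    ("staff",   "GET", "/wiki",       "allow"),
    ("*",       "*",   "/",           "deny"),        # default deny
]


def sslvpn_decide(user: str, method: str, url: str) -> str:
    """The proxy terminates TLS, so it knows who is asking and for what."""
    role = USERS.get(user)
    if role is None:
        return "deny (unauthenticated)"
    path = urlsplit(url).path
    for acl_role, acl_method, prefix, action in SSLVPN_ACL:
        if acl_role in ("*", role) and acl_method in ("*", method) and path.startswith(prefix):
            return action
    return "deny"


def compare(user: str, method: str, url: str, dst_ip: str, dport: int) -> dict:
    """Same request, as each technology sees it."""
    return {
        "ipsec": ipsec_decide(dst_ip, "tcp", dport),
        "sslvpn": sslvpn_decide(user, method, url),
    }


if __name__ == "__main__":
    for user in ("alice", "bob"):
        print(user, compare(user, "GET", "https://intranet.example/hr/payroll", "10.1.2.3", 443))
```

For the payroll URL the SPD answer is PROTECT for both users: the packet is to 10.1.2.3:443, and that is all IPsec knows, so any per-user restriction has to be enforced somewhere behind the tunnel. The proxy ACL allows alice and denies bob from the same request. Note that split tunneling itself (the BYPASS entry) is available to IPsec too; what it cannot do is split by user or by URL.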

SSL VPN is not restricted by access location: network resources can be reached from many kinds of Internet-connected device at any remote site. SSL VPN traffic rides on standard TCP (or, with DTLS, UDP) ports, so it traverses practically all NAT devices, proxy-based firewalls and stateful inspection firewalls, and users can connect from anywhere. IPsec, by contrast, carries ESP as its own IP protocol (number 50) with no port numbers, so it needs NAT traversal (UDP encapsulation on port 4500) and explicit firewall rules for IKE and ESP, and it is hard to deploy in even a slightly complex network topology. In addition, SSL VPN can be used from managed enterprise devices or from unmanaged devices such as home PCs and public Internet kiosks, whereas an IPsec VPN client can only be used from managed or fixed devices. As remote-access demand grows, remote-access IPsec VPN is seriously challenged on access control and carries high management and running costs. It remains the best solution for site-to-site connections; for remote secure access from any location, SSL VPN is the better fit.
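The NAT problem is visible on the wire. The Python below is an added illustration (not code from the post or any IPsec implementation) of RFC 3948 UDP encapsulation: a NAT rewrites UDP ports, ESP has none, so ESP is wrapped in UDP/4500; IKE shares that port, so IKE messages are prefixed with a four-byte zero "non-ESP marker" (an ESP SPI is never zero), and a one-byte 0xFF keepalive holds the NAT binding open. The example builds a datagram, simulates the NAT's port rewrite, and demultiplexes it the way the receiving peer does. All packets are constructed; an SSL VPN on TCP/443 needs none of this because TCP already carries ports.

```python
"""IPsec NAT traversal on the wire: UDP encapsulation of ESP (RFC 3948).

Added illustration, not code from the original post or any vendor's IPsec
stack.  Every datagram here is constructed by hand.
"""
import struct

NAT_T_PORT = 4500
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefix that distinguishes IKE from ESP on 4500
KEEPALIVE = b"\xff"                    # NAT-keepalive payload
UDP_HEADER = struct.Struct("!HHHH")    # source port, dest port, length, checksum
ESP_HEADER = struct.Struct("!II")      # SPI, sequence number


def make_esp(spi: int, seq: int, payload: bytes = b"\x00" * 16) -> bytes:
    """Constructed ESP packet: header plus dummy encrypted payload."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved; it would collide with the non-ESP marker")
    return ESP_HEADER.pack(spi, seq) + payload


def encapsulate_ike(ike_message: bytes) -> bytes:
    """IKE on port 4500 carries the non-ESP marker first."""
    return NON_ESP_MARKER + ike_message


def udp_wrap(payload: bytes, sport: int = NAT_T_PORT, dport: int = NAT_T_PORT) -> bytes:
    """Minimal UDP datagram. RFC 3948 says the IPv4 checksum SHOULD be sent as zero."""
    return UDP_HEADER.pack(sport, dport, UDP_HEADER.size + len(payload), 0) + payload


def udp_unwrap(datagram: bytes):
    """Return (sport, dport, payload) from a UDP datagram."""
    sport, dport, length, _csum = UDP_HEADER.unpack_from(datagram)
    if length != len(datagram):
        raise ValueError("UDP length mismatch")
    return sport, dport, datagram[UDP_HEADER.size:]


def nat_rewrite_sport(datagram: bytes, new_sport: int) -> bytes:
    """What a NAT does to outbound traffic: rewrite the source port.

    It can do this only because there *is* a UDP port to rewrite; bare ESP
    (IP protocol 50) offers no such field, which is why encapsulation exists.
    """
    return struct.pack("!H", new_sport) + datagram[2:]


def demux_udp4500(payload: bytes):
    """Classify a UDP/4500 payload the way the receiving IPsec peer does."""
    if payload == KEEPALIVE:
        return ("keepalive",)
    if payload.startswith(NON_ESP_MARKER):
        return ("ike", payload[len(NON_ESP_MARKER):])
    if len(payload) < ESP_HEADER.size:
        raise ValueError("truncated UDP-encapsulated ESP")
    spi, seq = ESP_HEADER.unpack_from(payload)
    return ("esp", spi, seq)


def traverse_nat(esp_packet: bytes, nat_port: int):
    """Send ESP through a simulated NAT and demux it at the far end."""
    on_the_wire = nat_rewrite_sport(udp_wrap(esp_packet), nat_port)
    sport, dport, payload = udp_unwrap(on_the_wire)
    return (sport, dport), demux_udp4500(payload)


if __name__ == "__main__":
    ports, kind = traverse_nat(make_esp(0x1000, 5), nat_port=61000)
    print("after NAT:", ports, kind)
    print(demux_udp4500(encapsulate_ike(b"\x01\x02")))
    print(demux_udp4500(KEEPALIVE))
```

The receiver learns the NAT's translated port from IKE's NAT detection payloads and keeps sending keepalives so the mapping survives idle periods; those details are outside this example, which only shows why the encapsulation and marker are needed at all.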

3. Complementarity between IPsec and SSL in enterprise application

IPsec VPN is unmatched for direct LAN-to-LAN access. The typical SSL VPN, on the other hand, is considered best suited to ordinary remote employees accessing web-based applications. So when the task is to connect all remote employees and offices, SSL VPN is the natural first choice.

SSL VPN also needs no additional client software on end users' PCs and laptops, which is an important reason some companies choose SSL over IPsec. Other frequently cited SSL VPN benefits include lower deployment cost and lighter day-to-day support and management. And because all internal and external traffic usually passes through a single appliance, access to resources and URLs can be controlled centrally.

SSL is the easier way to meet most employees' needs for mobile connectivity. The cipher strength an SSL VPN actually gets depends on what the browser negotiates, and has historically been weaker than that of a dedicated IPsec client configured with strong suites; with modern TLS configurations the two are comparable. The real limitation is scope: in its clientless (browser and proxy) mode an SSL VPN only reaches resources that can be accessed through a web browser, and it has no architecture for instant messaging, multicast, data feeds, video conferencing or VoIP. So although deployment and support costs are relatively low, SSL VPN has real limitations, and IPsec VPN is needed in those areas.

The ideal arrangement is for the enterprise to connect headquarters and branches with IPsec VPN, so that the terminals at headquarters and in the branches sit on one logical LAN, and to provide SSL VPN access for mobile workers and employees on business trips. Using the two technologies in this complementary way gives a more sensible enterprise network design.

In general, IPsec VPN and SSL VPN each have advantages and disadvantages, and they complement each other well. Enterprises should choose VPN products based on their own applications.

