IPsec vs. SSL

bignick

Senior member
Apr 30, 2001
Couldn't one use IPsec to replace SSL on a web/pop3 server?

My thinking is, that instead of having to buy SSL certificates, you could just setup the server to require IPsec on particular ports, or all ports if you really needed - all for "free".

Any downsides to using IPSec over SSL?
 

Saltin

Platinum Member
Jul 21, 2001
Any downsides to using IPSec over SSL

Downlevel clients (to my knowledge, maybe this has changed) like NT 4 and 9x cannot use IPsec. There is also substantial overhead associated with IPsec.

If you have a Windows 2000 Server, you can install Certificate Services and create your own certs. People connecting to the server will get a pop-up stating they have not decided to trust the CA yet, but they are given an option to install the cert into their root store, and even if they choose not to, it's still secured.
 

Nothinman

Elite Member
Sep 14, 2001
Any downsides to using IPSec over SSL?

The fact that I need a client to connect to your site?

SSL support is built in, or can be enabled easily with things like stunnel, for many applications already. You can't just drop the majority of your userbase, and trust me, you will lose the majority of them if you force them to use IPSec instead of SSL to save a few bucks.
 

bignick

Senior member
Apr 30, 2001
I don't disagree at all with any of the above statements. My organization is looking to use IPSec for all internal web traffic, and all external access into the POP server. We're mostly a Win2k shop (except for about 10%), so the majority have IPSec support.

I suggested getting a VPN only box for external access, but some of the others just want to use what we've already spent money on.

Thanks again for your input.

 

Saltin

Platinum Member
Jul 21, 2001
My organization is looking to use IPSec for all internal web traffic, and all external access into the POP server

That's a lot of overhead to secure internal traffic! Is the internal web traffic that important? Internally, SSL is definitely the better choice, especially when you can integrate your Root CA into Active Directory and publish the root cert to everyone.

I understand why you would want to secure the POP3 authentication/data though. If you use IPsec for that, you'll have to make sure no one tries to use a downlevel client from home...