Should I use IPSec or SSL VPN?
I just received a request from a client for an SSL VPN.
He wants to get his work laptop and have the ability to connect to a server on the local network. This is a new client who is not particularly savvy about networks and computers, so he is looking for something that he can configure himself.
My first question is, what is the best type of connection for this kind of thing? I was thinking IPSec but if anyone has experience with both I would appreciate their recommendations. My second question is, is there any way to connect to a server like this without going through a server on the local network? Thanks for your time!
P. The software he wants is ProximWare vPN Client 1.0 (or something like that) and he wants it to be able to connect directly to the internet. It's a Windows-only solution. When I put the "I" before IPSec, I meant IPSEC. I'm not really sure how well that works.
You should absolutely use SSL VPN. It makes it extremely easy for him to connect to a secure VPN tunnel. Then you can have the local server be a web server. The web server could have some sort of certificate for SSL to sign it. The client would then be able to log in to it by entering the server's IP address and SSL certificate in the browser.
However, there is nothing stopping him from doing what you suggest and purchasing the same Proxim software and connecting to a server on the local network. Then, as long as the web server is accessible via port 80, he can simply point his web browser at the server's IP address.
I would advise not doing that because:
1) The security of the connection won't be very good because it's not over a VPN.
2) The software vendor isn't going to have tested to ensure that it will work with any other server configuration.
3) The user is opening up his server to the public internet, and using SSL to protect the connection. That's not too much of a concern because any bad guy would need to compromise the computer he's using to open the browser.
If you're able to convince him to use SSL VPN, that's great. There are free solutions available. It's just a matter of convincing him of its benefits.
What is a disadvantage of a VPN that uses SSL instead of IPSec?
I already do IPSec on my router.
I am sure that when I connect my network device, and my wireless router is connected to my modem with a VPN, it will send its data encrypted over the VPN. That's why I want to use SSL, because it's a lot more secure.
So what is the difference between using SSL and IPSec, and how can I benefit from using SSL over IPSec?
IPSec is end-to-end (e2e) encryption, so in your case the VPN-client will encrypt the packets that it sends to the VPN-server and the VPN-server will decrypt and then forward it further to the internet. SSL works just fine for you if you are only using the VPN-client and you don't want to use e2e encryption at all, since there is no other device involved. A problem is that if the VPN-server has a MITM-attack, which re-encrypts the traffic and forwards it to another VPN-server, then the two VPN-servers will behave as if they had an e2e-encrypted connection between each other. An example of such a MITM attack could be a rogue Wi-Fi AP in the same LAN as your router, that will simply accept all traffic and re-encrypt it and forward it to the real destination. You can get rid of this problem by using IPSec, but you need an IPSec-capable router and also a compatible VPN-server (both of them must support IPSec).
EDIT: If you connect the VPN-client to the VPN-server directly, then you don't need to have an IPSec-capable router. The VPN-server does not need to be e2e-enabled.
What are the primary advantages of SSL over IPSec?
Tagged: dns.
I work for an ISP in the UK and we've just received a letter from our registrar, who's listed us as one of their domain hosting customers. The letter seems to imply that due to a recent change of our DNS records - we changed hostnames rather than IP addresses, and also changed the IPs used in our DNS records - the registrar had to be contacted to sort out a small flaw in the domain registration. After the registrar confirmed the new settings, we were able to continue as normal.
We also know that the person at the registrar did change the IPs on the client's webserver. They didn't use the standard way of doing this - they updated it all at once, and then tested that it worked, without contacting them again. Unfortunately this means that the web server on the client's website still has old IP addresses on it, and so can be accessed by anyone who knows how to get the IP addresses, even though the ISP has moved to new IP addresses.
The first of two concerns is that the client may not have the DNS infrastructure in place to redirect all their web pages to the new IP addresses. If their web pages are simply using the names to access the correct IP address, then this won't matter much, but if they're using DNS for that - well, it's unlikely that they'll have done that correctly.
The second is that since the hostnames on their site haven't yet been changed, there's a lot of traffic from web browsers trying to reach the old IP address, which results in their site failing to load until the hostname issue has been resolved. In an extreme case, if a large number of machines (thousands) have tried accessing the page, it could be quite a while before it's been resolved (and that's assuming they actually use their DNS servers instead of looking up the IP address themselves). And if someone sends spam to these people using a script which sends lots of emails, then that could become a real problem.
I'm going to add a blog entry on the first of these matters, but I thought I'd ask you whether you think it would be more appropriate to contact the client directly - do you think it would be more beneficial for them to resolve the issue themselves, or is the registrar better equipped to do that?