Should you use SSL VPN?

We've talked about SSL/TLS in the past and how it's a common method for securing your traffic.

A few months ago, we shared with you the results of a survey that revealed that only 6% of all people used a VPN. That means that 94% don't, which is a problem, because going without a VPN is a good way to get caught up in a data breach. The reason is simple: users who don't secure their traffic are an easy target for hackers.

As a result of this survey, I took a closer look at the SSL/TLS encryption technology to see if it could be improved, and I found a new and exciting way to encrypt your traffic. It's called SSL/TLS over HTTP/2 and it uses a method called Server Name Indication (SNI).

What does SNI do? SNI is a method of using multiple domains on a single host (i.e., a website) that can be identified by their domain name. The concept is not new; SNI has been around since the mid-2000s. However, it's not commonly used and it hasn't really been adopted into today's web.

As you can see, SNI has been around for a while now, but it hasn't really been popular for web traffic. There's nothing wrong with the technology itself; it's just that people haven't really embraced it as a way to encrypt their traffic. It's time we did.

How does SNI work? The way SNI works is by using a combination of the domain and port. For example, if you were to go to that would mean you're connecting to www.com on port 443. You can't identify which domain you're connecting to and you're not sure whether that domain is a trusted or a fake domain. You can make it a little bit more secure by using a certificate, but that's another story.

Is SNI safer than TLS?

Should I use IPSec or SSL VPN?

The reason I'm asking is that they both seem to have features other than just encrypting the communication between a client and server, i.e., tunneling traffic over the internet through an IPSec VPN or configuring an SSL server to do the same, and if you set up a server using these you get much better security by not having to manage SSH ports etc. on the remote (server).

I'm just trying to understand if these would require any particular changes to the software configuration on the server, as I already have some of my IPsec configured. Do you have any idea which one would be the best?

You are correct in that they are for different purposes. But the question is which has better advantages in terms of protecting your server and communicating better over the internet.

Both have their place. IPSec would work to ensure that when two hosts need to send messages over the same link, the message integrity is ensured between them and they can be authenticated with a key to verify that it came from the expected sender.

Tunneling using SSL/IPSec would make the data sent between the host and the client(s) appear as if they are all local. The host does not know the IP address the client is connected to but everything appears as though it's just one host out of many at that point. It will also be encrypted and may contain additional authentication information.

Tunneling using SSL/IPSec would make the data sent between the host and the client(s) appear as if they are all local. Thanks for clearing this up - which one do I look at and what advantages does each have?

Does AnyConnect use SSL or IPSec?

We use AnyConnect (version 2.0.63745) to connect to various sites where we do have HTTPS connections available.

We have SSL encryption enabled in our web.config and that seems to be working fine, but one site we're trying to connect to doesn't seem to be accepting a connection using any of the connections above. It seems to use IPSec and we just can't get it to work. I have tested it using a Windows 7 client and connecting via Windows XP Pro SP3 and Windows Server 2025 and have tried various server settings and still nothing.

I think AnyConnect is just an HTTP proxy but my knowledge of the protocol is very limited. Any tips on how to configure AnyConnect for use with IPSec? Thanks.

For security reasons (and other reasons) most IPSec implementations don't support HTTP/HTTPS proxying. It's possible however to modify AnyConnect's proxy server settings to set the proxy to type "HTTP" and then create a connection for an IPSec tunnel through that. Another option is to use the AnyConnect HTTP proxy mode for all tunneling, including via SSL/HTTPS - this should work fine.
