To compare Secure Sockets Layers and Transport Layer Security and Internet Protocol Security let us first discuss their origins and intent.
Transport Layer Security (TLS) is the child of the Secure Socket's Layer protocol. TLS was defined formally by the IETF in 2008 in RFC 5246.[IETF]i It's origins are rooted in SSL 1.0 as developed in 1996 by Netscape as a means to secure browser sessions. The main goals of TLS are defined as setting up a secure channel between two parties based upon certification exchange that is extensible and inter operable in nature and that is computationally efficient. That is to say it's designed to secure a single channel between a server and a host.
TLS operates at the Transport layer by means of encapsulation by encrypting the underlying protocol after a standardized handshake and authorization have occurred often over Public Key Infrastructure using certificates that have been obtained commercially from one of the public certificate authorities these include organizations like Verisign and are most commonly issued to businesses wishing to secure their website or application. The HTTP protocol has a default header “HTTPS” and both SSL and TLS encrypted web sites operate on the default TCP port of 443. TLS 1.0 is preferable to SSL 1.0, 2.0 or 3.1 versions as it's the most secure cipher and the latest incarnation of the standard; as each iteration of the standard has been revised various security issues have been addressed.
Internet Security Protocol (IPSec) is a suite of protocols where key exchange and payload encapsulation was ratified by the IETF in RFC 2406 in 1998 [IETF]ii and various methods of payload or point to point encryption may be supported within the suite and standard. IPSec may use either IKE or AH and SA methods to exchange secure information and with IPSec only layers 1 through 3 are visible in plain text on a network. It's designed to encrypt communications between either a host to a network, or a gateway to a gateway; ie; two geographical locations via gateways. All implementations of IPSec are colloquially reffed to as a “Virtual Private Network” or VPN, large businesses use VPN's in place of dedicated networks as they offer the same functionality at a fraction of the cost.
TLS and IPSec operate at different layers within the OSI model; TLS operates from Layer 4 up; ie the transport and session layers in a TCP/IP based session are encrypted in TLS using a signed X.509 certificate and escrow authentication; the most common of which is the now infamous “Security Notice” that users see when attempting to connect to a server that is using a self signed certificate; as opposed to a certificate obtained from a certification authority; which would require no notice as the authorities chain exist in the on line web of trust. IPSec operates from Layer 3 and up; it encrypts the entire contents of the packet including session, protocol, transport and application layers. The method of encryption may be certificate based or it may use a popular form of Internet Key Exchange as one defined by ISAKMPiii based authentication frameworks, these include KINK or IPSECKEY based DNS records or pres hared secrets such as those used by TACAS and Radius.
TLS is designed to provide a secure port on a client to a server, IPSec can provide either as secure pipe or channel but it's usually used to create a pipe through which IP traffic flows across an unsecured network. Both protocols are deigned to facilitate secure communication between two parties across an insecure medium and both parties use cryptography as a means to do so. The differ in that TLS is a lightweight implemented where only a single method of authentication is agreed upon by the client for the server. IPSec is a suite of protocols including IKE, AH, ESP, ISAKMP, KINK, IPSECKEY or other protocols are utilized for mutual party authentication; in fact both ends of the VPN must agree upon the type and method of authentication to be used to create the PIPE, once created the pipe behaves just like any other TCP/IP version 4 link in that any and all encapsulated traffic may enter the pipe on one segment destined for the other segment. IPSec does have a tax since it encapsulates the entire IP packet thus by duplicating layers 3 to 1 within TCP/IP; these are the Frame, IP SRC and DST headers and other network related information such as routing; the encrypted packets are about 20% larger than their unencrypted counters parts. TLS only suffers a moderate bloat during encryption as it's integrated into the sockets layer.
TLS is easier to implement than IPSec, both provide full security but IPSec is the more secure of the two protocols; TLS will support all kinds of web applications; where as IPSec will support any protocol that works on TCP/IP which is practically everything on the Internet. Tailored services may be provided by establishing a VPN with clients or over SSL examples include on line banking; IPSec is more transparent to applications than TLS however since most applications are now programmed as websites or web-based applications TLS is relatively transparent provided it's configured to support port redirection on the server. Of the two protocols deployment of TLS only requires the installation of a certificate on a web server in either IIS or Apache; IPSec requires two gateway devices or client software that creates a virtual network interface on the host in question.
Generally speaking the choice of technology is Dependant upon the business requirement; if you are connecting to clients over the Internet and you have a website in which you wish your clients to feel secure in it's use and operation than TLS is the ideal choice as it's easier and less costly to implement. If you have a large multinational company with offices all around the planet in various countries engaging in business in all these countries than having a VPN gateway at every offices point of presences is a cost effective way to tie all of the networks in each of these offices together.
i[IETF] Dierks T.; Rescorla E; (IETF, 2008) The transport layer security (TLS) protocol version 1.2 [Online] World Wide Web, Available from: http://tools.ietf.org/html/rfc5246 (Accessed on June 7th 2011)
ii[IETF] Kent, S; Atkinson, R; (IETF, 1998) IP Encapsulating Security Payload [Online] World Wide Web, Avaialble from; http://tools.ietf.org/html/rfc2406 (Accessed on June 7th 2011)
iii[IETF] Harkins, D; Carrel D; (IETF, 1998) Internet Key Exchange [Online] World Wide Web, Available from: http://tools.ietf.org/html/rfc2409 (Accessed on June 7th 2011)
No comments:
Post a Comment