

The SSL VPN market has blossomed in the last five years in response to dissatisfaction with the traditional VPN technologies, namely the insecure Point-to-Point Tunneling Protocol (PPTP) and the complex and intrusive IP Security (IPsec) standard. I wanted to write an article on the strengths of OpenVPN, but I just can’t get the message out without first talking about the serious insecurities I see in the rest of the SSL Virtual Private Network (VPN) space.

SSL VPNs have roared into the VPN space with the claim of high security, ease of use, and robust feature sets that eclipse the existing technologies. Whenever I hear that combination of claims, my brow furrows and I see that it’s time to start digging. When you are working with mature security technologies (like SSL/TLS), security is often a zero-sum game. I realize that SSL VPNs are a new paradigm, but when you increase an architecture’s feature set, you almost always do it at the expense of security. It is possible to squeeze out small incremental gains, but when someone says they have bumped functionality way up without compromising security, you need to take a closer look to verify these assertions. It is possible to gain in both areas, as we’ll see when we talk about OpenVPN, but for the most part those kinds of claims have nothing but vapor and marketing push behind them.

The main architectural advantage of SSL VPNs is that they shed the complexity of IPsec in exchange for the simple, well-tested SSL/TLS structure for their cryptographic layer. To this I say “Bravo!!” IPsec is a hard protocol to use effectively for a variety of reasons. One, IPsec has too many possible configurations, some of which produce insecure architectures. The adage “complexity is the enemy of security” is well illustrated by this excessive group of configuration options and structural components. Two, the nature of IPsec requires it to be tightly coupled with the OS kernel. This is bad for any application, but much more severe when we’re talking about critical security components. Since the days of Multics it has been well known that in order to architect a secure, available system, you need to avoid interference with kernel space wherever possible. If your code can interfere with kernel space, its failure is usually catastrophic for the entire system. If your security code can interfere with kernel space, it can compromise your entire security framework with a single failure.

IPsec VPNs are implemented in kernel space; SSL VPNs have no such requirement. A compromise of a kernel-coupled component is a compromise of the kernel itself, which means instant root access.
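To make the “too many possible configurations, some of which produce insecure architectures” point concrete, here is a small proposal checker added for this page (it is example code written for this article, not part of OpenVPN or of any IPsec implementation). It assumes the strongSwan/Libreswan-style proposal syntax, in which algorithm tokens are joined by "-" and alternative proposals by "," (for example "aes256-sha256-modp2048"); the rule tables of weak or legacy transforms and the two sample connection descriptions are constructed for the example and are not exhaustive. Note how many independent knobs (cipher, integrity, PRF, DH group, IKE version, exchange mode, authentication method, AH versus ESP) have to be right at once for the tunnel to be sound, which is exactly the configuration surface the text is complaining about.

```python
"""Lint IKE/ESP proposal strings for well-known insecure combinations (example code)."""
import re
from typing import Dict, List, Tuple

# Rule tables (assumptions for this example; widely documented weaknesses, not a complete list).
WEAK_ENC = {
    "des": "56-bit key, brute-forceable",
    "3des": "64-bit block (Sweet32), deprecated",
    "null": "no confidentiality at all",
    "cast128": "64-bit block",
}
WEAK_INTEG = {"md5": "MD5-based HMAC, deprecated"}
LEGACY_INTEG = {"sha1": "SHA-1 HMAC still accepted, but prefer SHA-2"}
WEAK_DH = {"modp768": "DH group 1 (768-bit)", "modp1024": "DH group 2 (1024-bit)"}
LEGACY_DH = {"modp1536": "DH group 5 (1536-bit), prefer >= 2048-bit MODP or ECP"}

# Token classes in the assumed proposal syntax.
AEAD_RE = re.compile(r"^(aes(128|192|256)(gcm|ccm)(8|12|16)?|chacha20poly1305)$")
ENC_RE = re.compile(r"^(aes(128|192|256)(cbc|ctr)?|camellia(128|192|256)|des|3des|null|cast128)$")
INTEG_RE = re.compile(r"^(md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)(_\d+)?$")
PRF_RE = re.compile(r"^prf(md5|sha1|sha256|sha384|sha512|aesxcbc|aescmac)$")
DH_RE = re.compile(r"^(modp\d+|ecp\d+|curve25519|curve448)$")

Finding = Tuple[str, str]  # (severity: "fail" | "warn", message)


def check_proposal(proposal: str, kind: str) -> List[Finding]:
    """Check one proposal string. kind is "ike" (needs enc, integrity/AEAD and DH)
    or "esp" (data channel; a DH group there means PFS for the child SA)."""
    findings: List[Finding] = []
    for alt in proposal.split(","):
        alt = alt.strip().lower()
        enc = integ = dh = None
        aead = False
        for tok in alt.split("-"):
            if AEAD_RE.match(tok):
                enc, aead = tok, True          # AEAD carries its own integrity
            elif ENC_RE.match(tok):
                enc = tok
            elif INTEG_RE.match(tok):
                integ = tok.split("_")[0]      # drop truncation suffix such as sha256_96
            elif PRF_RE.match(tok):
                pass                           # PRF choice is outside this example's scope
            elif DH_RE.match(tok):
                dh = tok
            else:
                findings.append(("warn", f"{alt}: unrecognised token '{tok}'"))

        if enc is None:
            findings.append(("fail", f"{alt}: no encryption transform"))
        elif enc in WEAK_ENC:
            findings.append(("fail", f"{alt}: {enc} ({WEAK_ENC[enc]})"))

        if not aead and integ is None:
            findings.append(("fail", f"{alt}: encryption without integrity is malleable"))
        elif integ in WEAK_INTEG:
            findings.append(("fail", f"{alt}: {integ} ({WEAK_INTEG[integ]})"))
        elif integ in LEGACY_INTEG:
            findings.append(("warn", f"{alt}: {integ} ({LEGACY_INTEG[integ]})"))

        if dh is None:
            if kind == "ike":
                findings.append(("fail", f"{alt}: IKE proposal without a DH group"))
            else:
                findings.append(("warn", f"{alt}: no DH group, so no PFS for the child SA"))
        elif dh in WEAK_DH:
            findings.append(("fail", f"{alt}: {dh} ({WEAK_DH[dh]})"))
        elif dh in LEGACY_DH:
            findings.append(("warn", f"{alt}: {dh} ({LEGACY_DH[dh]})"))
    return findings


def audit_connection(conn: Dict) -> List[Finding]:
    """Audit a connection description (constructed dict: ike, esp, ikev, aggressive, auth, protocol)."""
    findings = check_proposal(conn["ike"], "ike") + check_proposal(conn["esp"], "esp")
    if conn.get("ikev", 2) == 1 and conn.get("aggressive") and conn.get("auth") == "psk":
        findings.append(("fail", "IKEv1 aggressive mode with PSK: the PSK-derived hash "
                                 "travels unencrypted and can be brute-forced offline"))
    if conn.get("protocol", "esp") == "ah":
        findings.append(("fail", "AH only: integrity but no confidentiality"))
    return findings


def count_failures(findings: List[Finding]) -> int:
    return sum(1 for sev, _ in findings if sev == "fail")


# Constructed sample connections: one that many legacy guides still show, one sane one.
WEAK_CONN = {"ike": "3des-md5-modp1024", "esp": "3des-md5", "ikev": 1, "aggressive": True, "auth": "psk"}
STRONG_CONN = {"ike": "aes256gcm16-prfsha384-ecp384", "esp": "aes256gcm16-ecp384", "ikev": 2, "auth": "pubkey"}

if __name__ == "__main__":
    for name, conn in (("weak", WEAK_CONN), ("strong", STRONG_CONN)):
        print(f"[{name}] failures={count_failures(audit_connection(conn))}")
        for sev, msg in audit_connection(conn):
            print(f"  {sev}: {msg}")
```

Run as a script it prints six failures and one warning for the weak connection (3DES, MD5 and 1024-bit DH in both proposals, no PFS on the child SA, and aggressive mode with a PSK) and nothing for the strong one. The same rule-table approach extends to whatever other knobs a given implementation exposes; the point is that with SSL/TLS the equivalent checklist is much shorter.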
