IPSec compared to different protocols
I have a question regarding IPSec. I understand it helps encrypt IP packets. Therefore, is there a need to implement application-level security if the underlying packets are already encrypted? For example, having both IPSec and HTTPS. Hope this is sort of clear. Thanks, whoop
October 22nd, 2009 10:13pm

No need for both in the aspect of confidential (encrypted) traffic, but if user authentication is a factor then SSL might fit your needs better. The encryption impact on the system should be about the same in both cases.
October 23rd, 2009 1:48am

Some notes:

- Basically yes, you are right.
- IPSec can encrypt only unicast traffic, no broadcast nor multicast, which would require application encryption if necessary.
- IPSec can also work in a tunnel mode. This is then not end-to-end encryption. Tunnel mode for example is used to encrypt router-to-router communications between two subnets or remote sites (site-to-site VPN) etc. In that case, some portion of the communications would not be encrypted when passing over the unencrypted networks:

  client ----- LAN ------ router ------ IPSec tunnel ----- router ----- LAN ------ server

- IPSec is generally LAN encryption. To enable IPSec, you need to issue certificates to every computer which should be accessible or access the others. This means to both client and server.
- If you deploy a certificate on a server, you need to configure all the clients with an IPSec policy that specifies that server's CA as trusted. This means that it would be problematic to let internet clients access your public server (you cannot configure the public clients' IPSec policies yourself).
- If you also had the publicly facing server with IPSec enabled, you would also have to create its own IPSec policy to trust all the CAs that issued certificates to all the public clients, which is again impossible.
- This LAN nature means that you still would deploy HTTPS for public access.
- IPSec sometimes has problems passing through NAT and even some cheaper router devices (it uses the separate IP protocol ESP as against TCP/UDP).
- IPSec cannot be used in a NATed scenario of such a kind as: client ---- NAT ----- NAT ---- server

ondrej.
October 23rd, 2009 11:22am
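As an added illustration of the tunnel-mode point above (example code written for this page, not code from the thread or from any IPsec implementation), the following Python script models which links on Ondrej's sketched path still carry the application payload in cleartext under each option the thread discusses: no encryption, IPsec tunnel mode terminated on the two routers, end-to-end HTTPS, and both stacked. The topology, node names and the `links`, `covered_links`, `exposed_links` and `report` helpers are all constructed here for the example.

```python
# Added example, not code from the thread: a small model of which links on a
# path still carry the application payload in cleartext under the options
# Ondrej describes (no encryption, IPsec tunnel mode between two gateways,
# end-to-end HTTPS), and what stacking both buys. Names are constructed.

# Constructed from Ondrej's sketch:
#   client ----- LAN ------ router ------ IPSec tunnel ----- router ----- LAN ------ server
PATH = ["client", "lan-A", "router-A", "internet", "router-B", "lan-B", "server"]


def links(path):
    """Every link (adjacent pair of nodes) a packet crosses along the path."""
    return list(zip(path, path[1:]))


def covered_links(path, layer):
    """Links on which one protection layer encrypts the application payload.

    layer is a tuple (kind, endpoint_a, endpoint_b):
      ("tunnel", a, b)      IPsec tunnel mode between gateways a and b: only the
                            links between the two gateways are covered.
      ("end-to-end", a, b)  HTTPS/TLS (or IPsec transport mode) between hosts a
                            and b: every link between them is covered.
    Both shapes cover exactly the links between their endpoints; the kinds
    differ only in where the endpoints can sit (gateways vs. the hosts).
    """
    kind, a, b = layer
    if kind not in ("tunnel", "end-to-end"):
        raise ValueError(f"unknown layer kind: {kind}")
    i, j = sorted((path.index(a), path.index(b)))
    return set(links(path)[i:j])


def exposed_links(path, layers):
    """Links where a passive observer sees the payload in clear once every
    layer in `layers` is applied (the protections stack as a union)."""
    covered = set()
    for layer in layers:
        covered |= covered_links(path, layer)
    return [link for link in links(path) if link not in covered]


def report(path, layers):
    """Human-readable summary for a given stack of protections."""
    exposed = exposed_links(path, layers)
    if not exposed:
        return "payload encrypted on every link"
    return "payload in clear on: " + ", ".join(f"{a}->{b}" for a, b in exposed)


if __name__ == "__main__":
    tunnel = ("tunnel", "router-A", "router-B")
    https = ("end-to-end", "client", "server")
    print("none        :", report(PATH, []))
    print("tunnel only :", report(PATH, [tunnel]))
    print("https only  :", report(PATH, [https]))
    print("both        :", report(PATH, [tunnel, https]))
```

Running it shows the two LAN segments on either side of a site-to-site tunnel exposed under "tunnel only", and nothing exposed once HTTPS is layered on top, which is the practical answer to the original question when the IPsec in use is a gateway tunnel rather than host-to-host transport mode.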

Also, IPSec as of Windows 2000 SP4 and XP SP2, Windows Server 2003 and up has removed the default exemptions for Kerberos and RSVP, which means that if you implement IPSec on any OS listed above you will need to add your own exemptions for Kerberos (domain controllers) to assure normal functionality. Check for details on exemptions:
http://support.microsoft.com/kb/810207
http://support.microsoft.com/kb/811832/en-us
October 23rd, 2009 11:55am

Hi, Ondrej covered the topic thoroughly. I'll just add that application-level security in my point of view covers much more than network communication encryption :). Also to add one more thing. It is quite simple to use a reverse proxy (e.g. ISA) to inspect HTTP traffic. This will not be possible if you use IPSec.
Martin
October 23rd, 2009 12:04pm

Also to add one more thing. It is quite simple to use a reverse proxy (e.g. ISA) to inspect HTTP traffic. This will not be possible if you use IPSec. This is a common argument against IPSec - that you cannot inspect the traffic for malicious behaviour, so if you have an IDS/IPS then you might wanna go with application-level. I like the rawness of IPSec so hope the IDS/IPS vendors come up with an inspection-HUB or a local IDS/IPS application soon.
October 23rd, 2009 12:32pm

Hello, Thank you for your post here. From the description, you have a concern about whether there is a need to implement application-level security (such as SSL) if the underlying packets are already encrypted (IPSec). Agree with SnorLars that there is no need to implement both at the same time. Actually, because of the nature of those two security protocols they are designed for separate scenarios.

In IPv4 networks, because of the existence of private networks (NAT), IPsec is often used for intranet resource (private) access instead of access via the Internet (public). For a resource published to the Internet such as TS or HTTP, it will be much more convenient to use SSL as it needs only port 443 to be forwarded while IPsec needs a lot.

Second, IPsec is naturally defined in TCP/IP. All applications whose traffic IPsec is used to encrypt will not be aware of the existence of IPsec, while TLS/SSL is typically incorporated into the design of applications.

If you have any questions or concerns, please do not hesitate to let me know.
October 23rd, 2009 2:16pm
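To make the port-forwarding comparison concrete, here is an added Python example (written for this page; not code from the thread or from any firewall or VPN product) that checks whether HTTPS or IPsec would cross a constructed sequence of firewalls and NAT devices. The protocol facts it encodes are standard: HTTPS is TCP port 443; IPsec needs IKE on UDP port 500 plus ESP, which is IP protocol 50 and carries no transport-layer ports; with NAT traversal (NAT-T, RFC 3948) ESP is wrapped in UDP port 4500 so that a port-translating NAT can forward it. The `firewall`, `nat`, `passes_device` and `can_traverse` helpers and the device chain in the usage section are all constructed for the example.

```python
# Added example, not from the thread: check whether HTTPS or IPsec can cross a
# constructed sequence of firewalls and NAT devices. Protocol facts used:
# HTTPS is TCP/443; IPsec needs IKE on UDP/500 plus ESP, which is IP protocol
# 50 and carries no transport ports; with NAT-T (RFC 3948) ESP is wrapped in
# UDP/4500 so that a port-translating NAT can forward it.

# Flow = (transport, port) or ("ip", protocol_number) for port-less protocols.
HTTPS = [("tcp", 443)]
IPSEC_NATIVE = [("udp", 500), ("ip", 50)]
IPSEC_NATT = [("udp", 500), ("udp", 4500)]


def firewall(*allow):
    """A firewall that permits only the listed flows. ("any", None) allows all."""
    return {"type": "firewall", "allow": list(allow)}


def nat():
    """A port-translating NAT: forwards TCP/UDP but cannot track port-less ESP."""
    return {"type": "nat"}


def passes_device(device, flow):
    """Return None if the flow crosses the device, else a reason string."""
    proto, value = flow
    if device["type"] == "nat":
        if proto == "ip":
            return f"NAT cannot translate IP protocol {value} (no ports)"
        return None
    for a_proto, a_value in device["allow"]:
        if a_proto == "any" or (a_proto == proto and a_value in (None, value)):
            return None
    return f"firewall blocks {proto}/{value}"


def can_traverse(flows, devices):
    """(ok, reasons): ok is True only if every flow crosses every device.

    Each flow stops at the first device that rejects it, so `reasons` names
    the first blocking device per flow, in flow order.
    """
    reasons = []
    for flow in flows:
        for idx, dev in enumerate(devices):
            why = passes_device(dev, flow)
            if why:
                reasons.append(f"device {idx}: {why}")
                break
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed edge: a firewall that forwards 443, 500 and 4500, then a NAT.
    edge = [firewall(("tcp", 443), ("udp", 500), ("udp", 4500)), nat()]
    cases = [("HTTPS", HTTPS), ("IPsec native", IPSEC_NATIVE), ("IPsec NAT-T", IPSEC_NATT)]
    for name, flows in cases:
        ok, why = can_traverse(flows, edge)
        print(f"{name:13s}: {'OK' if ok else 'FAIL'} {why}")
```

With that edge, HTTPS and NAT-T IPsec get through while native ESP is stopped at the NAT even though the firewall would pass it; a rule set that only forwards TCP/443 blocks both IPsec variants. This is the "only port 443 versus several openings" trade-off in checkable form.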
