On Fri, 19 Mar 2004, jt wrote:

> Thank you. I'm sure there are a fair bit of details involved, which I don't
> know, but I've often wondered if there is any advantage, security-wise, to
> running SSL withIN a VPN?
>
> (Same sig quote as usual, I presume James?...;-)

My understanding (not wanting to get sued here) is that a VPN doesn't provide any additional security to an SSL-enabled telnet connection. What a VPN provides is security for all those protocols and communications that are otherwise not secure. A VPN is also able to "hide" your network setup since the "virtual private" part of the network is hidden in the encryption.

An examination of the TCP packets of both a VPN and SSL-enabled telnet looks something like this:

    [TCP headers][gobbledegook]

The difference is the gobbledegook part. A VPN will contain the TCP headers and data from your "virtual private" network. SSL-enabled telnet will contain just the telnet data.

Upon receiving a packet, a VPN strips off the outer layer of TCP headers, unencrypts the gobbledegook, and then forwards the resulting TCP traffic onto the network. SSL-enabled telnet does the exact same thing, except that instead of forwarding the data onto the network, it hands it over to the telnet daemon.

Running SSL-enabled telnet over a VPN means that when the VPN receives a packet it will strip off the TCP headers, unencrypt the gobbledegook, and forward the result onto the network. This time, the result will be some TCP headers followed by more gobbledegook. The gobbledegook is the encrypted data of the telnet connection. It gets passed on to the SSL-enabled telnet server, which removes the headers, unencrypts the gobbledegook, and passes the data on to your application.

However, encrypting the encrypted data doesn't really gain you anything. So using a VPN in combination with SSL-enabled telnet doesn't really provide you with more security. It is similar to running a VPN over a VPN (which is entirely possible).
An interesting note to this is that it is possible to run a VPN over SSL-enabled telnet! SSH is basically SSL-enabled telnet with some added coolness. By using a fairly smart telnet server, you can route TCP/IP traffic through SSL-enabled telnet. SSH provides just this sort of functionality. Network traffic can be routed into an SSH session, just as if it were a normal IP route. On the other end that traffic is then routed onto the private network.

btw - now I have a completely new and exciting .sig!

James Rich

Zvpebfbsg vf abg gur nafjre. Zvpebfbsg vf gur dhrfgvba. AB (be Yvahk) vf gur nafjre.
-- Gnxra sebz n .fvtangher sebz fbzrbar sebz gur HX, fbhepr haxabja
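As an added illustration of the layering James describes (not code from the thread), here is a toy Python model of what a passive on-path observer sees for SSL-enabled telnet alone, a VPN alone, and SSL telnet carried inside a VPN, and how each receiver peels its layer off. The addresses, ports, keys and the SHA-256 XOR "cipher" are constructed stand-ins, not real TLS or IPsec.

```python
import hashlib

# Constructed addresses and keys for the illustration (not from the post).
CLIENT, SERVER = "10.0.0.5", "10.0.0.9"              # hosts on the private net
VPN_CLIENT, VPN_GW = "198.51.100.7", "203.0.113.2"   # public VPN endpoints
K_SSL, K_VPN = b"ssl-telnet-session-key", b"vpn-tunnel-key"
SECRET = b"login: alice\r\npassword: hunter2\r\n"    # the telnet data


def toy_cipher(key: bytes, data: bytes) -> bytes:
    """Toy SHA-256 counter-mode XOR stream: a stand-in for real record
    encryption so the layering is visible without a crypto library.
    XOR is its own inverse, so the same call also decrypts."""
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(4, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)


def packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """[TCP headers][payload] in the post's notation; headers stay in the clear."""
    return f"[{src}:{sport}->{dst}:{dport}]".encode() + payload


def split(pkt: bytes):
    header, payload = pkt.split(b"]", 1)   # first ']' closes the header
    return header.decode() + "]", payload


def ssl_telnet_only() -> bytes:
    # SSL encrypts only the telnet data; the telnet-over-SSL port is exposed.
    return packet(CLIENT, SERVER, 40000, 992, toy_cipher(K_SSL, SECRET))


def vpn_only() -> bytes:
    # The VPN encrypts a whole inner packet, inner headers included.
    inner = packet(CLIENT, SERVER, 40000, 23, SECRET)
    return packet(VPN_CLIENT, VPN_GW, 40001, 443, toy_cipher(K_VPN, inner))


def ssl_inside_vpn() -> bytes:
    # Both layers: the VPN carries the already-encrypted SSL telnet packet.
    return packet(VPN_CLIENT, VPN_GW, 40001, 443, toy_cipher(K_VPN, ssl_telnet_only()))


def observer_sees(pkt: bytes):
    """What a passive observer learns: the outer header, and whether the
    payload still carries the plaintext telnet data."""
    header, payload = split(pkt)
    return header, SECRET in payload


def vpn_unwrap(pkt: bytes) -> bytes:
    # Gateway strips outer headers, decrypts, forwards the inner packet.
    return toy_cipher(K_VPN, split(pkt)[1])


def ssl_unwrap(pkt: bytes) -> bytes:
    # The SSL telnet daemon strips headers and decrypts for the application.
    return toy_cipher(K_SSL, split(pkt)[1])
```

The observer's view of `ssl_inside_vpn()` is identical to that of `vpn_only()`: the inner layer adds confidentiality only against whoever sits between the VPN gateway and the telnet server, which is James's point about the second layer gaining little on the wire.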