SSH vs. VPN
VPN Definition
An IP-based Virtual Private Network (VPN) provides a secure tunnel for transmitting data through an
unsecured network such as the Internet. There are several protocols that can be used to achieve this such as PPTP, L2TP,
L2F, IPSEC etc. IPSEC is the only protocol that is an IETF standard. A VPN is “virtual” because it does not require
dedicated lines. It is “private” because encryption is used to achieve security. It also uses an IP “network” for
communication.
VPN Example

Before VPNs existed, a remote office that wanted to access its corporate network would typically use a
dedicated leased line (such as a T1), and telecommuters would most likely have to use a dial-up connection to call a
modem bank (remote access switch) at the corporate HQ. Both of these methods can be expensive and are not as secure as a VPN.

A typical VPN application provides a secure tunnel at the edge of a network so that remote/branch offices
or telecommuters can use the Internet to access corporate resources securely. Network edge devices that provide VPN support
are switches, routers, and firewalls. This equipment may reside in an enterprise, and therefore would be managed by the
company’s IT Department or by a Service Provider such as an ISP. The benefit of having service providers manage the VPN for
their corporate customers is that they provide service level agreements (SLA) which guarantee a pre-defined level of
performance. Some corporations want SLAs because the performance of the Internet is unpredictable. A guaranteed level of
performance may be needed for critical applications such as streaming video.
VPN Benefits
- Security – it encrypts all data in the VPN tunnel
- Cost savings – an organization can take advantage of the ubiquitous nature of the Internet. A branch
office or telecommuter accesses data at corporate headquarters inexpensively from any location worldwide via a connection
to their local service provider. Costly long-distance charges for dial-up or leased lines are not needed for organizations
that use a VPN to tunnel data securely through the Internet.
VPN Disadvantages
- Standards/Interoperability – although IPSEC is the IETF standard protocol for VPN, many companies, such
as Microsoft, do not support it. As a result, the same equipment must be used at both ends of the tunnel to ensure
interoperability.
- Difficult to set up and manage – remote clients need to be configured with the right security
parameters. Additionally, the secure tunnels between the client and the tunnel endpoint must be integrated with the
firewall (which supports NAT). VPNs do not easily interoperate with NAT devices because NAT uses private IP addresses that
VPN devices do not recognize.
- All traffic over the VPN is encrypted, regardless of need. This can potentially cause bottlenecks, since
encrypting data creates network overhead.
VPN and SSH
SSH also provides secure communication for transmitting data through an unsecured network such as the
Internet. Even though VPN and SSH perform the same basic function (secure communication between the remote office or
telecommuter and corporate HQ), there are some differences between them. The major difference is that SSH is an
application layer protocol and VPN (IPSEC) is an IP layer solution. This means that one protocol may be more appropriate
to use than the other, depending on what you are trying to achieve.
- Point-to-point communication – if you have a very specific point-to-point secure communication
requirement, then SSH would be the better solution. For example, in figure 2, a manager working remotely needs to transfer
confidential documents to and from a corporate server. This corporate server can only be accessed via the server that is
connected to the Internet. Since the information being transmitted is confidential, the manager wants protection on both
the public network and the internal corporate network. The SSH client/server model can easily encrypt the data from one
point to another. A VPN using IPSEC would most likely be available to this manager only on the Internet, not on the
internal corporate network. The reason a corporation would not implement a VPN using IPSEC internally is that the
requirement for sending confidential information applies only to this one manager sending a few documents over the
internal network. Not everyone communicating on the internal corporate network has this requirement. Given this, the extra
administrative cost of implementing VPN for all employees would not be worth it.
- Security for specific applications – SSH can encrypt any application for the duration of a session,
provided the application has a known port. Applications that meet this criterion include e-mail, database connections,
printing symbionts and more. The advantage of encrypting only some applications is that it reduces the potential for
unnecessary network overhead associated with encrypting all applications, as a VPN does.
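As an added illustration (not part of the original document), the two SSH uses above can be expressed in a single OpenSSH
client configuration: a ProxyJump entry for the point-to-point document transfer through the Internet-facing server, and
LocalForward entries for the applications with known ports. Host names, ports, user names and key file names are assumed
placeholders.

```sshconfig
# Added example, not from the original document: OpenSSH client config
# (~/.ssh/config). All host names, ports and user names are constructed
# placeholders for the scenario in the text.

# The Internet-facing corporate server: the only hop reachable from the
# public network. Every internal service is tunnelled through it.
Host corp-gw
    HostName gw.corp.example
    User manager
    IdentityFile ~/.ssh/id_ed25519_corp
    IdentitiesOnly yes
    # Refuse to connect if the gateway's host key changes, instead of prompting.
    StrictHostKeyChecking yes
    # The gateway never needs the private key; keep agent forwarding off.
    ForwardAgent no
    # Application-specific tunnels: only traffic sent to these local ports
    # is encrypted, which is the "some applications, not all" case above.
    # Binding to 127.0.0.1 keeps other machines on the LAN from using the
    # tunnel through this client.
    # Database connection (local 15432 -> internal PostgreSQL 5432)
    LocalForward 127.0.0.1:15432 db.corp.internal:5432
    # E-mail (local 1143 -> internal IMAP 143)
    LocalForward 127.0.0.1:1143 mail.corp.internal:143
    # Printing (local 1631 -> internal IPP 631)
    LocalForward 127.0.0.1:1631 print.corp.internal:631
    # Abort rather than silently continue if a forward cannot be set up.
    ExitOnForwardFailure yes

# The internal document server: a second SSH session carried through the
# gateway, so the documents stay encrypted on the internal network as well
# as on the Internet. The gateway only relays the inner session's ciphertext.
Host corp-files
    HostName files.corp.internal
    User manager
    ProxyJump corp-gw
    IdentityFile ~/.ssh/id_ed25519_corp
    IdentitiesOnly yes
    StrictHostKeyChecking yes
```

With this file, `ssh -N corp-gw` opens the three application tunnels, and `sftp corp-files` transfers the manager's
documents end to end; because the inner session is authenticated against files.corp.internal's own host key, the gateway
cannot read the documents it relays.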

VPN and SSH are not mutually exclusive in a network. A network manager may need to implement both.
For example, if a VPN has been implemented in an organization, then it is most likely located only at the edge of the
network, so there is secure communication only over the Internet. An SSH client/server solution can be implemented in
conjunction with the VPN in order to have security on the internal corporate network, for:
- Communication of some (not all) information considered confidential
- Only used by several (not all) employees
- Additional security over the Internet

Common Sales Objections to SSH
1. Objection - I use VPN now, why do I need SSH?
Response – Where is your VPN located? What and when do you need to protect your data? Your data is most
likely only protected over the Internet if you are using a VPN. Do you need to protect files, data or e-mail on your
internal network or any place other than the Internet? HR or finance might want to send sensitive financial or employee
information to each other. This information should always be protected even on the internal network.
2. Objection - VPNs are more widely used than SSH, therefore we will most likely use VPN.
Response – There is an IETF standard protocol used for VPN called IPSEC, but it is not widely
implemented yet. SSH protocol version 2 is also becoming an IETF standard and is already widely used. You do not have to
use one security technique over another; it depends on what you are trying to accomplish.
- What applications do you need to encrypt? If you only need to encrypt Telnet, e-mail or database lookup
connections and nothing else, then SSH can do it more efficiently. If all applications need to be encrypted over the
Internet, then VPN would be more appropriate.
- Who uses them and where? Do HR, Finance and the IT department need to transfer files securely on the
internal or external network, but not sales and marketing? SSH would be more appropriate for specific point-to-point
communication on the internal or external network.
- How often do you need to encrypt the application? If only some Telnet (or other application) sessions
need to be encrypted and not others, then SSH will address your requirement.
3. Objection - I do not use Telnet, therefore I do not need SSH.
Response – Which applications do you need to secure? SSH provides security to any application, provided it
has a known port, such as database connections, printing symbionts, X-11 display, e-mail and more.
4. Objection - I do not need SSH, I only Telnet/FTP internally – behind the firewall.
Response – Many of our customers need to communicate securely behind the firewall. For example, one of our
customers transfers patient data from one location to another, and they use SSH because (1) firewalls are not 100% secure
and (2) they do not want an unauthorized employee within their organization accessing this information.
Courtesy of Process Software