The following criteria are used to compare and contrast IPsec and SSL: interoperability, authentication, security, and NAT traversal.
IPsec is implemented in many of the networking devices in use today. Support for it was originally a mandatory part of IPv6 (RFC 4294), and although the IPv6 node requirements later relaxed this to a recommendation (RFC 6434), it is built into most IPv6 stacks; it is also widely used on IPv4. Interoperability problems arise because the protocol suite has many negotiable options (IKE version, authentication method, cipher suites, Diffie-Hellman groups, key lifetimes, tunnel versus transport mode) and different vendors ship different defaults, so two endpoints interoperate only when they are configured with matching proposals. Some products also require proprietary client software, which does not interoperate with other vendors' clients or gateways. Even when IPsec is implemented in hardware, both ends must agree on the same configuration before they can communicate. In short, the interoperability issues stem not from a lack of a standard but from the breadth of the standard and the absence of a single mandated configuration.
SSL (today standardised as TLS), on the other hand, is interoperable among most web browsers and servers, because virtually all web server vendors, including Microsoft, Netscape, and Apache, implement it. Interoperability issues do occur among proprietary applications that embed their own implementations. Furthermore, SSL is a lot simpler to deploy: it does not require client software to be installed on client devices or any hardware configuration. This reduces the cost of installation and maintenance, since a user can open an SSL connection from a standard browser without installing an application or worrying about interoperability. These features make SSL very flexible.
IPsec authenticates the two peers during the IKE exchange using either digital certificates or a pre-shared secret key; where no certificate infrastructure exists, only the pre-shared key can be used. IKE performs mutual authentication: both parties authenticate each other before the security association is established and traffic is protected. (IKEv2 additionally allows the client side to authenticate with EAP, typically a username and password, while the gateway still presents a certificate.)
SSL authenticates with digital certificates presented during the handshake and supports three modes of authentication:
- Server authentication: the server authenticates itself to the client. This is the normal mode on the web; the client is usually identified later, at the application layer, for example with a password.
- Client authentication (mutual TLS): the client also presents a certificate and authenticates itself to the server.
- Anonymous: neither party is authenticated (anonymous Diffie-Hellman cipher suites). This mode gives no protection against an active man-in-the-middle; it was removed in TLS 1.3 and should be disabled in older versions.
Because IPsec operates at the network layer, it protects whatever the layers above it send, with no changes to the applications. Multiple users and multiple applications can share a single tunnel between two endpoints, which lowers the processing overhead that separate per-connection security would cause.
SSL operates above the transport layer, at the application layer. As a result, each user, and in fact each application connection, needs its own SSL session with its own negotiated encryption keys. The additional handshakes and per-connection state increase processing overhead.
In the usual remote-access deployment, IPsec provides end-to-edge security: the tunnel runs from the client to a VPN gateway at the edge of the internal network, and the client is granted privileges like a member of the internal network where the resources are located. Only the path between the client and the gateway is protected; traffic from the gateway to the internal resources travels in plaintext unless it is separately secured. This is a disadvantage because sensitive data can be intercepted inside the network, and a compromised client or client credential obtains network-level access to everything the gateway exposes. (IPsec in transport mode between two hosts is end-to-end, but that is not how remote-access VPNs are typically deployed.)
SSL provides end-to-end security by establishing a secured session between the client and the application it accesses, so the data of that session remain authenticated and encrypted all the way across the internal network. A major advantage of this type of connection is that a compromise affects only that connection, not every resource on the network.
NAT TRAVERSAL (NAT-T)
A Network Address Translator (NAT) allows multiple clients on an internal network to share a single public IP address when accessing the internet. Because IPv4 is still in use and public addresses remain scarce, NAT is used in most networks to manage IP addresses. This affects IPsec because it operates at the network layer; IPsec was originally designed with IPv6 in mind, where every device is expected to have its own address. The problem is that IPsec authenticates parts of the IP datagram that NAT rewrites. AH computes its integrity check value over the IP header, including the source address, so when NAT changes that address the datagram fails verification at the receiver and is dropped; this makes AH unusable through NAT. ESP does not cover the outer IP header, but it still has two problems with NAT: ESP carries no port numbers for the NAT to translate, and in transport mode the inner TCP or UDP checksum, which depends on the original source address, is protected by ESP and cannot be fixed up by the NAT. NAT-T solves this by encapsulating ESP (and IKE) in UDP on port 4500 (RFC 3947 and RFC 3948), giving the NAT a UDP header it can rewrite freely; both sides must support NAT-T, and IKE detects the presence of a NAT and switches to it automatically. Further details on how it is done can be found in (). SSL does not require NAT-T and has no issues with NAT because it runs above the transport layer over an ordinary TCP connection. It can therefore be used remotely from any device, wherever it is located, without IP reconfiguration.
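The AH and ESP behaviour described above, as an added example that is not part of the original page: a Python script that builds a minimal IPv4/AH packet and a minimal IPv4/UDP/ESP (NAT-T) packet, applies the source-address (and, for UDP, source-port) rewrite that a NAT performs, and runs the receiver's integrity check on the result. The addresses, the key and the payload are constructed for the demonstration, the NAT is a simplified model, and ESP encryption is left out because only the integrity check matters here; the AH check follows RFC 4302 (mutable IPv4 fields zeroed, HMAC-SHA1-96) and the ESP check follows RFC 4303 (HMAC over SPI, sequence number and payload only).

```python
"""Added example (not from the original page): why NAT breaks AH but not
UDP-encapsulated ESP (NAT-T). Addresses, key and payload are constructed."""
import hashlib
import hmac
import ipaddress
import struct

KEY = b"constructed-demo-key"  # constructed; a real SA key comes from IKE
AH_PROTO, UDP_PROTO = 51, 17
ICV_LEN = 12                   # HMAC-SHA1-96 truncates the tag to 96 bits
NATT_PORT = 4500               # UDP port used for ESP-in-UDP (RFC 3948)

def ip_checksum(data: bytes) -> int:
    """Ones'-complement checksum used in the IPv4 header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, TTL 64) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def ah_icv(ip_hdr: bytes, ah_no_icv: bytes, payload: bytes, key: bytes) -> bytes:
    """AH integrity check (RFC 4302): IPv4 fields a router may legitimately
    change are zeroed, but source and destination addresses are covered."""
    h = bytearray(ip_hdr)
    h[1] = 0                  # TOS / DSCP / ECN
    h[6:8] = b"\x00\x00"      # flags and fragment offset
    h[8] = 0                  # TTL
    h[10:12] = b"\x00\x00"    # header checksum
    data = bytes(h) + ah_no_icv + bytes(ICV_LEN) + payload
    return hmac.new(key, data, hashlib.sha1).digest()[:ICV_LEN]

def build_ah_packet(src: str, dst: str, payload: bytes, key: bytes,
                    spi: int = 0x1001, seq: int = 1) -> bytes:
    # AH header: next header (UDP), payload length (32-bit words minus 2),
    # reserved, SPI, sequence number, followed by the 12-byte ICV
    ah_no_icv = struct.pack("!BBHII", UDP_PROTO, 4, 0, spi, seq)
    ip_hdr = ipv4_header(src, dst, AH_PROTO, 20 + 12 + ICV_LEN + len(payload))
    return ip_hdr + ah_no_icv + ah_icv(ip_hdr, ah_no_icv, payload, key) + payload

def verify_ah(packet: bytes, key: bytes) -> bool:
    ip_hdr, ah_no_icv = packet[:20], packet[20:32]
    icv, payload = packet[32:32 + ICV_LEN], packet[32 + ICV_LEN:]
    return hmac.compare_digest(icv, ah_icv(ip_hdr, ah_no_icv, payload, key))

def esp_icv(esp_hdr: bytes, payload: bytes, key: bytes) -> bytes:
    """ESP integrity check (RFC 4303) covers SPI, sequence number and payload
    only; the outer IP and UDP headers are not included."""
    return hmac.new(key, esp_hdr + payload, hashlib.sha1).digest()[:ICV_LEN]

def build_natt_esp_packet(src: str, dst: str, payload: bytes, key: bytes,
                          spi: int = 0x2002, seq: int = 1) -> bytes:
    esp_hdr = struct.pack("!II", spi, seq)
    esp = esp_hdr + payload + esp_icv(esp_hdr, payload, key)  # payload left unencrypted here
    udp = struct.pack("!HHHH", NATT_PORT, NATT_PORT, 8 + len(esp), 0)  # RFC 3948: UDP checksum zero
    return ipv4_header(src, dst, UDP_PROTO, 20 + 8 + len(esp)) + udp + esp

def verify_natt_esp(packet: bytes, key: bytes) -> bool:
    esp = packet[28:]                     # skip IPv4 (20) and UDP (8) headers
    esp_hdr, payload, icv = esp[:8], esp[8:-ICV_LEN], esp[-ICV_LEN:]
    return hmac.compare_digest(icv, esp_icv(esp_hdr, payload, key))

def nat_rewrite(packet: bytes, new_src: str, new_sport=None) -> bytes:
    """Simplified egress NAT: replace the source address, fix the IPv4 header
    checksum, and for UDP also replace the source port."""
    h = bytearray(packet[:20])
    h[12:16] = ipaddress.IPv4Address(new_src).packed
    h[10:12] = b"\x00\x00"
    h[10:12] = struct.pack("!H", ip_checksum(bytes(h)))
    body = packet[20:]
    if new_sport is not None and h[9] == UDP_PROTO:
        body = struct.pack("!H", new_sport) + body[2:]  # UDP checksum is zero, nothing to fix
    return bytes(h) + body

def demo() -> dict:
    payload = b"constructed inner datagram"
    ah = build_ah_packet("10.0.0.5", "203.0.113.10", payload, KEY)
    esp = build_natt_esp_packet("10.0.0.5", "203.0.113.10", payload, KEY)
    return {
        "ah_before_nat": verify_ah(ah, KEY),
        "ah_after_nat": verify_ah(nat_rewrite(ah, "198.51.100.1"), KEY),
        "esp_before_nat": verify_natt_esp(esp, KEY),
        "esp_after_nat": verify_natt_esp(nat_rewrite(esp, "198.51.100.1", 61000), KEY),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'ICV ok' if ok else 'ICV failed, packet dropped'}")
```

Running the script shows the AH packet verifying before the NAT and failing after it, while the UDP-encapsulated ESP packet verifies in both cases even though its outer source address and UDP source port were rewritten. The same reasoning explains why IKE itself moves to UDP port 4500 once a NAT is detected: the NAT can translate the UDP header at will without touching anything the integrity check covers.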