As the name suggests, a VPN (Virtual Private Network) forms a virtual network on top of an existing physical network. This can be the Internet or a company network, for example. You can think of the VPN as a tunnel through which your data travels. With the help of various encryption methods, there is a safeguard that protects this tunnel and the data transmitted in it from manipulation and eavesdropping attempts. VPN solutions therefore represent a central security level in IT, since all communication is secured via a VPN, regardless of whether the applications themselves encrypt or not.
A VPN can be implemented in different ways. This makes it possible to use just one piece of software to set up a VPN. This is useful, for example, for the simple setup of home office workstations. In certain scenarios, however, hardware solutions are preferred - for example when company networks are connected via a VPN, since a suitable infrastructure for implementation is usually already available. In addition, the chosen encryption method represents a significant difference between various VPN solutions. Two of the most common of these methods are Internet Protocol Security (IPsec) and SSL. Since both hardware and software VPN mostly use these encryption methods, we first want to clarify the major differences between these two variants.
The distinction between hardware VPN and software VPN can be made on several levels. Nowadays, the question is usually whether a dedicated device fulfills all VPN functions or whether it is a software solution that is simply installed on an existing server, for example.
Especially in the past, hardware VPN often meant that a special chipset performed the encryption and decryption, which can result in higher throughput rates. Depending on the bandwidth required, this process can cause a lot of load and thus influence or limit other processes on the platform used. The speed of the VPN itself can be severely limited as a result. Even if this problem is no longer the focus of modern hardware and, above all, processors, for example with crypto instruction set extensions, this is still quite relevant, depending on the application. For most routers and other appliances, e.g. B. from Cisco and Juniper, you can still find corresponding hardware modules that provide a different number of VPN tunnels and bandwidth depending on the model.
IPsec is actually a collection of protocols in which complete encryption of the data traffic taking place over it is achieved in two phases. In the first phase, authentication and encryption procedures are negotiated and then exchanged. Authentication is possible using an agreed shared key (“pre-shared keys”) or alternatively with a certificate. In the second phase, so-called security associations are created, which are used to protect the entire communication.
The configuration of IPsec is relatively complex and is therefore often prone to configuration errors. The use of IPsec behind NAT or operation via current Internet connections that no longer provide individual public IPv4 IP addresses for individual customers is also particularly challenging. Internet providers often provide many customers with just one IPv4 address (using the so-called "Carrier Grade NAT"). This operation in parallel ("dual stack") can make the use of IPsec completely impossible or lead to significant additional work when configuring the VPN.
Since Authentication Header (AH) or Encapsulating Security Payload (ESP) are used to ensure the authenticity and integrity of the transmitted data (both are protocols that are directly based on IP), use behind NAT is only possible with the help of solutions such as NAT -Traversal or IPsec passthrough possible. In order to implement this, a more extensive configuration is required on the routers involved.
An SSL VPN – or increasingly also referred to by the more modern term “TLS VPN” – makes it possible to set up a VPN via an encrypted TLS connection. A well-known example of such an SSL VPN solution is the open source software OpenVPN. In contrast to IPsec, this is free software that uses OpenSSL or mbed TLS for encryption. Depending on the application, TCP or UDP can be used to transport the data and the ports involved can be freely selected. This makes this type of VPN very flexible and versatile.
As with IPsec, pre-shared keys and certificates can be used for authentication. In addition to a routing mode on layer 3 of the OSI model, OpenVPN also offers a bridging mode, which can be used to send Ethernet frames. The use in a scenario in which the use of NAT is necessary is relatively easy to implement with OpenVPN, since only the corresponding ports of the selected protocol (TCP/UDP) have to be forwarded.
However, it should not go unmentioned that the remote station is happy to come up with the argument that this is the industry standard and because of security. As a result, however then used IKEv1, sent a preshared key via plaintext mail and took md5 as hash. In principle, old rancid parameters that have not had the status "safe" for a long time.
When configured correctly, both solutions offer strong encryption and thus security for the transmission of your data. The main differences are speed, complexity and compatibility. Due to the increased overhead of the protocol stack, IPsec is a little slower compared to, for example, SSL VPN like OpenVPN. In addition, the configuration is more extensive, so experience has shown that problems occur more frequently during setup. IPsec is supported on practically all client systems, mostly without additional software. Even on mobile devices, IPsec can usually be used without much effort. SSL VPN solutions, on the other hand, often require a client, which can lead to dependencies on certain operating systems.
In principle, it is not possible to give a general recommendation for one of the two solutions, since the respective application, the devices involved and other parameters must be taken into account. However, from the above, it can be concluded that IPsec should only be preferred if the remote station cannot do anything else. It is always better to try to use OpenVPN beforehand.
IPsec |
SSL- / TLS-VPN |
|||
|
+ |
Compatibility with virtually all end devices |
+ |
Very easy configuration |
|
|
+ |
Often does not require any post-installed software |
+ |
Is very fast |
|
|
+ |
Can be extensively configured or adapted |
+ |
NAT between the endpoints is less of a problem |
|
|
- |
Is more complicated in the configuration and possible troubleshooting |
- |
May be incompatible with specific end devices |
|
|
- |
Is a bit slower |
- |
Often requires an additional application on end devices |
|
|
- |
Can be problematic with NAT between the endpoints |
|||
|
- |
Effectively uses old parameters like IKEv1, a preshared key via plaintext mail and md5 as hash |