
4. Security matters

SSL versus IPSEC is a common discussion topic.

A sad reality is that most attacks come from inside an organisation, while most of the protection effort is spent on the outside. A good practice is to force all outgoing traffic other than SSL through a transparent proxy, to block all incoming traffic, and to port-forward only the absolute minimum (HTTP, HTTPS, SSL, SMTP, NTP, OpenVPN).

At fridu.org we have selected SSL over IPSEC for its ability to work through Dynamic DNS, NAT and proxy devices. In the real world of small configurations you rarely have direct access to the Internet.

  • The Internet access delivered by your DSL provider is unlikely to be on a fixed IP address, forcing you to use DynDNS.
  • It is more than likely that when you are on the road in a hotel, your Internet connection will be offered via Network Address Translation (NAT).
  • If you set up your VPN to connect to your home server from the office, you will likely be required to work through an HTTP proxy.

In an SSL-based VPN the security level is influenced by:

  • The key management policy. At fridu.org, we have selected a Public Key Infrastructure (PKI) with self-signed certificates, for cost reasons.
  • Your firewall configuration for incoming and outgoing traffic.
  • Your authentication process.

The principles described in our wiki page will guide you through the creation of a PKI using the easy-rsa toolkit. Easy-rsa is only a set of scripts running openssl commands, but it will make your life easy.

We will set up a Certificate Authority (CA) which will create and distribute all keys. The distribution method is up to you, and the level of required security will depend on your business. Encrypted email with a shared secret passed over the phone (GSM if you are paranoid), scp/sftp file transfer, or a direct copy during a site visit should be enough for standard businesses. At fridu.org, we use sftp.
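The CA workflow described in the two paragraphs above, as an added example that is neither fridu's nor easy-rsa's own code: the same openssl commands the easy-rsa scripts wrap, building a CA, issuing a server and a client certificate, verifying each against the CA, and printing the CA fingerprint to read out over the phone when ca.crt is distributed. The directory variable PKI and the names example-CA, vpn-server, laptop and rogue are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not fridu's or easy-rsa's code): a minimal OpenVPN-style PKI
# with plain openssl. $PKI is an assumed working directory; all names are made up.
set -e
PKI="${PKI:-$(mktemp -d)}"

# Step 1: the CA, a key pair plus a self-signed root certificate.
# basicConstraints/keyUsage mark it as a CA so verify accepts it as a trust anchor.
build_ca() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=example-CA" \
    -keyout "$PKI/ca.key" -out "$PKI/ca.csr"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$PKI/ca.ext"
  openssl x509 -req -days 3650 -in "$PKI/ca.csr" -signkey "$PKI/ca.key" \
    -extfile "$PKI/ca.ext" -out "$PKI/ca.crt"
}

# Step 2: issue a peer certificate ($1 = common name, $2 = server|client).
# The extendedKeyUsage is what OpenVPN's remote-cert-tls option checks, so a
# client certificate cannot be presented as the server's.
build_cert() {
  name="$1"; role="$2"
  if [ "$role" = server ]; then eku=serverAuth; else eku=clientAuth; fi
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$PKI/$name.key" -out "$PKI/$name.csr"
  printf 'extendedKeyUsage=%s\n' "$eku" > "$PKI/$name.ext"
  openssl x509 -req -days 365 -in "$PKI/$name.csr" -extfile "$PKI/$name.ext" \
    -CA "$PKI/ca.crt" -CAkey "$PKI/ca.key" -CAcreateserial -out "$PKI/$name.crt"
}

# Check that a certificate chains to our CA and fits its role ($2 = server|client).
verify_cert() {
  openssl verify -CAfile "$PKI/ca.crt" -purpose "ssl$2" "$PKI/$1.crt" >/dev/null 2>&1
}

# A self-signed certificate from outside the PKI; verify_cert must reject it.
rogue_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=rogue" \
    -keyout "$PKI/rogue.key" -out "$PKI/rogue.crt"
}

# Fingerprint of ca.crt, to be read out over the phone so the recipient can
# confirm the copy they received before trusting it.
ca_fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$PKI/ca.crt"
}

if [ "${1:-}" = run ]; then
  build_ca; build_cert vpn-server server; build_cert laptop client
  verify_cert vpn-server server && verify_cert laptop client && ca_fingerprint
fi
```

Run it as `sh pki.sh run`; the generated ca.crt, vpn-server.crt/.key and laptop.crt/.key are the files an OpenVPN server and client configuration point at.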

If you want to know more about the various alternatives, you can visit OpenVPN.
