

alamarco
o.O

join:2003-06-18
Windsor, ON

 VPN vs SSH

I'm wondering what type of encryption is used in VPN and SSH?

VPN has PPTP, L2TP, and IPSEC which I assume will have different levels of encryption? From what I understand IPSEC is the most secure level of VPN. Why is that? How does it compare to SSH encryption?

Most things I've found indicate that SSH is more useful when one wants to encrypt only certain applications because it will create less network overhead instead of having to encrypt the whole connection.

I've Googled a bit to find out this information, however that's all I've really come up with.


Ryan
Premium
join:2001-03-03
Attleboro, MA


1 edit
Security wise, not really sure that either one has been proven to be better. Although someone might have more info on that one. I personally like ssh better, especially when it comes to smaller environments such as small businesses or home networks. Like you said, vpn encrypts every connection where ssh creates a secured tunnel.

What type of networking are you planning on using it with, or are you just looking for information? I personally choose ssh as I find it to be a more reliable connection, especially where my upload speed is lacking. Like I said, I'm not sure of the exact comparison of the security techniques, but I feel pretty secure with ssh encryption with a 4096 bit key.


alamarco
o.O

join:2003-06-18
Windsor, ON

Right now I use an SSH tunnel when I'm away from home. I have it set up using a key (I think 4096 as well). I tend to encrypt all traffic through a series of tunnels, which is why I think a VPN would be more convenient.

My problem is I don't know much about the VPN besides basics so I really have no background on what the best option would be. I'd rather learn more about VPN than be told just use VPN or just use SSH since my situation may change and knowing both technologies would allow me to reassess my own situation in the future.


Ryan
Premium
join:2001-03-03
Attleboro, MA


1 edit
I just searched and found this page to have a good accurate comparison of the two. www.geo.umn.edu/computer/ssh_vpn.html

Like stated on the page, a vpn is more for access to multiple network resources. It encrypts all traffic until it passes through the vpn and is opened into the internal network as if you were sitting on a networked computer.

An ssh tunnel however directs you to a specific network resource and remains encrypted.

Again, not sure how you are set up over there. What I do is I have an ssh server set up and also a proxy server. All web based communications I need encrypted to home go through the one tunnel and are directed to the proxy server. The other tunnel is created if I need to rdp into specific machines.

jp10558
Premium
join:2005-06-24
Willseyville, NY
reply to alamarco
If you want easy VPN, look into Hamachi.cc from Logmein.

If you are willing to spend a little effort on it, OpenVPN is not that difficult to get going.


alamarco
o.O

join:2003-06-18
Windsor, ON

reply to Ryan
Thanks for that link. Just finished going through with it and I think I understand VPN a little bit better. From my understanding now, a VPN will only encrypt traffic through the VPN connection and once you reach the VPN server it will decrypt the traffic. So a security concern would be a sniffer on the VPN server network.

As far as encryption goes, the link didn't really explain much here. However, when looking around at my VPN implementation I found the following information in the logs.


The main things I get from that is SHA1, AES256 and 1024 bit RSA. I'm pretty sure SSH uses more secure forms of encryption than this. So, unless I'm wrong, SSH would provide a more secure encryption protocol at the expense of slower speeds.

Am I right? Wrong?


nwrickert
sand groper
Premium,MVM
join:2004-09-04
Geneva, IL
The chances are that SSH is using AES256, and probably RSA for the initial key exchange.

Graycode

join:2006-04-17
·net2phone

reply to alamarco
VPN makes my PC with its LAN IP appear like it's attached to the network on the other side of the VPN. That lets the network pass things like NetBios, UDP, and LAN broadcast packets if the VPN policy allows them. Generally a server that I'm communicating with in a VPN tunnel sees my LAN IP and that would be traceable back to the establishment of the VPN.

SSH tunnels issue network requests on behalf of my PC. A server that I'm communicating with via SSH tunnel sees the requests as originating from the IP of the SSH server. It can be more difficult to trace SSH tunnel activity back to the originating external PC.

VPN is a bit more flexible and allows for somewhat better logging and interior control where needed. IPSEC VPN can be difficult to set up. I think PPTP and L2TP are primarily Windows transport variants. SSH is easier to set up, yet it's more difficult to track or control its TCP usage within the target network.

As for the encryption methods, that depends on what's implemented and available on both ends. When measuring "bits", don't get confused about keys used to authenticate & establish a connection vs. what is used during content transport encryption.

There may be more in the Virtual Private Networking forum.


SoonerAl
Old Enough To Know Better
Premium,MVM
join:2002-07-23
Norman, OK

 reply to alamarco
said by alamarco:

So, unless I'm wrong, SSH would provide a more secure encryption protocol at the expense of slower speeds.

Am I right? Wrong?
I get, or at least that is my perception, faster response when using an SSH tunnel to access shares (SFTP) on my SSH server versus using a PPTP VPN to access shares on the same machine when it's set up as a PPTP VPN server. As always, YMMV...
--
"When all else fails, read the instructions..."
MS-MVP Windows Networking 2003-2007


Ryan
Premium
join:2001-03-03
Attleboro, MA


2 edits
Same with me SoonerAl, I get a noticeably faster connection with ssh than I do using a vpn because vpn needs more bandwidth. I looked around last night oldchemist and really there is no solid evidence that one is more secure than the other. You're really talking equal security and neither has been proved to be a more secure algorithm. It's like saying which fruit tastes better, an apple or an orange; it's really all a matter of opinion.

What really depends on security is your configuration key size and controlling who has access to these keys. SSH supports multiple encryption options: AES, Blowfish, RC4. AES is mostly used as long as you are using ssh2 and the encryption will be chosen based on your key size. Whichever method you choose, VPN or SSH, don't use passwords, use keyfiles.

What you really need to look at is the functionality of both methods and decide which one fits your network best. If you're only using a handful of computers, stick with ssh as it is more responsive. If you're connecting to more than a handful of different computers, a vpn might be a better option as you won't have to add different tunnels for each connection.


alamarco
o.O

join:2003-06-18
Windsor, ON

reply to nwrickert
nwrickert: You're right, just checked my SSH server. It's running RSA at 4096-bit key. I guess, looking at this the SSH would be a little bit stronger due to the key? Although I doubt this has much of an effect?

Graycode: Talking about setups of VPN/SSH, I'm running OpenVPN, which according to their website is an SSL type VPN. According to OpenVPN's website they say that TLS (latest version of SSL) is one of the strongest security protocols.

SoonerAl, Ryan: Yeah, everywhere I see VPN being slower since it encrypts everything. Not sure why I posted that last comment as it doesn't make much sense.

I think I'll be able to experience the speeds myself on this upcoming Tuesday. This Thursday (tomorrow) I have two midterms so won't be able to test my connection away from home. Can't really test the speeds on my own network at home.


Epyon9283
Premium
join:2001-12-26
Dayton, NJ

reply to alamarco
L2TP isn't encrypted. It's generally used in conjunction with IPSec. PPTP isn't necessarily encrypted either. It can be though using MPPE.

SSH can be used as a VPN on non-windows machines. https://help.ubuntu.com/community/SSH_VPN

Graycode

join:2006-04-17
·net2phone

reply to alamarco
said by alamarco:

It's running RSA at 4096-bit key. I guess, looking at this the SSH would be a little bit stronger due to the key? Although I doubt this has much of an effect?
It's easy to confuse the methods for authentication with whatever encryption is done for the content after the connection is accepted & established. 4096-bit RSA is an authentication method.

The content encryption method is negotiated depending on what each side supports. Below are some C code definitions for SSH. I think most implementations do not (or should not) support 0 but even that seems to be an option.
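
The point made in the post above, as an added example that is not part of the original thread: in SSH-2 (RFC 4253, section 7.1) each side sends ordered name-lists, and the transport cipher and MAC are the first names on the client's list that the server also offers, independent of the size of the RSA key used for authentication. The name-lists are constructed sample values, `negotiate` and `audit` are hypothetical helper names, and the two traffic directions are collapsed into one list for brevity.

```python
"""Simplified SSH-2 cipher/MAC negotiation (RFC 4253, section 7.1)."""

# Transport ciphers a defender would not want a session to end up with.
WEAK_CIPHERS = {"none", "arcfour", "3des-cbc", "blowfish-cbc"}


def negotiate(client_list, server_list):
    """Return the first client preference that the server also supports."""
    server = set(server_list)
    for name in client_list:
        if name in server:
            return name
    raise ValueError("no common algorithm: the connection is refused")


def audit(client_kexinit, server_kexinit):
    """Negotiate each category and flag a weak transport cipher."""
    chosen = {
        category: negotiate(client_kexinit[category], server_kexinit[category])
        for category in client_kexinit
    }
    chosen["weak_cipher"] = chosen["encryption"] in WEAK_CIPHERS
    return chosen


# Constructed sample name-lists (not captured from a real host).
CLIENT = {
    "encryption": ["aes256-ctr", "aes128-ctr", "3des-cbc"],
    "mac": ["hmac-sha2-256", "hmac-sha1"],
}
SERVER_MODERN = {
    "encryption": ["aes128-ctr", "aes256-ctr"],
    "mac": ["hmac-sha1", "hmac-sha2-256"],
}
# A server whose only cipher in common with the client is a legacy one.
# Its host key could still be 4096-bit RSA; that plays no part here.
SERVER_LEGACY = dict(SERVER_MODERN, encryption=["3des-cbc", "none"])

if __name__ == "__main__":
    for label, server in (("modern", SERVER_MODERN), ("legacy", SERVER_LEGACY)):
        print(label, audit(CLIENT, server))
```

On a real OpenSSH client, `ssh -Q cipher` lists the ciphers the client supports and `ssh -vv` shows the names both sides offered and the ones selected.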



Daniel
Premium,MVM
join:2000-06-26
Pleasanton, CA


1 edit
reply to alamarco
Remember that the encryption of a connection isn't the only security consideration. You also need to think about how you are authenticating. So imagine that your company allows remote access from the Internet with 256-bit AES. That's good, right? Well, maybe not if you can create one of these tunnels into your network using a simple username and password. Consider two-factor authentication or a *very* strong security policy if passwords are used.

Basically, if it's easy to gain access to your remote access avenue then it doesn't really matter how secure it is once it's set up. Always remember to use as strong of an authentication system as possible in addition to using strong encryption.

Cheers,

-Daniel
--
dmiessler.com -- grep understanding knowledge


alamarco
o.O

join:2003-06-18
Windsor, ON
Thanks for the replies guys. I was in the state of mind that the encryption was for everything. Although now I understand that you need a strong authentication method as well as your strong encryption.
© 1999-2010 dslreports.com