 RyanPremium join:2001-03-03 Quincy, MA 1 edit | reply to alamarco
Re: VPN vs SSH I just searched and found this page to have a good, accurate comparison of the two. »www.geo.umn.edu/computer/ssh_vpn.html
As stated on the page, a VPN is more for access to multiple network resources. It encrypts all traffic until it passes through the VPN and is opened into the internal network as if you were sitting on a networked computer.
An SSH tunnel, however, directs you to a specific network resource and remains encrypted.
Again, not sure how you are set up over there. What I do is I have an SSH server set up and also a proxy server. All web based communications I need encrypted to home go through the one tunnel and are directed to the proxy server. The other tunnel is created if I need to RDP into specific machines. |
|
 alamarcoThe Amazing Spider-ManPremium join:2003-06-18 Windsor, ON
| Thanks for that link. Just finished going through with it and I think I understand VPN a little bit better. From my understanding now, a VPN will only encrypt traffic through the VPN connection and once you reach the VPN server it will decrypt the traffic. So a security concern would be a sniffer on the VPN server network.
As far as encryption goes, the link didn't really explain much here. However, when looking around at my VPN implementation I found the following information in the logs.
Tue Nov 13 19:48:53 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 13 19:48:53 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 13 19:48:53 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 13 19:48:53 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 13 19:48:53 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
The main things I get from that are SHA1, AES256 and 1024 bit RSA. I'm pretty sure SSH uses more secure forms of encryption than this. So, unless I'm wrong, SSH would provide a more secure encryption protocol at the expense of slower speeds.
Am I right? Wrong? |
|
 nwrickertsand groperPremium,MVM join:2004-09-04 Geneva, IL kudos:7 | The chances are that SSH is using AES256, and probably RSA for the initial key exchange. |
|
 SoonerAlOld enough to know betterPremium,MVM join:2002-07-23 Norman, OK kudos:5 | reply to alamarco
said by alamarco: "So, unless I'm wrong, SSH would provide a more secure encryption protocol at the expense of slower speeds. Am I right? Wrong?"
I get, or at least that is my perception, faster response when using an SSH tunnel to access shares (SFTP) on my SSH server versus using a PPTP VPN to access shares on the same machine when it's set up as a PPTP VPN server. As always, YMMV...
-- "When all else fails, read the instructions..." MS-MVP Windows Networking 2003-2007 |
|
 RyanPremium join:2001-03-03 Quincy, MA 2 edits | Same with me SoonerAl, I get a noticeably faster connection with ssh than I do using a vpn because vpn needs more bandwidth. I looked around last night oldchemist and really there is no solid evidence that one is more secure than the other. You're really talking equal security and neither has been proved to be a more secure algorithm. It's like saying which fruit tastes better, an apple or an orange; it's really all a matter of opinion.
What really depends on security is your configuration key size and controlling who has access to these keys. SSH supports multiple encryption options: AES, Blowfish, RC4. AES is mostly used as long as you are using ssh2 and the encryption will be chosen based on your key size. Whichever method you choose, VPN or SSH, don't use passwords, use keyfiles.
What you really need to look at is the functionality of both methods and decide which one fits your network best. If you're only using a handful of computers, stick with ssh as it is more responsive. If you're connecting to more than a handful of different computers, a vpn might be a better option as you won't have to add different tunnels for each connection. |
|
 alamarcoThe Amazing Spider-ManPremium join:2003-06-18 Windsor, ON
| reply to nwrickert nwrickert : You're right, just checked my SSH server. It's running RSA at 4096-bit key. I guess, looking at this the SSH would be a little bit stronger due to the key? Although I doubt this has much of an effect?
Graycode : Talking about setups of VPN/SSH, I'm running OpenVPN, which according to their website is an SSL type VPN. According to OpenVPN's website they say that TLS (latest version of SSL) is one of the strongest security protocols.
SoonerAl , Ryan : Yeah everywhere I see VPN being slower since it encrypts everything. Not sure why I posted that last comment as it doesn't make much sense.
I think I'll be able to experience the speeds myself on this upcoming Tuesday. This Thursday (tomorrow) I have two midterms so won't be able to test my connection away from home. Can't really test the speeds on my own network at home. |
|
| said by alamarco: "It's running RSA at 4096-bit key. I guess, looking at this the SSH would be a little bit stronger due to the key? Although I doubt this has much of an effect?"
It's easy to confuse the methods for authentication with whatever encryption is done for the content after the connection is accepted & established. 4096-bit RSA is an authentication method.
The content encryption method is negotiated depending on what each side supports. Below are some C code definitions for SSH. I think most implementations do not (or should not) support 0 but even that seems to be an option.
#define SSH_CIPHER_NONE 0 /* no encryption */
#define SSH_CIPHER_IDEA 1 /* IDEA CFB */
#define SSH_CIPHER_DES 2 /* DES CBC */
#define SSH_CIPHER_3DES 3 /* 3DES CBC */
#define SSH_CIPHER_BROKEN_TSS 4 /* TRI's Simple Stream encryption CBC */
#define SSH_CIPHER_BROKEN_RC4 5 /* Alleged RC4 */
#define SSH_CIPHER_BLOWFISH 6
#define SSH_CIPHER_RESERVED 7
|
|
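The distinction drawn in the last reply, between the key used for authentication and the cipher that protects the content, can be read directly from the OpenVPN startup log quoted earlier in the thread. The following is an added example, not part of any post: a Python parser that groups those log lines by channel and flags weak parameters. The function names and the policy thresholds (64-bit block ciphers, RSA below 2048 bits, SSLv3/TLSv1) are assumptions of this example.

```python
import re

# Log lines copied from the OpenVPN log quoted in the thread.
LOG = """\
Tue Nov 13 19:48:53 2007 Data Channel Encrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 13 19:48:53 2007 Data Channel Encrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 13 19:48:53 2007 Data Channel Decrypt: Cipher 'BF-CBC' initialized with 128 bit key
Tue Nov 13 19:48:53 2007 Data Channel Decrypt: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Nov 13 19:48:53 2007 Control Channel: TLSv1, cipher TLSv1/SSLv3 DHE-RSA-AES256-SHA, 1024 bit RSA
"""

CIPHER_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Cipher '([^']+)' initialized with (\d+) bit key")
HMAC_RE = re.compile(r"Data Channel (Encrypt|Decrypt): Using (\d+) bit message hash '([^']+)' for HMAC")
CONTROL_RE = re.compile(r"Control Channel: ([^,\s]+), cipher \S+ ([^,\s]+), (\d+) bit (\w+)")

# Example policy: assumptions of this sketch, not OpenVPN defaults.
BLOCK64 = ("BF-", "DES-", "CAST5-")  # cipher names with a 64-bit block size
MIN_RSA_BITS = 2048
OLD_PROTOCOLS = {"SSLv3", "TLSv1"}

def parse(text):
    """Group the negotiated parameters by the channel they protect."""
    out = {"data": {}, "control": None}
    for line in text.splitlines():
        if m := CIPHER_RE.search(line):
            out["data"].setdefault(m[1].lower(), {})["cipher"] = (m[2], int(m[3]))
        elif m := HMAC_RE.search(line):
            out["data"].setdefault(m[1].lower(), {})["hmac"] = (m[3], int(m[2]))
        elif m := CONTROL_RE.search(line):
            out["control"] = {"protocol": m[1], "suite": m[2], "key_type": m[4], "key_bits": int(m[3])}
    return out

def audit(parsed):
    """Return findings, each labelled with the channel it concerns."""
    findings = []
    for direction, params in sorted(parsed["data"].items()):
        name, _bits = params.get("cipher", ("none", 0))
        if name.startswith(BLOCK64):
            findings.append(f"data/{direction}: {name} uses a 64-bit block")
    ctl = parsed["control"]
    if ctl:
        if ctl["protocol"] in OLD_PROTOCOLS:
            findings.append(f"control: {ctl['protocol']} is an old protocol version")
        if ctl["key_type"] == "RSA" and ctl["key_bits"] < MIN_RSA_BITS:
            findings.append(f"control: {ctl['key_bits']}-bit RSA key is below {MIN_RSA_BITS}")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(parse(LOG))))
```

The parsed result shows AES256 and the 1024-bit RSA key on the TLS control channel, while the tunnelled traffic itself is protected by BF-CBC with HMAC-SHA1.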