SSH or IPSec?
shawngiese asks: "I'm looking for some feedback on which is the better way to make VPN connections - using SSHv2 or IPSec. My company apliware.com makes embedded Linux firewalls here in Switzerland. Our next firmware will be coming out with SSH added to IPSec, but during my tests I have noticed that the throughput of SSH is much faster when using the same ciphers. Are there any opinions on which has the better key exchange, and also whether the performance is better for SSH everywhere or just on our port/CPU? I assume since they both use the same ciphers that the data is as secure in one or the other. Of course IPSec offers full tunneling and encapsulation of more than just TCP, but I can SSH through almost any NAT box, and with the gain in throughput and many free clients for road warriors (even my Palm Pilot for terminal access) I wonder if SSH might not be the easier VPN than IPSec."
From what I can see, if it is Windows, you'll probably have an easier time deploying IPSec. In the land of Unix, SSH is sanctum. Sure, there are PuTTY and its workalikes to bring SSH to Windows, but to ask a Windows user to call PuTTY a VPN is asking for trouble.
SSH can tunnel any number of ports along with the actual login stream, so you could have multiple ports on your local box that get tunneled through the secure connection. Say your SSH session terminates (through a firewall) to a box on the corporate LAN, and you tunnel IMAP, MySQL, and Squid. Point mutt and mysql to localhost, and point your browser to localhost as a proxy. Voila - you have secure access, no special software required.
Stunnel can do the same thing, and is often faster because it only does the tunneling, and it doesn't need to transmit them all within the same single connection. Stunnel 4.x can handle multiple ports in separate threads like magic. End result though is that you can map the ports/services you actually require, and only those bits are open. Yes, it's not a VPN (unless you want PPP over SSH/SSL, see my comment below), but in most cases you don't need one.
(Weird coincidence: I'll be giving a talk Wednesday at Real World Linux about this very topic, and will be putting up the presentation when I get back. If anyone else is braving SARS in Toronto, stop by and say hi.)
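The multi-port forwarding setup described in the comment above, as an added example that is not part of the original post or of any product mentioned on the page. It builds one OpenSSH client invocation that carries IMAP, MySQL and Squid over a single login session, binding every local listener to loopback so that only the road warrior's own box can use the tunnel, and it includes a small check that rejects a forward specification bound to a network-facing address. The gateway name, service hosts and port numbers are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post. Gateway and service names below
# are assumptions chosen for illustration.

# build_tunnel_cmd GATEWAY "name:local_port:remote_host:remote_port ..."
# Prints a single ssh command that forwards each service through GATEWAY.
# Every -L listener is bound to 127.0.0.1 explicitly so the tunnel endpoints
# are reachable only from the local machine (ssh defaults to loopback unless
# GatewayPorts is enabled, but stating it removes the dependency on config).
# -N          : no remote shell, just the forwards
# ExitOnForwardFailure : fail loudly if a local port is already taken instead
#                        of silently leaving the service unreachable
# ServerAliveInterval  : keep NAT state alive on idle links
build_tunnel_cmd() {
    gateway=$1
    specs=$2
    cmd="ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30"
    for spec in $specs; do
        lport=$(printf '%s' "$spec" | cut -d: -f2)
        rhost=$(printf '%s' "$spec" | cut -d: -f3)
        rport=$(printf '%s' "$spec" | cut -d: -f4)
        cmd="$cmd -L 127.0.0.1:$lport:$rhost:$rport"
    done
    printf '%s %s\n' "$cmd" "$gateway"
}

# check_forward_bind SPEC
# Returns 0 when a -L / LocalForward specification keeps the listener on
# loopback, 1 when it would expose the tunnel to the network.
#   "127.0.0.1:143:localhost:143"  -> 0 (explicit loopback)
#   "143:localhost:143"            -> 0 (no bind address: ssh's default is loopback)
#   "0.0.0.0:3306:db:3306"         -> 1 (listens on every interface)
#   "*:3128:proxy:3128"            -> 1 (same, OpenSSH wildcard syntax)
check_forward_bind() {
    spec=$1
    case "$spec" in
        127.0.0.1:*:*:*|localhost:*:*:*|"[::1]:"*:*:*) return 0 ;;
        *:*:*:*) return 1 ;;   # four fields with a non-loopback bind address
        *) return 0 ;;         # three fields: implicit loopback bind
    esac
}

# Usage: the three services from the comment above (hostnames assumed).
build_tunnel_cmd gw.example.com \
    "imap:143:mail:143 mysql:3306:db:3306 squid:3128:proxy:3128"
```

With the printed command running, mutt talks to 127.0.0.1:143, the mysql client to 127.0.0.1:3306, and the browser uses 127.0.0.1:3128 as its proxy, exactly as the comment describes; nothing else on the LAN is reachable, because only those three remote host:port pairs are forwarded and each listener is loopback-only. The same three lines can be placed in `~/.ssh/config` as `LocalForward 127.0.0.1:143 mail:143` and so on, which is the form the bind check is meant to review.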