Slashdot Mirror


SSH or IPSec?

shawngiese asks: "I'm looking for some feedback on which is the better way to make VPN connections - using SSHv2 or IPSec. My company apliware.com makes embedded linux firewalls here in Switzerland. Our next firmware will be coming out with SSH added to IPSec, but during my tests I have noticed that the throughput of SSH is much faster when using the same ciphers. Are there any opinions on which has the better key exchange, and also on whether the performance is better for SSH everywhere or just on our port/CPU? I assume that since they both use the same ciphers the data is as secure in one as in the other. Of course IPSec offers full tunneling and encapsulation of more than just TCP, but I can SSH through almost any NAT box, and with the gain in throughput and many free clients for road warriors (even my Palm Pilot for terminal access) I wonder if SSH might not be the easier VPN than IPSec."

3 of 43 comments

  1. And the answer is... by PD · Score: 4, Interesting

    ssh.

    As a consultant I've had to work with different remote access solutions, and everything except for ssh is a huge pain in the ass. Some of them don't work with anything but Windows, and most of them are too complicated for a large organization to figure out. If you're a big company and you don't want to frustrate your users, go with ssh. Otherwise, you're going to condemn everyone who wants to get hooked up to at least 4 weeks of phone call support hell.

  2. Re:SSH is my preference by GigsVT · Score: 2, Interesting

    What about the TCP over TCP avalanche problem that the CIPE guys like to talk about? Is that just something they made up to push CIPE?

    --
    I've had enough abrasive sigs. Kittens are cute and fuzzy.

  3. I prefer ssh by Fished · Score: 2, Interesting

    I've had very poor experiences with IPSEC-based products - they tend to be more or less flaky. Also, newer versions of ssh have the ability to run a SOCKS4 server (using the -D option) - I then point Mozilla at that (Chimera is my "regular" browser). Between that and X-windows/vnc, I can do everything I need to and don't have to have some nasty, proprietary client. (Furthermore, everything I need is included in the OS - which means I can get in from just about any computer, anywhere with a net connection.)

    --
    "He who would learn astronomy, and other recondite arts, let him go elsewhere." -- John Calvin, commenting on Genesis 1
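The comment above relies on the SOCKS4 listener that `ssh -D` opens on the client machine. The following is an added example, written for this page and not code from the thread, OpenSSH or any product named here: it encodes and decodes the SOCKS4 CONNECT handshake that a browser performs against that local port, and runs the exchange between a client function and a stand-in "proxy" on the loopback interface so it works offline. The stand-in does no forwarding and its destination-port policy (`ALLOWED_PORTS`) is a hypothetical stand-in for whatever the real SSH server can reach. The point worth seeing in the bytes: the only identity in a SOCKS4 request is the unauthenticated USERID string, which is why `ssh -D` binds to the loopback address by default; binding it on other interfaces would hand every host that can reach the port an unauthenticated proxy through the SSH session.

```python
import socket
import struct
import threading

# Constructed example, not from the Slashdot thread: a minimal SOCKS4 CONNECT
# exchange of the kind a browser performs against the local port that
# `ssh -D` opens. Both sides run on the loopback interface so the script
# runs offline; the "proxy" here is a stand-in that only answers the
# handshake and applies a destination-port policy; it forwards nothing.

SOCKS4_VERSION = 4
CMD_CONNECT = 1
REPLY_GRANTED = 90    # request granted
REPLY_REJECTED = 91   # request rejected or failed

# Hypothetical policy for the stand-in proxy: only these destination ports are granted.
ALLOWED_PORTS = {80, 443}


def build_socks4_connect(dst_ip: str, dst_port: int, userid: str = "") -> bytes:
    """Encode a SOCKS4 CONNECT request: VN(1) CD(1) DSTPORT(2) DSTIP(4) USERID NUL."""
    return (struct.pack("!BBH4s", SOCKS4_VERSION, CMD_CONNECT, dst_port,
                        socket.inet_aton(dst_ip))
            + userid.encode("ascii") + b"\x00")


def parse_socks4_connect(data: bytes):
    """Decode a SOCKS4 CONNECT request; returns (dst_ip, dst_port, userid) or raises ValueError."""
    if len(data) < 9 or data[-1] != 0:
        raise ValueError("truncated or unterminated SOCKS4 request")
    vn, cd, port, raw_ip = struct.unpack("!BBH4s", data[:8])
    if vn != SOCKS4_VERSION or cd != CMD_CONNECT:
        raise ValueError("not a SOCKS4 CONNECT request")
    # USERID is a free-form string: the proxy cannot verify it, so it is not authentication.
    return socket.inet_ntoa(raw_ip), port, data[8:-1].decode("ascii", "replace")


def build_socks4_reply(granted: bool) -> bytes:
    """Encode the 8-byte SOCKS4 reply: VN(0) CD(90|91) DSTPORT(2) DSTIP(4)."""
    return struct.pack("!BBH4s", 0, REPLY_GRANTED if granted else REPLY_REJECTED, 0, b"\x00" * 4)


def parse_socks4_reply(data: bytes) -> bool:
    """Return True when the proxy granted the CONNECT."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError("malformed SOCKS4 reply")
    return data[1] == REPLY_GRANTED


def serve_one(listener: socket.socket) -> None:
    """Stand-in proxy: read one request, answer according to ALLOWED_PORTS, close."""
    conn, _ = listener.accept()
    with conn:
        req = b""
        while not req.endswith(b"\x00"):  # read until the USERID terminator
            chunk = conn.recv(256)
            if not chunk:
                return
            req += chunk
        try:
            _ip, port, _user = parse_socks4_connect(req)
            conn.sendall(build_socks4_reply(port in ALLOWED_PORTS))
        except ValueError:
            conn.sendall(build_socks4_reply(False))


def socks4_connect_via_proxy(proxy_port: int, dst_ip: str, dst_port: int) -> bool:
    """Client side: send CONNECT to the loopback proxy and return whether it was granted."""
    with socket.create_connection(("127.0.0.1", proxy_port), timeout=5) as s:
        s.sendall(build_socks4_connect(dst_ip, dst_port, "browser"))
        reply = b""
        while len(reply) < 8:
            chunk = s.recv(8 - len(reply))
            if not chunk:
                raise ConnectionError("proxy closed before replying")
            reply += chunk
    return parse_socks4_reply(reply)


def run_exchange(dst_port: int) -> bool:
    """Start the stand-in proxy on an ephemeral loopback port and run one CONNECT against it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # loopback only, like the default bind of ssh -D
    listener.listen(1)
    proxy_port = listener.getsockname()[1]
    t = threading.Thread(target=serve_one, args=(listener,), daemon=True)
    t.start()
    try:
        # 203.0.113.10 is a documentation address used here as a constructed destination.
        return socks4_connect_via_proxy(proxy_port, "203.0.113.10", dst_port)
    finally:
        t.join(timeout=5)
        listener.close()


if __name__ == "__main__":
    print("CONNECT to :443 granted:", run_exchange(443))  # True
    print("CONNECT to :25 granted:", run_exchange(25))    # False
```

Running the script performs two handshakes: a CONNECT to port 443 is granted and one to port 25 is rejected by the stand-in policy. Against a real `ssh -D` listener the same request bytes would be answered by the SSH client after it asks the remote sshd to open the TCP connection, which is the mechanism that lets a browser pointed at the proxy reach the far side of the tunnel.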