Are there any reasons for using SSL over IPSec?
is it recommended to use both protocols together? In which situation?
Sure. Say I am in a different country and don't want my internet traffic snooped on. I can use IPSec to tunnel the internet traffic back to a server in my home country. Once that traffic leaves that server in my home country it will no longer be encrypted. So I use SSL to connect to, for example, a web mail server.
I don't understand if you mean that from first country to my home the flow is encrypted with IPsec, and from my home to the mail server it is encrypted with SSL, or you mean that I use IPsec and SSL simultaneously from first country?
Well technically from the first country to your home the connection would be encrypted with IPSec and SSL. When it reaches your home country, IPSec is removed and only SSL remains.
There are different layers of secure transport to consider here:
- SSL VPN (including tunnels)
- IPSec VPN
- SSL/TLS for individual services
IPSec vs SSL VPNs
Both SSL and IPSec VPNs are good options, both with considerable security pedigree, although they may suit different applications.
IPsec VPNs operate at layer 3 (network), and in a typical deployment give full access to the local network (although access can be locked down via firewalls and some VPN servers support ACLs). This solution is therefore better suited to situations where you want remote clients to behave as if they were locally attached to the network, and is particularly good for site-to-site VPNs. IPSec VPNs also tend to require specific software supplied by the vendor, which is harder to maintain on end-user devices, and restricts usage of the VPN to managed devices.
SSL VPNs are often cited as being the preferred choice for remote access. They operate on layers 5 and 6, and in a typical deployment grant access to specific services based on the user's role, the most convenient of which are browser-based applications. It is usually easier to configure an SSL VPN with more granular control over access permissions, which can provide a more secure environment for remote access in some cases. Furthermore, SSL/TLS is inherently supported by modern devices, and can usually be deployed without the need for specialist client-side software, or with lightweight browser-based clients otherwise. These lightweight clients can often also run local checks to ensure that connecting machines meet certain requirements before they are granted access - a feature that would be much harder to achieve with IPSec.
In both cases one can be configured to achieve similar things as the other - SSL VPNs can be used to simply create a tunnel with full network access, and IPSec VPNs can be locked-down to specific services - however it is widely agreed that they are better suited to the above scenarios.
However, for exactly these reasons, many organisations will use a combination of both; often an IPSec VPN for site-to-site connections and SSL for remote access.
There are a number of references on the subject of SSL vs IPSec (some of these are directly from vendors):
In some of the above cases, such as IPSec VPNs and SSL VPN tunnels, you may not be getting end-to-end encryption with the actual service you're using. This is where using an additional layer of SSL/TLS comes in handy.
Say you're remote and trying to connect to an internally hosted web application via an IPSec VPN. If you use the HTTP protocol via your browser, your traffic is encrypted whilst it is running through the VPN tunnel itself, but it is then decrypted when it hits the remote VPN endpoint, and travels over the internal network in cleartext. This might be acceptable in some use cases, but in the interest of defence in depth, we ideally want to know that our data cannot be intercepted anywhere between you and the actual service itself. By connecting to this application over HTTPS, you effectively have two layers of security: one between you and the VPN endpoint, and another travelling through that (between you and the web server itself).
Of course, this is not limited to HTTPS - you should equally employ other secure protocols like SSH, FTPS, SMTP with STARTTLS etc etc.