Is the VPN encryption stronger than TLS

SSL VPN

SSL VPN is a type of remote access VPN and an alternative to IPsec. While most VPN techniques can be relatively complex and error-prone, SSL VPN can get through any firewall and network. The name SSL-VPN comes from the fact that it is based on the SSL or TLS standards.
SSL, and therefore SSL-VPN, cannot handle tunneling and is therefore only suitable for remote access or extranet applications. SSL-VPN is rather unsuitable for connecting sites to one another; that would be very awkward to set up.

How SSL VPN works


With an SSL VPN, the VPN client running on the client computer is usually a browser. The data is transferred over HTTPS from the browser to an HTTP server (web server), which serves as the VPN gateway. HTTPS is built into every browser and works practically anywhere, even through a firewall or a NAT router.
In order to be able to transfer data from outside the browser, a plug-in, Java applet or an ActiveX component is executed inside the browser, which serves as a gateway and which redirects the data via the encrypted connection.

Browser-based

A typical SSL VPN is a browser-based SSL VPN. All you need is a browser that supports SSL / TLS and a web server with the appropriate implementation. The connection is handled via HTTPS requests and responses between the browser and the server. In contrast to HTTP, the connection with HTTPS is encrypted.
However, there are no advantages to this type of VPN. No services outside of the browser, such as e-mail or file servers, can be used. This would require a web front end, such as a webmailer that runs in the browser.
In principle, access to a webmail service, as offered by various Internet service providers, is a browser-based SSL VPN.

Client-based

There are VPN clients that can also use SSL VPN. It is often used as a backup solution when a connection with IPsec or other VPN protocols is not possible, for example because a firewall is blocking the connection.
After a successful connection with SSL-VPN, the VPN client appears, as usual, as an additional network interface in the operating system.

Enhanced browser-based

With client-based SSL-VPNs you have to install a client in any case, so the advantages of a client-less VPN are lost. A purely browser-based SSL VPN, by comparison, cannot do very much. That is why client-based and browser-based SSL-VPN are combined with one another.
To do this, you set up an HTTPS connection to a server or gateway using your browser. HTTPS is built into every browser and works practically anywhere, even through a firewall or NAT router. The browser automatically downloads a Java or ActiveX application from the server or gateway. This application is executed by the browser and works as a TCP / UDP gateway to redirect the VPN connections via the browser.
This procedure only works to a limited extent on mobile devices because external applications cannot be executed in their browser.

How secure is SSL VPN?

SSL is made for online banking and eCommerce. There you benefit from being able to use it regardless of location and installed software. Customers only need an SSL / TLS-enabled browser. SSL-VPN works from almost every computer that has internet access, even from an insecure computer. For some use cases this is not safe enough. SSL / TLS does not support tunnels, which is actually a prerequisite for a secure VPN.

Basically, there is nothing wrong with securing VPN connections with SSL / TLS, if you take into account that the authentication of SSL / TLS is inadequate. It becomes more secure if you do not rely on the prevailing faulty CA model, but use self-issued certificates instead, although you then have to live with the effort of certificate administration.
You also have to take into account that the browsers that are "misused" as VPN clients may have security gaps or contain a faulty SSL implementation.
Another, possibly critical, point is that SSL only encrypts the data at the application level, but not all communication. This means that the establishment of the connection is unencrypted, the encryption is negotiated and only then is the data encrypted. It cannot be compared with the security that an IPsec solution promises. However, many of the encryption, key generation and hash methods used in SSL are also used in the IPsec and IKE protocols.

Before using SSL-VPN, you should therefore check whether SSL / TLS is secure enough for the desired application. If necessary, the SSL data traffic must also be controlled by a firewall and the connection options restricted.
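The negotiation described above is visible on the wire: the ClientHello that opens a TLS connection is sent before any encryption is in place. The following added example (not part of the original article) builds a constructed ClientHello and parses the fields a firewall or monitoring point can read from it; the hostname `vpn.example.test` and the function names are assumptions made for illustration.

```python
import struct

def build_client_hello(hostname, suites):
    """Constructed sample: a minimal TLS 1.2 ClientHello record carrying SNI."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # name type 0 = host_name
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list    # extension 0 = server_name
    body = (b"\x03\x03" + bytes(32) + b"\x00"                     # version, random, empty session id
            + struct.pack("!H", 2 * len(suites))
            + b"".join(struct.pack("!H", s) for s in suites)
            + b"\x01\x00"                                         # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body            # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs      # record type 22 = handshake

def parse_client_hello(record):
    """Return what a passive observer can read from the unencrypted ClientHello."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    try:
        pos = 2 + 32                                   # skip client version and random
        pos += 1 + body[pos]                           # skip session id
        n = struct.unpack("!H", body[pos:pos + 2])[0]
        suites = [struct.unpack("!H", body[i:i + 2])[0] for i in range(pos + 2, pos + 2 + n, 2)]
        pos += 2 + n
        pos += 1 + body[pos]                           # skip compression methods
        sni = None
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0] if pos + 2 <= len(body) else pos
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            if etype == 0x0000:                        # list len(2), type(1), name len(2), name
                nlen = struct.unpack("!H", body[pos + 7:pos + 9])[0]
                sni = body[pos + 9:pos + 9 + nlen].decode("ascii")
            pos += 4 + elen
    except (IndexError, struct.error):
        raise ValueError("truncated ClientHello")
    return {"sni": sni, "cipher_suites": suites}

if __name__ == "__main__":
    # Constructed input: hostname and cipher suite list are sample values.
    print(parse_client_hello(build_client_hello("vpn.example.test", [0xC02F, 0x009C])))
```

A firewall rule that restricts SSL-VPN traffic can match on exactly these fields (requested server name, offered cipher suites) without decrypting anything.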

Comparison: IPsec and SSL-VPN

IPsec and SSL cannot be compared directly with one another. Their orientation and purpose are too different for that.
IPsec works on the network level in a way that is transparent to the infrastructure and applications. In contrast, an SSL-VPN is just as transparent to the infrastructure, but is tied to the application and sits between the transport and application levels. An SSL VPN is usually quicker to set up, and there are fewer connection problems during operation.

The great advantage of SSL-VPN is that the installation of a VPN client is not absolutely necessary. All you need is an SSL-compatible browser and support for Java or ActiveX. Neither should be a problem on a standard PC. Java applets in particular work independently of the browser and operating system.
SSL-VPN does not leave any traces on the computer either. Nevertheless, third-party computers are taboo if the security requirements are high. In that case you shouldn't provide an SSL VPN. With outdated browsers, nobody can really guarantee a high level of security.

IPsec protects the entire connection and allows access only from devices and networks that are authorized to do so. With IPsec it is easier to enforce security guidelines and prevent attempted attacks than with SSL-VPN. IPsec is suitable for networking and SSL / TLS for secure Internet transactions.
However, SSL can be used as a supplement to IPsec. A VPN solution with IPsec AND SSL, ideally with a single user administration, offers the greatest possible flexibility and can thus cover every application scenario. The weaknesses of the two protocols are very well balanced in an overall solution.

Replacing an IPsec installation with an SSL VPN is rarely a good idea. As a rule, SSL-VPN cannot replace IPsec, but it can supplement it with comparable security functions at the application level.
