Options
Difference b/w IPSEC, TLS&SSL, HTTPS
ibn e batuta
Member Posts: 10 ■□□□□□□□□□
It's a common question asked in interview when we have IPSEC on layer 3 then why we need TLS&SSL at layer 4 and HTTPS at Layer 7? Why different security protocols at different layers when IPSEC is fulfilling your requirement of encryption,authentication and data integrity?
After a bit of extensive research and reading, I think I found a satisfying answer. If there is any discrepancy in it, you are welcome to correct it.
* IPSEC is to encrypt data in site to site scenario. Building A in America sending data to Building B Canada, in such scenario you need IPSEC to encrypt bulk of information you are sending, to be more specific in Router-to-Router communication over internet you need IPSEC
Draw back of IPSEC, it can't be used in a scenario where we have to encrypt client-server communication (TCP/UDP connections)
*Here comes the savior, SSL&TLS will encrypt your communication with server. For example, you opened your browser and type facebook.com, the request will go to server, but it will be encrypted with TLS. You can actually see it in your browser, open Google chrome enter Facebook.com, observe the lock which appears behind "www", click it and then click connection tab. Your connection is shown encrypted with TLS
So people ask, what's difference b/w SSL and TLS? well first layer 4 transport security protocol came was SSL, several improvements were made but then it was felt instead of revising SSL again and again, let's create a totally new layer 4 sec proto which can cover deficiencies of SSL. So TLS was created
Then people ask, where TLS is used and where SSL is used, I can not answer specifically but it's my observation SSL is mostly used in a scenario where a client connects to a server to access resources of it's corporation. And client is mostly the employ of corporation
and TLS is used in a scenario where a client mostly connects to a general purpose website like social networking websites, online shopping websites, credit card websites, email websites, banking websites etc etc and client in this scenario is mostly the consumer!
*And then comes the HTTPS, what if neither layer 3 and layer 4 security protocols exits and your entire packet including headers and data payload is sent un-encrypted? Our very own techexams.net is live example, when ever we log on to tech exams.net, all the requests sent to server are un-encrypted as no layer 4 sec proto is being used
Then in such cases, HTTPS comes, which encrypts the data payload at layer 7 so nobody can read your data.
But in practical world, HTTPS is not used as a standalone protocol. It will always be used with Layer 4 sec protocols, Not only your data payload being encrypted but also the entire packet with TLS/SSL
After a bit of extensive research and reading, I think I found a satisfying answer. If there is any discrepancy in it, you are welcome to correct it.
* IPSEC is to encrypt data in site to site scenario. Building A in America sending data to Building B Canada, in such scenario you need IPSEC to encrypt bulk of information you are sending, to be more specific in Router-to-Router communication over internet you need IPSEC
Draw back of IPSEC, it can't be used in a scenario where we have to encrypt client-server communication (TCP/UDP connections)
*Here comes the savior, SSL&TLS will encrypt your communication with server. For example, you opened your browser and type facebook.com, the request will go to server, but it will be encrypted with TLS. You can actually see it in your browser, open Google chrome enter Facebook.com, observe the lock which appears behind "www", click it and then click connection tab. Your connection is shown encrypted with TLS
So people ask, what's difference b/w SSL and TLS? well first layer 4 transport security protocol came was SSL, several improvements were made but then it was felt instead of revising SSL again and again, let's create a totally new layer 4 sec proto which can cover deficiencies of SSL. So TLS was created
Then people ask, where TLS is used and where SSL is used, I can not answer specifically but it's my observation SSL is mostly used in a scenario where a client connects to a server to access resources of it's corporation. And client is mostly the employ of corporation
and TLS is used in a scenario where a client mostly connects to a general purpose website like social networking websites, online shopping websites, credit card websites, email websites, banking websites etc etc and client in this scenario is mostly the consumer!
*And then comes the HTTPS, what if neither layer 3 and layer 4 security protocols exits and your entire packet including headers and data payload is sent un-encrypted? Our very own techexams.net is live example, when ever we log on to tech exams.net, all the requests sent to server are un-encrypted as no layer 4 sec proto is being used
Then in such cases, HTTPS comes, which encrypts the data payload at layer 7 so nobody can read your data.
But in practical world, HTTPS is not used as a standalone protocol. It will always be used with Layer 4 sec protocols, Not only your data payload being encrypted but also the entire packet with TLS/SSL
Comments
-
OptionsSecurityThroughObscurity
Member Posts: 212 ■■■□□□□□□□
Remote-access IPsec solutions exist. For example, EasyVPN.ibn e batuta wrote: »Draw back of IPSEC, it can't be used in a scenario where we have to encrypt client-server communication -
Optionsibn e batuta
Member Posts: 10 ■□□□□□□□□□
But still it is connecting to a VPN router which then allows you to connect to a server or send bulk information to another remote site office. Easy VPN doesn't let you interact with server directly like clientless VPN (SSL)????
To be precise, Remote-access IPsec still operates at layer 3 and is not encrypting TCP connections.