Difference between IPsec, TLS & SSL, and HTTPS

ibn e batuta Member Posts: 10
It's a common question asked in interviews: when we have IPsec at layer 3, why do we need TLS & SSL at layer 4 and HTTPS at layer 7? Why different security protocols at different layers when IPsec is fulfilling your requirement of encryption, authentication and data integrity?


After a bit of extensive research and reading, I think I found a satisfying answer. If there is any discrepancy in it, you are welcome to correct it.


* IPsec is used to encrypt data in a site-to-site scenario. Building A in America is sending data to Building B in Canada; in such a scenario you need IPsec to encrypt the bulk of the information you are sending. To be more specific, in router-to-router communication over the internet you need IPsec.

The drawback of IPsec: it can't be used in a scenario where we have to encrypt client-server communication (TCP/UDP connections).


* Here comes the savior: SSL & TLS will encrypt your communication with the server. For example, you opened your browser and typed facebook.com; the request will go to the server, but it will be encrypted with TLS. You can actually see it in your browser: open Google Chrome, enter facebook.com, observe the lock which appears behind "www", click it and then click the connection tab. Your connection is shown as encrypted with TLS.

So people ask, what's the difference between SSL and TLS? Well, the first layer 4 transport security protocol that came was SSL. Several improvements were made, but then it was felt that instead of revising SSL again and again, let's create a totally new layer 4 security protocol which can cover the deficiencies of SSL. So TLS was created.

Then people ask where TLS is used and where SSL is used. I cannot answer specifically, but it's my observation that SSL is mostly used in a scenario where a client connects to a server to access resources of its corporation, and the client is mostly an employee of the corporation,

and TLS is used in a scenario where a client mostly connects to a general-purpose website like social networking websites, online shopping websites, credit card websites, email websites, banking websites, etc., and the client in this scenario is mostly the consumer!



* And then comes HTTPS. What if neither layer 3 nor layer 4 security protocols exist and your entire packet, including headers and data payload, is sent unencrypted? Our very own techexams.net is a live example: whenever we log on to techexams.net, all the requests sent to the server are unencrypted, as no layer 4 security protocol is being used.

Then in such cases, HTTPS comes, which encrypts the data payload at layer 7 so nobody can read your data.

But in the practical world, HTTPS is not used as a standalone protocol. It will always be used with layer 4 security protocols. Not only is your data payload encrypted, but also the entire packet, with TLS/SSL.
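
Added example, not part of the original post: a defender's check for the SSL/TLS distinction raised above, reading the version bytes of a ClientHello and flagging deprecated protocol versions. The function names and the sample records built by `build_sample` are constructed for illustration.

```python
import struct

# (major, minor) version bytes as they appear on the wire.
VERSIONS = {(3, 0): "SSL 3.0", (3, 1): "TLS 1.0",
            (3, 2): "TLS 1.1", (3, 3): "TLS 1.2"}
DEPRECATED = {"SSL 3.0", "TLS 1.0", "TLS 1.1"}
HANDSHAKE, CLIENT_HELLO = 22, 1  # record content type, handshake message type


def parse_client_hello_version(record: bytes) -> dict:
    """Read the version fields of a single record carrying a ClientHello."""
    if len(record) < 5:
        raise ValueError("truncated record header")
    ctype, rec_major, rec_minor, length = struct.unpack("!BBBH", record[:5])
    if ctype != HANDSHAKE:
        raise ValueError("not a handshake record")
    body = record[5:5 + length]
    if length < 6 or len(body) < length:
        raise ValueError("truncated handshake message")
    if body[0] != CLIENT_HELLO:
        raise ValueError("not a ClientHello")
    # body[1:4] is the 3-byte handshake length; the offered version follows.
    # TLS 1.3 clients also send 3.3 here and signal 1.3 in an extension,
    # which this sketch does not parse, so "TLS 1.2" means "1.2 or newer".
    offered = VERSIONS.get((body[4], body[5]), "unknown")
    return {"record": VERSIONS.get((rec_major, rec_minor), "unknown"),
            "client_hello": offered,
            "deprecated": offered in DEPRECATED}


def build_sample(hello_version, record_version=(3, 1)) -> bytes:
    """Constructed minimal ClientHello (zero random, one cipher suite)."""
    body = (bytes(hello_version) + bytes(32) + b"\x00"   # version, random, no session id
            + b"\x00\x02\x00\x2f" + b"\x01\x00")         # one suite, null compression
    handshake = bytes([CLIENT_HELLO]) + len(body).to_bytes(3, "big") + body
    return (bytes([HANDSHAKE, *record_version])
            + len(handshake).to_bytes(2, "big") + handshake)


if __name__ == "__main__":
    for version in [(3, 0), (3, 1), (3, 3)]:
        print(parse_client_hello_version(build_sample(version)))
```
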

Comments

  • SecurityThroughObscurity Member Posts: 212
    "Draw back of IPSEC, it can't be used in a scenario where we have to encrypt client-server communication"
    Remote-access IPsec solutions exist. For example, EasyVPN.
  • ibn e batuta Member Posts: 10
    But still, it is connecting to a VPN router, which then allows you to connect to a server or send bulk information to another remote site office. Easy VPN doesn't let you interact with the server directly like clientless VPN (SSL)?

    To be precise, remote-access IPsec still operates at layer 3 and is not encrypting TCP connections.