SSH can also be configured with SPA (Single Packet Authentication) which makes it behave in a "stealthy" (I hate that term) fashion.
As for the argument, the only real weakness with SSH is that it is configured to use passwords by default, which lends itself to brute force attacks. This is mitigated by disabling passwords and using SSH keys (which means that the security of the private key is the point of failure). When using SSH keys you have a public and a private key. A lot of the VPNs that I have seen use PSK (pre-shared keys), which are less secure and harder to manage. In addition to the above you could also use fail2ban to monitor repeated failures and/or use iptables to rate limit the number of connections. Essentially SSH is only less secure when it is configured to be less secure.

It is very important that you know what VPN technology is being discussed. VPN is a pretty generic term with many implementations, the majority of which are insecure. Basically, if your discussion partners are not specifically talking about IPSec or SSL (OpenVPN is an SSL-style VPN) then they are full of crap. SSH simply smokes older VPN technologies like PPTP and L2TP (recent successful attacks have rendered PPTP and L2TP pretty much useless these days). It should also be noted that proprietary SSL VPNs may or may not be secure; it depends entirely on the implementation.

One final note: rarely is the choice between SSH and a VPN. They are different technologies that solve different problems. SSH is a very robust and flexible tool, so it can often be made to do tasks that could also be accomplished by a dedicated VPN. The choice ultimately depends on the context of the problem being solved. At work we are moving to a custom-built SSH solution due to the fragility of IPSec (routers and NAT devices do not always have IPSec passthrough enabled).

On Fri, Oct 5, 2012 at 4:35 PM, Anand Singh <[email protected]> wrote:
> My preference is to use OpenVPN because you're not exposing the remote
> network directly, since the tunnel is created on a virtual subnet that does
> not exist on either the local or remote network.
>
> Another benefit is that you can control which parts of the remote network
> you want to expose. For example, if the remote LAN is configured on
> 10.0.0.0/22 and you want to permit access to a file server or printers on
> 10.0.3.1/24, you can do that without exposing servers on a different part
> of the subnet, which is especially effective with VLANs. Revoking
> certificates from the OpenVPN server is also easier to manage than revoking
> SSH certificates (you are using cert auth, right?). OpenVPN also gives you
> control over whether you want to allow local DNS, or to force all traffic
> including DNS through the tunnel. OpenSSH will respond if someone guesses
> the listening port, unlike OpenVPN which can be configured for stealthy
> operation even if you leave it on the default port.
>
> Anand.
>
> On Fri, Oct 5, 2012 at 3:56 PM, caziz <[email protected]> wrote:
>
>> Hi All,
>>
>> I've been part of a debate where admins asserted that VPN is more secure
>> than SSH. I don't get it and haven't found any good refs from my Google
>> searches.
>>
>> Opinions? (Knowledgeable ones preferred).
>>
>> Thanks,
>> Chris
_______________________________________________ clug-talk mailing list [email protected] http://clug.ca/mailman/listinfo/clug-talk_clug.ca Mailing List Guidelines (http://clug.ca/ml_guidelines.php) **Please remove these lines when replying
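Added example, not from the thread or any of its authors: a POSIX shell audit of the sshd_config settings the message above calls out (passwords on by default, mitigated by disabling them and relying on keys), run over a constructed weak config and a constructed hardened one. It assumes OpenSSH semantics: a directive absent from the file takes its compiled-in default, the first occurrence of a directive wins, and Match blocks are ignored (a simplification of real sshd parsing). The sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: audit an sshd_config for
# the password-by-default weakness discussed above and compare it with a
# hardened version. Assumes OpenSSH semantics: an absent directive takes its
# compiled-in default, the first occurrence of a directive wins, and Match
# blocks are ignored (a simplification of real sshd parsing).

# Constructed sample: a stock-looking config that still accepts passwords.
WEAK_CONF=$(mktemp)
cat > "$WEAK_CONF" <<'EOF'
Port 22
# Commented out, so the compiled-in default (yes) still applies.
#PasswordAuthentication no
PermitRootLogin yes
ChallengeResponseAuthentication yes
EOF

# Constructed sample: key-only authentication, no interactive fallbacks.
HARDENED_CONF=$(mktemp)
cat > "$HARDENED_CONF" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
# Both spellings: newer OpenSSH renamed ChallengeResponseAuthentication.
KbdInteractiveAuthentication no
ChallengeResponseAuthentication no
PermitRootLogin prohibit-password
MaxAuthTries 3
EOF
trap 'rm -f "$WEAK_CONF" "$HARDENED_CONF"' EXIT

# effective_value FILE DIRECTIVE DEFAULT
# Print the value sshd would use: the first uncommented match (keywords are
# case-insensitive), otherwise DEFAULT.
effective_value() {
    ev_val=$(awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1")
    printf '%s\n' "${ev_val:-$3}"
}

# audit_sshd_config FILE
# Print one "WEAK: ..." line per setting that leaves password guessing
# possible or weakens key-based auth. Always returns 0; count the lines.
audit_sshd_config() {
    cfg=$1
    if [ "$(effective_value "$cfg" PasswordAuthentication yes)" = yes ]; then
        echo "WEAK: PasswordAuthentication is yes (the default); brute force possible, set it to no"
    fi
    # With UsePAM, keyboard-interactive can still prompt for a password even
    # when PasswordAuthentication is no, so both knobs must be off.
    cr=$(effective_value "$cfg" ChallengeResponseAuthentication yes)
    kbd=$(effective_value "$cfg" KbdInteractiveAuthentication "$cr")
    if [ "$kbd" = yes ]; then
        echo "WEAK: keyboard-interactive auth enabled; passwords via PAM still possible"
    fi
    if [ "$(effective_value "$cfg" PubkeyAuthentication yes)" != yes ]; then
        echo "WEAK: PubkeyAuthentication disabled; nothing left but passwords"
    fi
    # Absent PermitRootLogin is treated as yes (the older default) to be safe.
    case "$(effective_value "$cfg" PermitRootLogin yes)" in
        no|prohibit-password|without-password) ;;
        *) echo "WEAK: PermitRootLogin allows root login with a password" ;;
    esac
    return 0
}

# count_weak FILE: number of findings, 0 for a clean config.
count_weak() {
    audit_sshd_config "$1" | grep -c '^WEAK' || true
}

echo "== weak config =="
audit_sshd_config "$WEAK_CONF"
echo "== hardened config =="
audit_sshd_config "$HARDENED_CONF"
echo "findings: weak=$(count_weak "$WEAK_CONF") hardened=$(count_weak "$HARDENED_CONF")"
```

Point it at a real file with `audit_sshd_config /etc/ssh/sshd_config`; the keyboard-interactive check is the one most people miss, because `PasswordAuthentication no` alone does not stop PAM from prompting for a password.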

