by replay I meant about fragmented packets and lost of packet due to MTU sizes 
and having to be re-sent, I used the wrong terminology. 
On Oct 19, 2010, at 10:05 PM, Butturini, Russell wrote:

> What kind of replay problems Carlos? Last time I checked ESP contained 
> anti-replay controls that solved this issue.  Are there new attacks? Would 
> love to hear more.
> 
> One of the great things with IPSec in tunnel mode is that you can 
> pre-classify the traffic with QoS markings before encryption, and then have 
> these values copied to the post encapsulated header (great for softphones 
> etc.).  There's not a lot of flexibility for this with SSL VPN, at least in 
> the appliances I've seen on the market.  Our experience has been too that you 
> need to scale up more to support SSL, IPSec clients tend to be less resource 
> intensive, but a lot of that depends on the encryption algorithms in use.
> 
> We're sticking with IPSec for now.   It's tried and true and we have no 
> reason to change.  
> 
> -----Original Message-----
> From: [email protected] 
> [mailto:[email protected]] On Behalf Of Carlos Perez
> Sent: Tuesday, October 19, 2010 8:37 PM
> To: PaulDotCom Security Weekly Mailing List
> Cc: [email protected]
> Subject: Re: [Pauldotcom] SSL vs IPSec VPNs
> 
> SSL Strip does not work on a full SSL VPN, I have tried ;), I would say it 
> depends on the traffic, amount of traffic and how time sensitive is that 
> traffic. SSL over UDP gives the best performance but you have a big pain of 
> certs and cert validation to minimize the attack surface, on the IPSEC 
> depending on the implementation you can get the most compatibility for 
> different client types but on high traffic with time sensitive traffic you 
> will get fragmentation and possible replay problems. There are a lot more 
> pros and cons but after 5 days of hospital I'm bone tired from sleeping on a 
> chair, when I get coffee in me in the morning I will try to expand on the 
> points.
> 
> Cheers,
> Carlos
> 
> On Oct 19, 2010, at 9:41 AM, Michael Douglas wrote:
> 
>> Hey all,
>> 
>> I'm trying to determine what protocols should be permitted on a new
>> VPN concentrator.
>> 
>> I'd like to stick with IPSec, it's tried and true, and to quote Garth:
>> "We fear change".  However, it seems that all the vendors are going
>> down the SSL route.  Now I know SSL is 'safe', but it seems like it's
>> more open to attacks like SSLStrip (thanks again Moxie for making us
>> aware of the problems!)  I get that SSL is easier for administrators
>> and end users alike, but is that convenience at too high a cost?
>> 
>> So what are your thoughts?  Am I being too paranoid?  If there are
>> articles or places where I should RTFM, that's cool... I just need to
>> know what FM to read!!  Please send the links/info  ;-)
>> 
>> 
>> Thanks for your input, and have a nice day!
>> - Mick
>> _______________________________________________
>> Pauldotcom mailing list
>> [email protected]
>> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>> Main Web Site: http://pauldotcom.com
> 
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
> 
> 
> ******************************************************************************
> This email contains confidential and proprietary information and is not to be 
> used or disclosed to anyone other than the named recipient of this email, 
> and is to be used only for the intended purpose of this communication.
> ******************************************************************************
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com

_______________________________________________
Pauldotcom mailing list
[email protected]
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

Reply via email to