Is IPSec needed if TLS (HTTPS) is used?

I am a student currently learning networking concepts.

So from what I know and understand, HTTPS is used to encrypt traffic at application layer so if somebody intercepts it, that person will not be able to read it. IPSec is used to encrypt either a payload/data portion of IP packet (transport mode) or both header and data portions (tunnel mode).

Here is my question: if we already encrypt data at the application layer with HTTPS, why do we need to encrypt it again at the network layer with IPSec? Correct me if I am wrong, or maybe I do not properly understand the concepts of HTTPS and IPSec.

One use case is that not all traffic is HTTPS.

Typical deployments of IPsec^1 are LAN to LAN and Client to LAN, thus forming an encrypted tunnel over some untrusted network like the Internet. Once the traffic exits the IPsec tunnel, it goes to its destination. If it is clear text, it is unprotected.

Typical deployments of TLS^2 (you should not use nor refer to SSL except in a historical context) encrypt client to server and provide end to end protection (encryption and server authentication^3) regardless of the underlying network.

You want both because they perform different functions. If the “distance” between a client and server is 7 hops and there is an IPsec tunnel spanning 3 hops, web server TLS will protect the remaining 4 hops to the server.

  1. You can deploy IPsec client to server and server to server but it’s rare. Windows supports this.

  2. You can deploy TLS tunnels which function like an IPsec tunnel. This is more common than note #1.

  3. TLS also supports mutual authentication using certificates, though it too is rare.

You don’t usually use IPSec in conjunction with HTTPS. For example you don’t go to gmail using an IPSec tunnel. HTTPS is to protect your login information, which is handled within the HTTPS header.

For IPSec, this is usually for VPNs (e.g. site to site VPNs). If one office speaks to another office via the internet, and you didn’t use IPSec and just used GRE for example, then anything you send is not encrypted at layer 3. This means you could RDP to a server on 192.168.1.1 and someone could find out that you have a server at this IP with tcp 3389 open. Your AD login request would also be sent over the GRE tunnel, and then someone could sniff that traffic and see in the IP and TCP header that you have an AD server at that IP. Additionally, it is also possible to exploit a GRE tunnel.

We therefore use GRE over IPSec to hide this kind of data, and protect against some of the attacks available for GRE.

When you use HTTPS for a website, you are only trying to hide your login details and session ID. Whereas on a site to site VPN, or remote-access VPN, you are trying to hide the layer 3 to 7 info about your company network.

Depends on what your goal is. HTTPS protects the transferred data, however it transmits the server hostname in the clear and does nothing to protect or hide DNS lookups.
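An added example (not from any poster in this thread) that models the two points made above: an IPsec tunnel hides the inner IP header, port and SNI only on the hops it spans, while TLS hides only the application data, leaving the headers and the ClientHello hostname readable on every other hop. Hop counts, addresses and the sample packet are constructed; the model ignores ESP details such as padding and traffic-flow confidentiality.

```python
from dataclasses import dataclass, asdict

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    sni: str       # server name from the TLS ClientHello, sent in the clear (no ECH)
    payload: str   # application data, e.g. an HTTP login request

# Outer addresses the two IPsec gateways put on the tunnel-mode ESP packet
# (constructed, from the documentation address ranges).
OUTER_SRC, OUTER_DST = "203.0.113.1", "198.51.100.1"

# Constructed inner packet: a client on the branch LAN logging in to an
# intranet web server at HQ.
SAMPLE = Packet("192.168.1.10", "192.168.1.1", 443,
                "intranet.corp.example", "POST /login user=alice pw=...")

def observe(pkt, hop, ipsec_hops=frozenset(), tls=False):
    """Fields a passive observer on hop `hop` can read from `pkt`.

    ipsec_hops: hops that lie inside an IPsec tunnel (tunnel mode, ESP).
    tls:        True if the application data is carried over TLS (HTTPS).
    """
    if hop in ipsec_hops:
        # ESP tunnel mode encrypts the whole original packet: inner IP header,
        # TCP port, SNI and payload are all hidden; only the gateway IPs show.
        return {"src_ip": OUTER_SRC, "dst_ip": OUTER_DST, "proto": "ESP"}
    seen = asdict(pkt)
    if tls:
        # TLS protects only the application data; L3/L4 headers and the
        # ClientHello SNI remain readable on every hop outside the tunnel.
        del seen["payload"]
    return seen

def exposed_hops(path_len, field, ipsec_hops=frozenset(), tls=False):
    """Hops (1..path_len) on which `field` of SAMPLE is readable."""
    return [h for h in range(1, path_len + 1)
            if field in observe(SAMPLE, h, ipsec_hops, tls)]

if __name__ == "__main__":
    # The thread's 7-hop path with an IPsec tunnel spanning the first 3 hops.
    tunnel = frozenset({1, 2, 3})
    for field in ("payload", "dst_port", "sni"):
        print(f"{field:9} IPsec only: {exposed_hops(7, field, tunnel)}"
              f"  IPsec+TLS: {exposed_hops(7, field, tunnel, tls=True)}")
```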

SSL/TLS is built into most web browsers so it makes it easy to establish secure connections between server and client. IPSec is not generally used between client and server because it usually requires more software and takes more configuration. IPSEC is normally used to connect remote sites instead. So if you’re running a site-to-site IPSEC tunnel, the traffic is being encrypted and decrypted by devices that probably aren’t the end hosts. You want to run HTTPS because you want full end to end secure communication, even if traversing an IPSEC tunnel. You wouldn’t do a client to server SSL connection while also running a client to server IPSEC connection. No need, and you’ll probably never see a client to server IPSEC connection.

But almost any traffic used today can be encrypted without the need for IPSec, right? We have SSH, SFTP, SMTPS and so on.

Can you think of any example of traffic that is widely used by corporations today to exchange data, which would REQUIRE the use of IPSec?

This article nicely explains TLS and IPSec concepts. Thanks.

So basically IPSec creates a secure tunnel (VPN?) in which any type of traffic is encrypted (HTTP, telnet, VoIP etc.), correct? Whereas TLS is simply used to secure HTTP traffic between client and web server?

But I also heard that there are both IPSec VPNs and TLS VPNs. So it means that TLS can also be used to create a secure tunnel in which any traffic is encrypted, right?

How would IPSec protect/hide DNS lookups?

SSL

Most modern browsers have completely dropped support for SSL in favor of only supporting TLS which came out 19 years ago.

Yeah, you are right. A lot of it is, and can be. Even to the point of wireless authentication. You can use certificate based authentication and encrypt traffic between yourself and the wireless LAN controller. However, site-to-site VPNs typically use IPSec, because an SSL VPN isn’t available on most firewall platforms. On Cisco for example, you could only do a remote-access VPN using SSL certificates, but you couldn’t use SSL for a site-to-site VPN on a Cisco ASA.

The additional problem is that each protocol you just talked about operates above layer 3. SSH is layer 7, SFTP is layer 7, SMTPS is layer 7. So you’re not encrypting your layer 3 information. Layer 3 info should only be known by the company, not the public. And if you are on the remote end of a tunnel without IPSec, relying on these encryption methods to hide the layer 4+ info, then your L3 data is just public info. Yes, if you are at the same LOCATION as where these services are being hosted, and don’t need to use the internet to use them, then fine, that is OK to use without IPSec.

We have an IP phone system that does not support encryption. We either IPsec remote phones or we send audio and signalling in clear text.

Telnet. It just won’t die.

In common implementations, IPsec is used for network VPN. TLS is for client to server and sometimes network VPN.

TLS is a very flexible protocol that is used to secure lots of other protocols. TLS is used with SMTP, FTP, remote terminals, securing app to server traffic, VoIP. The list goes on.

IPsec is implemented in the server OS and can encrypt some or all traffic to and from the server and the applications on the server. Think of it as a hose. The IPsec protocol can support more granular policies, but those features are almost never implemented or used.

TLS is built into client and server applications, not the OS (including TLS VPN), so the traffic is protected all the way up the server networking stack to the application, which isolates that traffic inside the host.

Read my post, he’s not explained that very well at all. I know what he means, but it’s just a very poor explanation.

SSH is layer 4, SFTP is layer 4, SMTPS is layer 4.

Really? Aren’t they at application layer?

I really do not understand why it is still used. That is why we have SSH.

Yep, sorry layer 7. I was thinking of ports I was blocking on the firewall at the time lol. I will adjust my reply. I’m literally migrating about maybe 2k lines of access list from ASA code to firepower. All I can think of is ports.