Re: [Openvpn-users] SSHv2 vs OpenVPN security

I hear ya talkin'.  That is exactly the problem we have with most of the "SSL
VPN" market.  This is a perfect example.  People attach a certain level (the
highest) of security to the term "VPN", so all companies need to do to get
automatic credibility is say their product is a VPN, even if it doesn't do
network extension or client/server authentication, or any of the other
important things VPNs do.  This exposes many companies to insecure products
and puts them up against "Hosner's Lament" -- The one thing worse than bad
security is bad security that creates the illusion of good security --   This
company you're dealing with is interested in an abstraction that represents
security, not security itself.  Oh well, job security I guess.


Quoting Mathias Sundman <mathias@xxxxxxxxxx>:

> On Tue, 28 Dec 2004, Charlie Hosner wrote:
> >> Given that both SSH and OpenVPN are configured to only accept RSA keys for
> >> authentication and strong encryption algorithms, is there anything in the
> >> SSHv2 protocol making it less or more secure than the OpenVPN protocol?
> >
> > I think you are asking about this from a crypto standpoint not
> > necessarily an application standpoint.  From a crypto standpoint, I would
> > have to say they are equivalent if you use an equivalent algorithm
> > combination.  SSHv2 uses DHE-SHA1(HMAC) for key
> > agreement, RSA for authentication, and whatever symmetric algorithm you
> > want.  It also swaps out session keys every hour for perfect forward
> > secrecy, just like OpenVPN (adjustable with ReKeyIntervalSeconds).  The
> > handshakes are remarkably (right is right I guess) similar.
> >
> > When you look at things from an application layer, it might not be quite
> > so simple.  You would need to run sshd as user/group nobody and chroot it
> > somewhere.  There is also the added security of TLS-auth that SSH
> > definitely doesn't have an equivalent to.
> >
> > I know Mathias is quite familiar with the functionality differences
> > between SSH and OpenVPN, and he is probably asking this because he has
> > some clever scheme in mind, but to keep from confusing future readers,
> > SSHv2 is not going to provide you with the simple network
> > extension people usually seek in a VPN.  You would have to direct traffic
> > over the SSH tunnel via port forwarding or some other magic and it would
> > take a good amount of work to get the kind of setup OpenVPN gives you
> > "out of the box".  SSHv2 is good for doing things one port at a time,
> > especially if your one port is 22 ;)
> Yes, you're right, I was only asking about this from a crypto standpoint.
> I too prefer OpenVPN in most cases, but there are still some cases where
> SSH is preferable.
>
> The reason I asked was because I have a customer who is setting up a
> disaster recovery solution for a Solaris server, and simply needed shell
> access and a way to transfer files to the off-site backup machine. One
> user and one server -- can't be much easier, so I suggested using SSH.
> However, for some reason they did not accept SSH for securing this, but
> OpenVPN was okay. I claimed that SSH had the same level of security as both
> OpenVPN and IPSec (given it is correctly configured, of course), so I just
> wanted to make sure I was right about that...
>
> I'm fine with setting up OpenVPN too, so it's no problem, the customer gets
> what they want, I just find it a little overkill to use OpenVPN in this
> scenario, which is exactly what SSH was designed to do, but policies are
> policies! If I would have called it ssh-VPN instead of just ssh it would
> probably have been approved ;-) VPNs are good, other protocols can't be
> trusted!
>
> Cheers and Happy New Year from me too!
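An added configuration example, not from this thread or from either project's own documentation, showing what the two setups being compared look like when locked down the way the question assumes: RSA-key-only authentication with hourly rekeying and a confined session on the sshd side, and a tls-auth-protected OpenVPN server that drops privileges on the VPN side. The user name "backup", the paths and the key file names are assumptions.

```text
# --- sshd_config (OpenSSH): one backup user, RSA keys only, hourly rekey ---
# Assumed user name and paths; directives are current OpenSSH names.
AllowUsers backup
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
# Accept only RSA user keys, with SHA-2 signatures (OpenSSH before 8.5
# spells this directive PubkeyAcceptedKeyTypes).
PubkeyAcceptedAlgorithms rsa-sha2-512,rsa-sha2-256
Ciphers aes256-gcm@openssh.com,aes256-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com
KexAlgorithms diffie-hellman-group16-sha512,diffie-hellman-group14-sha256
# New session keys at least every hour (the rekeying the thread mentions).
RekeyLimit default 1h
# Confine the session, not the daemon: ChrootDirectory must be root-owned
# and, for an interactive shell, must contain that shell and its libraries.
Match User backup
    ChrootDirectory /srv/backup
    AllowTcpForwarding no
    X11Forwarding no

# --- OpenVPN server.conf: the same lock-down on the VPN side ---
dev tun
server 10.8.0.0 255.255.255.0
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# Only accept peers whose certificate is marked for client use.
remote-cert-tls client
tls-version-min 1.2
cipher AES-256-GCM
auth SHA256
# tls-auth: control-channel packets carry an HMAC keyed with ta.key, so
# packets from anyone without that key are dropped before TLS even starts.
# Generate the key once (OpenVPN 2.5+ syntax): openvpn --genkey secret ta.key
tls-auth ta.key 0
# Renegotiate the data-channel key every hour (also OpenVPN's default).
reneg-sec 3600
# Drop privileges after start-up (the "sshd as nobody" analogue; the
# unprivileged group is called nobody rather than nogroup on some systems).
user nobody
group nogroup
persist-key
persist-tun
```

Port forwarding is switched off in the sshd half because the disaster-recovery case in the thread needs only a shell and file transfer; re-enable it if the SSH tunnel is meant to carry other traffic.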
Openvpn-users mailing list