c/cybersecurity is a community centered on the cybersecurity and information security profession. You can come here to discuss news, post something interesting, or just chat with others.
THE RULES
Instance Rules
Community Rules
If you ask someone to hack your "friends" socials you're just going to get banned so don't do that.
Learn about hacking
Other security-related communities [email protected] [email protected] [email protected] [email protected] [email protected]
Notable mention to [email protected]
Sure IPsec with IKEv2 is preferred, but SSL VPNs at least as a fallback will never go away unless it becomes commonplace for outbound firewall rules to allow udp/500 (which I don't ever see happening).
The way I'm set up is to have Windows AoVPN connect to my Fortigate w/ IPsec automatically. Then if that doesn't work due to outbound rules (which is more often lately than it used to be) and I need to connect back to HQ, I manually fire up Forticlient.
Does anyone know why SSL VPN is more insecure than ipsec-based VPN? Is there a technical reason?
From the article:
While the cybersecurity organization admits IPsec with IKEv2 isn't free of flaws, it believes switching to it would significantly reduce the attack surface for secure remote access incidents due to having reduced tolerance for configuration errors compared to SSLVPN.
Basically, every vendor has their own implementation of SSL VPN as there is no real standard, whereas IPsec is mostly vendor-agnostic. And you effectively need to keep an open web server to receive the client connections, making exploitable misconfigurations or vulnerabilities much more likely.
On the other hand IPsec has no real way to negotiate crypto parameters so those stay whatever you initially set up forever, even if those algorithms have known exploits or become insecure in other ways. Also, there are incompatible vendor versions of IPsec too.