What is the difference between a VPN with CA-issued keys and SSL with CA-issued keys? When do I use one vs. the other? I know SSL is used on web sites for secured transactions, and usually VPNs are for point-to-point connections between company subsidiaries or vendors. I would appreciate some comparative info on the technologies.
Thanks and regards.
This is a great question. Although both these applications employ exactly the same basic technologies, the use of digital certificates for SSL/web site access and VPNs differs greatly.
In most web/SSL environments, certificates are used to authenticate the web site to the end user, but not vice versa. For example, when you log into your home banking application, the web site provides the browser a digital certificate to ensure that you're really connected to the bank, not some bogus web site. On the other hand, you most likely authenticate using an ID and password combination. So, this is a one-way, certificate-based authentication and is quite popular. Because the certificate is used on the server side, not the client side, the implementation is fairly inexpensive and simple. You only need one certificate regardless of the number of users. This is a great solution for casual access or a business-to-consumer environment.
With a VPN, the use of certificates is designed to guarantee the authenticity of the servers (gateways) and the users within a well-defined formal group. As such, things get much more complex pretty quickly. The network administrator needs a system that lets him or her distribute, maintain and revoke certificates for every user and every gateway in the VPN. Certificates provide great security, but in a VPN, they also require planning, system implementation and ongoing management.
Depending on the size of your implementation, you may decide to install and operate your own certificate authority (such as those available from Entrust and Baltimore Technologies) or you may decide to use a public key infrastructure service available from companies like VeriSign. The former requires people on staff who know how to manage it and some upfront capital investment; the latter is pretty straightforward to use, but certificates can run you $300 to $400 per year per user or system.
Because of the expense and/or labor costs of certificate-based authentication, many VPN implementers have opted to use simpler, albeit less secure, authentication techniques. These include pre-shared secrets (essentially a secret code installed on each device), ID and password (which guarantees the end-user ID, but not necessarily the server ID), RADIUS and LDAP. Unfortunately, these implementations lack the level of security commensurate with the strong encryption of your IPSec tunnels. But they are certainly easier and less expensive to implement and maintain.
Another alternative you might consider is a VPN service provider that offers a fully integrated solution: IPSec for privacy and transmission integrity and digital certificates for guaranteed authenticity. Most carriers offer these services today and there are also independent companies that will implement VPN for you independently of the carrier infrastructure.
Hope this helps,
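The contrast the answer draws, as an added Go example that is not part of the original post or of any vendor product it mentions. A constructed in-memory certificate authority issues one certificate to a gateway and one to a user; the web-style server proves only its own identity to an anonymous client, while the VPN-style gateway demands a CA-issued certificate from every peer and refuses one the administrator has revoked, even though that certificate is otherwise still valid. The names vpn-ca.example, gateway.example and alice, the serial numbers, and the in-memory revocation list are assumptions made for the example; errors that cannot happen on a correct setup are turned into panics to keep the code short.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue creates a P-256 key and a one-day certificate for cn signed by the parent CA (nil parent: self-signed CA).
func issue(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed root that is allowed to sign other certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// vpnServer is the gateway's policy: every peer needs a certificate from the company CA, and serials the
// administrator has revoked are refused even though still valid (an assumed stand-in for a CRL/OCSP check).
func vpnServer(gateway tls.Certificate, pool *x509.CertPool, revoked map[string]bool) *tls.Config {
	return &tls.Config{Certificates: []tls.Certificate{gateway}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool,
		VerifyPeerCertificate: func(raw [][]byte, _ [][]*x509.Certificate) error { // runs only after chain validation passed
			leaf, err := x509.ParseCertificate(raw[0])
			check(err)
			if revoked[leaf.SerialNumber.String()] {
				return fmt.Errorf("certificate of %s is revoked", leaf.Subject.CommonName)
			}
			return nil
		}}
}

// handshake runs one TLS handshake over loopback; nil means both sides accepted each other.
func handshake(srv, cli *tls.Config) error {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	check(err)
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		check(err)
		defer c.Close()
		srvErr <- tls.Server(c, srv).Handshake()
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if serr := <-srvErr; err == nil { // the gateway's verdict, read before the client hangs up
		err = serr
	}
	if conn != nil {
		conn.Close()
	}
	return err
}

// scenarios contrasts one-way web TLS with the mutual authentication a VPN needs; true means accepted.
func scenarios() map[string]bool {
	// The network administrator stands up the CA and enrols the gateway and the user alice (constructed names).
	ca, caKey := issue("vpn-ca.example", 1, nil, nil)
	gw, gwKey := issue("gateway.example", 2, ca, caKey)
	user, userKey := issue("alice", 3, ca, caKey)
	pool := x509.NewCertPool() // the CA certificate is the trust anchor handed to every party
	pool.AddCert(ca)
	gateway := tls.Certificate{Certificate: [][]byte{gw.Raw}, PrivateKey: gwKey}
	userCert := tls.Certificate{Certificate: [][]byte{user.Raw}, PrivateKey: userKey}
	web := &tls.Config{Certificates: []tls.Certificate{gateway}} // ClientAuth defaults to NoClientCert: one-way
	clientAnon := &tls.Config{RootCAs: pool, ServerName: "gateway.example"}
	clientAlice := &tls.Config{RootCAs: pool, ServerName: "gateway.example", Certificates: []tls.Certificate{userCert}}
	res := map[string]bool{}
	for name, c := range map[string]struct{ srv, cli *tls.Config }{
		"web: site proves itself, user stays anonymous":  {web, clientAnon},
		"web: browser that does not trust the CA":        {web, &tls.Config{RootCAs: x509.NewCertPool(), ServerName: "gateway.example"}},
		"vpn: alice presents her certificate":            {vpnServer(gateway, pool, nil), clientAlice},
		"vpn: device without a certificate":              {vpnServer(gateway, pool, nil), clientAnon},
		"vpn: alice after the administrator revoked her": {vpnServer(gateway, pool, map[string]bool{user.SerialNumber.String(): true}), clientAlice},
	} {
		res[name] = handshake(c.srv, c.cli) == nil
	}
	return res
}

func main() {
	for name, ok := range scenarios() {
		fmt.Printf("%-48s accepted=%v\n", name, ok)
	}
}
```

Two points worth noticing when running it. The web server needs a single certificate and no knowledge of its users, which is the inexpensive one-way case from the answer; the gateway additionally needs the CA certificate (`ClientCAs`) plus a revocation source, which is the management burden the answer describes. And under TLS 1.3 the client's `tls.Dial` can return success before the gateway has rejected its certificate, so the code waits for the server side's verdict rather than trusting the client side alone.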