I came across this exchange discussing connectivity when reviewing some specifications for an interface that we are writing:
“Since both companies will utilize web services for the exchange of information, it is proposed that we use SSL instead of a VPN or Direct connection. SSL (https over port 443) provides security by encrypting the communications channel. This arrangement provides all the security of a VPN or Direct connection. Plus it requires less network configuration, less maintenance, greater flexibility (in case platforms move on either end) and eliminates a VPN or direct connection as a potential point of failure.”
I have a lot of problems with this.
1) Encryption isn’t security.
2) I find it hard to dispute that: Direct Connection > VPN > SSL over internet from a general security perspective.
3) SSL used in this manner lacks authentication, compared to a IP SEC point-to-point VPN (AH/ESP)
4) Exposing a web server to the internet introduces the risk of web server vulnerabilities, application layer vulnerabilities, among others ever more recent SSL vulnerabilities. (Note that source based ACL’s are not recommend here either, nor are client side certificates for authentication)
5) The concept of “least privilege” from a networking perspective is not followed - only two parties need to talk to each other, why open it up to the world to attempt to connect to ? Another interface stated “We restrict all traffic by third party connections to the least access needed to support business. “ <– I like this much better.
6) SSL over the internet will require our customer to expose a secure internal system to the internet, when it was designed to have very controlled network access, as compared to a VPN and general firewall rules for network control.
7) I haven’t discussed direct connections or leased lines, mostly due to the nature and volume of this application. Normally this is our first choice for high volume, sensitive transaction data to third parties with multiple data centers. Where we use 2 leased lines on different carriers to different data-centers.
My Vote for this? SSL over a VPN - (Defense in depth) Could SSL be used ? Sure but we would need to add a list of controls around its implementation and quite possibly add a layer of applications (proxy the requests) to design around this which is more work and has a higher change of configuration failure then a standard site-to-site VPN connection.