
First of all, I am a noob in this area, so I came here to get some ideas from the experts.

My friend was telling me the other day that SSH is a pretty secure protocol and one should not be worried about network security while using SSH.

In my company, we always use SSH to connect to remote devices. Nowadays our security expert is saying that he wants to remove all SSH access in favor of VPN. I told him what my friend told me, but he is insisting on SSL VPN having better security. Is he right, or am I right in the sense that as I am using SSH I am secure enough?

In other words, does SSL VPN give any extra security facility that SSH does not give, or could SSH fail badly in those fields?

dominico

  • SSH allows secure remote shell access; VPN creates a virtual, secure Ethernet cable between two computers. If you're using SSH to get shell access on the devices, then continue to do so; VPN will only allow a secure network connection to the devices (but you'd still need to run something to actually get shell access; you could use telnet, but why bother when SSH is a better tool for this job?). On the other hand, if you're using SSH tunneling to tunnel arbitrary network traffic, then a VPN will be the correct solution, though both are equally secure if implemented correctly. – André Borie Dec 29 '15 at 18:43
  • SSH is good for simple tasks. VPN allows for a more managed security environment. However, the complicatedness of VPN itself may actually open up security holes. SSH may also be used in combination with VPN. It really depends on the needs of the company. – Jonathan Gray Dec 29 '15 at 18:44
  • @Xander - I'm not sure that question is quite the same as this one, and that question has only one answer (IMO, a weak one). I think a proper answer should discuss the fact that VPN and SSH are different OSI layers. – Neil Smithline Dec 29 '15 at 21:26
  • @AndréBorie "virtual, secure Ethernet cable between two computers"? :-) I assume you were simplifying the definition for the purpose of example? – Mike B Dec 29 '15 at 22:20
  • @MikeB I believe that's what most VPNs do, if we ignore the distinctions between Layer 2 tunneling and those working at higher layers. – André Borie Dec 29 '15 at 22:43

3 Answers

VPN and SSH are similar in the sense that they both establish a trusted and encrypted point-to-point channel, but that's pretty much where the similarities end. The goal of VPN is to grant you access to a network you would otherwise not be able to access, while the goal of SSH is to grant you shell access to a particular system. They play different, non-exclusive roles -- it is perfectly common to require VPN before being able to use SSH.

There are multiple benefits of using VPN over direct ssh. SSH is a root-level daemon that gives direct access to a device. There have been 0-day vulnerabilities in SSH in the past, and who knows, there may be one lurking around the corner, giving attackers direct access to any internet-exposed system. Alternatively, a misconfigured ssh daemon may allow logging in with passwords that can be guessed or sniffed via keystrokes. Not exposing ssh on your devices directly to the internet is a very good security policy.

VPN, on the other hand, is usually done via an appliance or via a non-root daemon, limiting the attack surface. VPN also dramatically simplifies access to restricted resources other than just SSH -- e.g. internal-only websites. While you can port-forward using SSH, it is a lot more hassle compared to using a VPN. Additionally, running a VPN server allows implementing centralized 2-factor authentication, assigning static internal IP addresses to authenticated accounts, etc. The latter is useful when tracking admin access via netflows and when restricting access to internal resources by groups.

In other words, requiring a VPN connection before accessing ssh on systems is both common practice and good security policy.

mricon
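A check for the misconfigurations this answer describes (password logins, root login, and sshd listening on every interface instead of only the VPN-facing one), as an added Python example that is not part of the original answer; both sample configs are constructed, and 10.8.0.1 is an assumed VPN-side address.

```python
"""Audit an sshd_config for the weak settings mricon's answer warns about.
Added example, not from the original post; both sample configs are constructed."""
import re

# Defaults OpenSSH applies when a keyword is absent (assumption: OpenSSH >= 7.0,
# where PermitRootLogin defaults to prohibit-password). None = every interface.
DEFAULTS = {"passwordauthentication": "yes",
            "permitrootlogin": "prohibit-password",
            "listenaddress": None}

def parse_global(config: str) -> dict:
    """Lowercase keyword -> value for the global section only."""
    settings = dict(DEFAULTS)
    for raw in config.splitlines():
        parts = re.split(r"[\s=]+", raw.split("#", 1)[0].strip(), maxsplit=1)
        if parts[0] == "":                 # blank or comment-only line
            continue
        if parts[0].lower() == "match":    # conditional directives follow; stop
            break
        settings[parts[0].lower()] = parts[1] if len(parts) > 1 else ""
    return settings

def audit(config: str) -> list:
    """Return findings as strings; an empty list means nothing weak was found."""
    s = parse_global(config)
    findings = []
    if s["passwordauthentication"] == "yes":
        findings.append("PasswordAuthentication yes: guessed or sniffed passwords work")
    if s["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in directly")
    if s["listenaddress"] is None:
        findings.append("no ListenAddress: reachable on every interface, not just the VPN")
    return findings

WEAK = """# constructed: typical out-of-the-box config, internet-facing
PermitRootLogin yes
PasswordAuthentication yes
"""
HARDENED = """# constructed: keys only, bound to the VPN-side address
# assumption: 10.8.0.1 is this host's address on the VPN tunnel interface
ListenAddress 10.8.0.1
PermitRootLogin no
PasswordAuthentication no
AllowGroups ssh-admins
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(f"{name}: {audit(cfg) or 'ok'}")
```

Directives inside a Match block are skipped on purpose, so a config that only hardens things conditionally is still reported.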

A lot of this will come down to what you actually need and personal choice.

It is possible to tunnel lots of traffic through SSH and treat it like a VPN.

There are also many similarities between the two; for example, depending on the VPN you choose, you may also be using SSL/TLS for the VPN, which is what SSH uses, or even the same ciphers, algorithms, or encryption libraries. So although there are some differences in encryption options, the encryption options are very similar.

The areas where they start to be different involve whether or not you need Layer 2 traffic (such as Ethernet Frames) vs. just having IP traffic (what most people need). Or if you want to permanently forward multiple protocols or users through the same connection in which case the VPN may be easier.

One disadvantage of some VPNs, not all, is that if you are connecting to them from remote locations you may find that certain protocols, such as IPsec, may be blocked by some providers.

In general, I find that if you are just making single connections, SSH will be far easier to manage, whether you are doing this manually or via scripts.

If you have a more complex network with lots of unencrypted protocols you may opt to go the VPN route.

Both are good solutions and if anything I'd suggest to try both of them for a while to see which one best fits your needs.

Personally, I tend to lean towards SSH as my go-to tool because it's extremely flexible, but I do occasionally recommend VPNs for larger site-to-site connections or for clients that are 100% Windows shops.

In high security environments I use both and run all the SSH connections through a VPN. You may want to try this as well.

Ultimately, due to the flexibility of SSH, the two are very similar, and a lot of the decision will come down to your personal preference and needs.

Trey Blalock

I would be very worried about a security "expert" who thinks that the terms SSH and VPN apply to the same functionality. I assume that the tale has lost something in the retelling.

VPN simply means an encrypted network connection. There are multiple technologies which can deliver that: TLS, PPTP, and even SSH, amongst other things. Assuming you are talking specifically about a TLS VPN...

TLS and SSH have very different trust models. For SSH, trust is established between the client and the server. With TLS, both the client and the server place their trust in the certification authority. The latter provides for some centralisation of control, but comes at the cost of a greater attack surface.

Leaving aside the conceptual model of trust, looking at the vulnerability history of SSH compared with TLS, it's not too surprising that SSH has fewer published security defects than TLS: it's a much simpler protocol.

IMHO, the concept of trying to add security into the network is fundamentally flawed: each node on the network should be secure, and all connections should be authenticated at the end points (firewalls in between only help to cut down the noise). Hence my recommendation would be to use the appropriate technology for the application: SSH for shell and X Window access, TLS for HTTP, SMTP and IMAP. But for UDP-based protocols or TCP connections requiring low latency, IPsec is a good alternative to a conventional SSL/SSH tunnel.

There are some areas where the technology does not explicitly support one or the other (e.g. many database servers) and some where it is deeply baked into the protocol (e.g. FTPS vs. SFTP), but that should be considered on a protocol-by-protocol basis.

symcbean
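The trust-model difference symcbean describes, as an added Python example that is not from the original answer: an SSH client pins each server's host key in known_hosts on first contact and compares it on every later connection, with no certification authority involved. The host names and key blobs below are constructed, not real server keys.

```python
"""SSH host-key pinning (the known_hosts trust model) in miniature.
Added example, not from the original post; keys and hosts are constructed."""
import base64
import hashlib

def fingerprint(blob: bytes) -> str:
    """SHA256 fingerprint in the same form ssh-keygen -lf prints it."""
    digest = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    return "SHA256:" + digest

def parse_known_hosts(text: str) -> dict:
    """host -> (key type, raw key blob); hashed (|1|...) and comment lines skipped."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.startswith("#") or fields[0].startswith("|1|"):
            continue
        for host in fields[0].split(","):      # one entry may list several names
            pinned[host] = (fields[1], base64.b64decode(fields[2]))
    return pinned

def check_host_key(pinned: dict, host: str, key_type: str, blob: bytes) -> str:
    """'trusted' if the presented key matches the pin, 'unknown' on first contact
    (the trust-on-first-use decision), 'MISMATCH' if a pinned key has changed."""
    if host not in pinned:
        return "unknown"
    return "trusted" if pinned[host] == (key_type, blob) else "MISMATCH"

def ed25519_blob(raw32: bytes) -> bytes:
    """Wire encoding of an ssh-ed25519 public key: two length-prefixed strings."""
    t = b"ssh-ed25519"
    return len(t).to_bytes(4, "big") + t + len(raw32).to_bytes(4, "big") + raw32

# constructed sample keys: fixed bytes standing in for real 32-byte public keys
GOOD = ed25519_blob(bytes(range(32)))
ROGUE = ed25519_blob(bytes(range(32, 64)))
KNOWN_HOSTS = "bastion.example,10.8.0.1 ssh-ed25519 " + base64.b64encode(GOOD).decode()

if __name__ == "__main__":
    pins = parse_known_hosts(KNOWN_HOSTS)
    print(fingerprint(GOOD), check_host_key(pins, "10.8.0.1", "ssh-ed25519", ROGUE))
```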