1

I have a situation where we (as a SaaS vendor) are migrating one of our clients away from their local premise to our public SaaS.

However as a security concern they want to route all their TCP traffic over an IPSEC Tunnel to our application. Now i'm not very familiar with doing that (i've done it once) and i don't believe in just doing things like that quickly.

But it makes me wonder, is that really neccesary if we already use a strong TLS1.2 encryption on the webserver? I constantly check to ensure we keep an A+ score on ssllabs.com/ssltest and i'm wondering if that isn't secure enough?

Obviously i can understand that adding an extra layer of encryption will always be more secure. But i want to see if there is an argument to be made for the pros and cons of this.

Is there anyone who has any insight into this?

Jdeboer
  • 13
  • 3
  • You may want to review [this answer](https://security.stackexchange.com/a/45450/3365) and see if any of the context matches what your client wants to do. – gowenfawr May 27 '19 at 13:56
  • Hi @gowenfawr, thanks for your answer. I've read the answer and it does provide some helpfull insight. I can already see that combining the two and using them together would be good. But i'm interested in if this provides any real added value or if it's just adding in layers to add in layers. – Jdeboer May 27 '19 at 14:15

2 Answers2

0

IPSEC is not focusing data safety without sub-protocols. You can review ESP, AH, IKE sub-protocols for a better comparison with SSL/TLS.

Yes they have both same goal but with tunnel you will have some management capabilities which are listed below.

  • they can access your server with a private ip space (so they will not whitelist your application domain address on http proxies of their outgoing traffic gateway or will be easier for DLP configurations etc.).
  • They can ask a web server which is not accessible over WAN (for safety purposes).
  • SSL/TLS is an third party dependency, the certificate vendor so this is a additional liability. You can build up a tunnel without any additional party dependency.
  • Network administrators can write custom routing with that tunnel, otherwise they have to route this traffic to the WAN.
  • They can write additional QoS rules easier if they try to manage all traffic between two network. Without tunnel they will apply this rule to all outgoing traffic which will use more resource then this solution.
  • They can validate status of your network and web server, they will be able to identify problem directly.
  • They can accept traffic (from you to them) over that tunnel.
  • ...

So as last word, tunnel will you give more control for your network operations.

alnbhclyn
  • 254
  • 1
  • 7
0

Now i'm not very familiar with doing that (i've done it once) and i don't believe in just doing things like that quickly.

This is actually something that can be comfortably deployed in an afternoon, if the infrastructure is in place. It's fairly simple to configure, it's limited in scope, and doesn't require expensive or unique equipment. If you include documentation within an existing documentation framework, call it one day.

vidarlo
  • 12,850
  • 2
  • 35
  • 47