
We have a cloud-based digital platform at work and we have the ability to connect to our cloud-based ERP system. The ERP provider has given 2 options to connect: 1) a connector which uses HTTPS, or 2) VPN.

I am trying to make a decision as to which is the most secure and easy to implement.

Both TLS connection and VPN provide a secure tunnel which is encrypted and everything traversing the tunnel is encrypted including authentication credentials.

I know with VPN, one can dictate encryption algorithms to be used. I believe with the VPN option, there will be mutual authentication (i.e. certificate on the VPN client and at the destination, the VPN server). However, with the TLS option we have a username and password option for authentication or certificate based. I would choose the latter.

So what am I gaining with VPN that I do not gain with HTTPS (TLS)?

Architect
  • You might find some useful info in the answers to [this question](https://security.stackexchange.com/q/140437/3365) – gowenfawr Jul 06 '21 at 15:25
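What the question's "certificate based" TLS option amounts to in practice, as an added example that is not code from the question, the ERP vendor or the connector: both ends load their own certificate and verify the peer against a private CA, and the protocol floor and cipher allow-list are pinned on both sides, which are the same knobs the question attributes to the VPN. The file names, the cipher policy and the `localhost` server name are assumptions; the loopback handshake at the bottom only runs when those files exist.

```python
"""Added example, not code from the question or the ERP vendor: what the
"certificate based" TLS option looks like when both sides verify the peer
against a private CA, with the TLS version floor and cipher allow-list
pinned in the same way the question says only the VPN lets you dictate."""
import os
import socket
import ssl
import threading

# Placeholder file names for a private PKI (assumed, not from the page).
# The loopback demo at the bottom only runs when they exist.
CA_FILE = "ca.pem"
SERVER_CERT, SERVER_KEY = "server.pem", "server.key"
CLIENT_CERT, CLIENT_KEY = "client.pem", "client.key"

# Assumed cipher policy for TLS 1.2: forward-secret AEAD suites only.
# TLS 1.3 suites are selected separately by OpenSSL and are all AEAD.
CIPHERS = "ECDHE+AESGCM:ECDHE+CHACHA20"


def hardened_context(side: str) -> ssl.SSLContext:
    """Create a server or client context with the policy applied before
    any certificate material is loaded."""
    proto = ssl.PROTOCOL_TLS_SERVER if side == "server" else ssl.PROTOCOL_TLS_CLIENT
    ctx = ssl.SSLContext(proto)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # no TLS 1.0/1.1, no SSLv3
    ctx.verify_mode = ssl.CERT_REQUIRED            # the peer MUST present a cert
    ctx.set_ciphers(CIPHERS)
    return ctx


def server_context(certfile=SERVER_CERT, keyfile=SERVER_KEY, cafile=CA_FILE):
    ctx = hardened_context("server")
    ctx.load_cert_chain(certfile, keyfile)   # the server's own identity
    ctx.load_verify_locations(cafile)        # trust only our CA for client certs
    return ctx


def client_context(certfile=CLIENT_CERT, keyfile=CLIENT_KEY, cafile=CA_FILE):
    ctx = hardened_context("client")
    ctx.check_hostname = True                # name in the server cert must match
    ctx.load_verify_locations(cafile)        # private CA only, not the system roots
    ctx.load_cert_chain(certfile, keyfile)   # the client's own identity
    return ctx


def describe(ctx: ssl.SSLContext) -> dict:
    """Plain-data summary of the policy a context enforces."""
    return {
        "min_version": ctx.minimum_version.name,
        "peer_cert_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "ciphers": [c["name"] for c in ctx.get_ciphers()],
    }


def loopback_handshake(host="127.0.0.1", server_name="localhost"):
    """One mutual-TLS handshake over loopback; returns the client
    certificate subject as the server saw it.  Assumes the server cert
    carries `server_name` in its SAN."""
    srv, cli = server_context(), client_context()
    listener = socket.socket()
    listener.bind((host, 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    seen = {}

    def serve():
        raw, _ = listener.accept()
        with srv.wrap_socket(raw, server_side=True) as tls:
            seen["client_subject"] = tls.getpeercert()["subject"]
            tls.sendall(b"ok")

    t = threading.Thread(target=serve)
    t.start()
    with socket.create_connection((host, port)) as raw, \
            cli.wrap_socket(raw, server_hostname=server_name) as tls:
        tls.recv(2)
    t.join()
    listener.close()
    return seen["client_subject"]


if __name__ == "__main__":
    print(describe(hardened_context("client")))
    if all(os.path.exists(f) for f in (CA_FILE, SERVER_CERT, CLIENT_CERT)):
        print("client authenticated as", loopback_handshake())
```

The point of `load_verify_locations(cafile)` on both sides is that neither end accepts the public root store: a certificate from any other CA, even a valid one, fails the handshake, which is the closest HTTPS equivalent of the VPN's certificate-on-both-ends model the question describes.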

2 Answers


As long as you are limiting yourself to only HTTP protocols, then yes there is little difference. One can argue about degrees of visibility and threat surfaces, but that's not the key difference.

The thing that VPNs bring to the game is right in the name, Virtual Private Network. It gives you the same access and protocol capability as if it were directly network connected. Files can be directly accessed and edited, programs can be run, copies can be made, etc. without needing a remote middleman service to do it for you. Conversely, if these are not services you need or want, then they become a potential risk.

user10216038

VPN provides DNS over an encrypted connection.

TLS (PKI) can tell you a site you are visiting by domain name is not presenting a valid certificate. But this requires users to notice. In an enterprise this is a weak control.

But, for me, the biggest advantage is keeping my DNS private. I don’t want the person next to me in a coffee shop to see that my browser has a background tab communicating with vpn.fbi.gov servers. Maybe that’s a weak example but the point is there’s a lot you can learn about someone from the domain names they resolve.

There’s also the really annoying problem that not every website sends everything over TLS and can leak information pulling resources from HTTP sites.

So typically a VPN is like an armored car while TLS is a bulletproof vest.

Also you can expose things like Windows Kerberos, databases, or SSH ports over VPN that are hard to use over HTTPS.

Jonathan
  • It should be pointed out that most Operating Systems nowadays support complete DNS over TLS. You don't need a VPN to encrypt your DNS queries. – Private_GER Jul 31 '21 at 15:21
  • Better to assume DNS is clear text. They might have “support” but DNS is clear text today. Ex: in 2020 Apple told developers they could create apps utilizing secure DNS - not that the entire internet would switch over overnight. https://www.zdnet.com/article/apple-adds-support-for-encrypted-dns-doh-and-dot/ – Jonathan Aug 01 '21 at 17:38
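The DNS exposure the answer and the comment thread argue about, as an added example that is not code from the answer or its commenters: a DNS query in its wire format, the question name an on-path observer reads out of the cleartext UDP/53 message, and the same message framed the way DNS over TLS (RFC 7858) carries it, with the two-byte length prefix inside the TLS stream. Every packet here is constructed by hand; `vpn.fbi.gov` is reused from the answer, and the answer address `192.0.2.10` is a made-up value from the documentation range.

```python
"""Added example, not code from the answer: what an on-path observer reads
from a cleartext DNS query versus how the same message is carried over
DNS over TLS (RFC 7858), which keeps the TCP two-byte length prefix but
wraps it in a TLS session.  All packets below are constructed by hand."""
import struct

QTYPE_A = 1
CLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def decode_name(msg: bytes, off: int):
    """Read a name at `off`, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as it appeared in `msg`)."""
    labels, end, jumped = [], None, False
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                       # 2-byte pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if jumped else off)


def build_query(name: str, txid: int = 0x1234, qtype: int = QTYPE_A) -> bytes:
    """Header (flags: RD set), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def parse_message(msg: bytes) -> dict:
    """Pull the question names and A-record answers out of a DNS message.
    Over UDP/53 this is exactly what the person at the next table sees."""
    txid, flags, qd, an = struct.unpack("!HHHH", msg[:8])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = decode_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, ".".join(str(b) for b in rdata)))
    return {"id": txid, "response": bool(flags & 0x8000),
            "questions": questions, "answers": answers}


def dot_frame(msg: bytes) -> bytes:
    """DNS over TLS carries each message with a 2-byte big-endian length
    prefix inside the TLS stream; only TLS records are visible outside."""
    return struct.pack("!H", len(msg)) + msg


def dot_unframe(stream: bytes) -> list:
    """Split a decrypted DoT byte stream back into DNS messages."""
    msgs, off = [], 0
    while off + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[off:off + 2])
        off += 2
        msgs.append(stream[off:off + n])
        off += n
    return msgs


def sample_response(query: bytes) -> bytes:
    """Constructed reply to `query`: same id, QR/RD/RA flags, the question
    echoed, and one A record whose name is a pointer to offset 12."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    answer = (b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 300, 4)
              + bytes([192, 0, 2, 10]))   # 192.0.2.10: documentation range
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("vpn.fbi.gov")
    print("cleartext query exposes:", parse_message(q)["questions"])
    print("same message as a DoT frame:", dot_frame(q).hex())
```

The thing to notice is that `parse_message` needs nothing but the bytes on the wire: the name is a sequence of ASCII labels, so any passive observer of UDP/53 recovers it, which is the leak the answer describes. With DoT the identical message sits behind `dot_frame` inside a TLS session, so the observer sees a TLS connection to port 853 and nothing about the names; the comment thread's disagreement is only about whether a given stub resolver actually uses that path by default.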