6

As I understand, IPSec protects packets at IP layer and SSL/TLS at transport layer?

Is there a scenario in which we might want to use both?

Jay
  • Related [Does mixing different types of encryption make the connection more secure?](http://security.stackexchange.com/questions/67244/does-mixing-different-types-of-encryption-make-the-connection-more-secure) – Ulkoma Sep 06 '15 at 19:44

3 Answers

5

Absolutely. In fact, I'm posting this answer using both IPSec (via VPN) and TLS (via HTTPS). As you noted, the technologies are similar as they both provide confidentiality and integrity on communications. Sometimes, as discussed in gowenfawr's answer, there is little value in using the two combined, but sometimes there is value.

Both protocols encrypt the contents of messages but leave the envelope unencrypted. The envelope contains information about the protocol being communicated and the site that you are communicating with. So, someone watching my home network connection can see that I'm using IPSec to connect to my VPN provider, but they cannot tell that I'm posting on StackExchange. If I wasn't using VPN, someone monitoring my home network connection would see that I'm posting on StackExchange (specifically security.SE), but not be able to see what I'm posting or what question I'm responding to.

I should point out that the VPN doesn't totally hide my connection to StackExchange; it just hides it between my home and my VPN provider. Someone watching my VPN provider's outbound connection would see the posting to StackExchange, they just wouldn't be able to match it to me.

So this answer posting is IPSec and TLS encrypted between my home and my VPN provider and just TLS encrypted from my VPN provider to StackExchange.

Whether this is an interesting distinction or not is up to you. It will likely depend on the task you are performing.

Neil Smithline
2

Another advantage not mentioned in other responses, and one for the really paranoid, is that in the event of a critical vulnerability being detected in one of the technologies, one would still have the benefit (confidentiality and integrity on communications) of the other technology.

D.H.
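The two answers above make concrete, checkable claims: an observer on the home link sees only "IPSec to the VPN gateway", an observer past the VPN gateway sees the destination and SNI but not the request body, and losing the key of one layer does not expose what the other layer protects. The following is an added example written for this thread, not code from any of the answerers. It models ESP tunnel mode wrapped around a TLS session in pure Python; the cipher is a toy AEAD built from `hashlib`/`hmac` standing in for AES-GCM, and every address, SPI and HTTP request in it is a constructed sample value.

```python
"""Layering IPsec (ESP tunnel mode) under TLS, modelled in pure Python.

Constructed example for this thread.  The cipher is a toy AEAD (SHA-256
counter-mode keystream plus an HMAC-SHA256 tag) that stands in for AES-GCM;
the addresses, SPI and HTTP request are made-up sample values.  The point is
the layering: which fields each on-path observer can read at each leg, and
what a leaked key at one layer does and does not expose.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 12, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # SHA-256 used as a PRF in counter mode; a stand-in for a real stream cipher
    blocks, counter = b"", 0
    while len(blocks) < length:
        blocks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return blocks[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag first, then decrypt; a modified blob is rejected."""
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def build_inner_packet(tls_key: bytes, http_request: bytes) -> dict:
    """The packet as it leaves the VPN gateway: IP/TCP headers and the TLS
    ClientHello's SNI are cleartext; only TLS application data is encrypted."""
    return {
        "ip": {"src": "203.0.113.7", "dst": "198.51.100.20"},  # VPN egress -> web site (constructed)
        "tcp": {"dport": 443},
        "tls": {"sni": "security.stackexchange.com",
                "app_data": seal(tls_key, http_request).hex()},
    }


def build_esp_packet(esp_key: bytes, inner: dict) -> dict:
    """ESP tunnel mode: the whole inner packet becomes the encrypted payload; the
    outer IP header (home -> VPN gateway) and the SPI are all that stays visible."""
    return {
        "ip": {"src": "192.0.2.10", "dst": "203.0.113.1"},  # home -> VPN gateway (constructed)
        "esp": {"spi": "0x1a2b3c4d",  # constructed SPI
                "payload": seal(esp_key, json.dumps(inner).encode()).hex()},
    }


def observe_inner(inner: dict, keys: dict) -> dict:
    """What someone holding the decapsulated (post-VPN) packet can read."""
    seen = {"src": inner["ip"]["src"], "dst": inner["ip"]["dst"],
            "dport": inner["tcp"]["dport"], "sni": inner["tls"]["sni"]}
    if "tls" in keys:  # only a TLS key reveals the application data
        seen["http_request"] = unseal(keys["tls"], bytes.fromhex(inner["tls"]["app_data"])).decode()
    return seen


def observe_outer(outer: dict, keys: dict) -> dict:
    """What someone on the home link holding the given keys can read."""
    seen = {"src": outer["ip"]["src"], "dst": outer["ip"]["dst"],
            "proto": "ESP", "spi": outer["esp"]["spi"]}
    if "esp" in keys:  # without the ESP key there is no inner packet to inspect
        inner = json.loads(unseal(keys["esp"], bytes.fromhex(outer["esp"]["payload"])))
        seen["inner"] = observe_inner(inner, keys)
    return seen


def vantage_points() -> dict:
    """Build one layered packet and report what each observer can recover."""
    esp_key, tls_key = os.urandom(32), os.urandom(32)
    request = b"POST /questions/<id>/answer HTTP/1.1\r\nHost: security.stackexchange.com\r\n\r\n..."
    inner = build_inner_packet(tls_key, request)
    outer = build_esp_packet(esp_key, inner)
    return {
        "home_link": observe_outer(outer, {}),
        "vpn_egress": observe_inner(inner, {}),  # provider decapsulated ESP and forwards `inner`
        "home_link_esp_key_leaked": observe_outer(outer, {"esp": esp_key}),
        "home_link_tls_key_leaked": observe_outer(outer, {"tls": tls_key}),
        "vpn_egress_tls_key_leaked": observe_inner(inner, {"tls": tls_key}),
    }


if __name__ == "__main__":
    for point, view in vantage_points().items():
        print(point, json.dumps(view, indent=2))
```

Running it prints one view per vantage point: the home link shows only the outer addresses and SPI, the VPN egress shows the destination and SNI, and the request body appears only where a TLS key is held together with access to the inner packet, which is exactly the "one layer still protects you" argument made above.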
1

See also What is the difference between SSH and IPSec? - the same rules apply. Both may be used without issue, and often are (e.g. I VPN into my work and access webmail over HTTPS).

There's rarely a security advantage to be had in layering the two; either provides sufficient security for the leg of traffic they cover.

gowenfawr