MultiNet Security Options Comparison - SSH, IPSEC, and Kerberos

WHEN TO USE SSH
SSH provides secure communication for trans- mitting data through an unsecured network such as the Internet. Even though Virtual Private Networks (VPN’s) using IPSEC provide the same basic function (secure communication between the remote office or telecommuter communication with Corporate Headquarters), there are some instances where SSH would be a better choice than IPSEC or Kerberos.

For example, if you have very specific point-to- point secure communication requirements, then SSH would be the better solution. SSH client/server models can easily encrypt data from one point to another. SSH can encrypt any application for the duration of a session, provided the application has a known port. Applications that meet this criteria include e- mail, database connections, and printing sym- bionts. The advantage to encrypting selected applications is that it reduces the potential of creating unnecessary network overhead associ- ated with encrypting all applications as is done with VPN’s using IPSEC.

WHEN TO USE IPSEC
IPSEC can be used to create an IP-based Virtual Private Network (VPN). IPSEC has the ability to encrypt higher layer protocols, including TCP and UDP sessions, thus offering the greatest flexibility of all the existing TCP/IP cryptosystems. IPSEC provides network security by encrypting all data in the VPN tunnel. A branch office or telecommuter can access data at Corporate Headquarters from any worldwide location via a connection to their local service provider. This alleviates costly long-distance charges via dialup for organizations that use IPSEC to tunnel data securely through the Internet.

WHEN TO USE KERBEROS
Kerberos is designed to address the problem of authentication in a network of “slightly trusted” client systems. “Slightly trusted” means that the servers will not simply take the client’s word that a particular user has logged in. Kerberos is designed to enable two parties to exchange private information across an otherwise open network by assigning a unique key, called a ticket, to each user that logs on to the network. The ticket is then embedded in messages so that the sender can be identified.

Kerberos uses dedicated authentication servers that can be hosted on machines physically distinct from any other network services, such as file or print servers. The authentication servers possess secret keys for every user and server in the network. Kerberos is ideal for situations where centralized administration is desired. An authentication server can be maintained in one location serving many Kerberos users. As an aside, SSH can be configured to work with Kerberos authentication, thereby eliminating the SSH authentication configuration requirements.