Transport Layer Security (TLS) Tunneling
Also referred to as SSL/TLS tunneling or an SSL VPN.
SSL (clientless / thin-client model)
- operates from a lightweight plug-in downloaded from the gateway's web page
- needs less complex hardware on the backend
- weakness: the plug-in can be downloaded onto an insecure, unmanaged device, which gives an attacker an avenue for data leakage or for an attack on the network through the tunnel
TLS
A TLS VPN uses digital certificates to identify the hosts and establish secure tunnels for network traffic.
- the server certificate identifies the VPN gateway to the client
- optionally, the client can also be configured with its own certificate
  - allows for mutual authentication (each side verifies the other's certificate)
- TLS creates an encrypted tunnel over which the user submits authentication credentials
  - these would normally be forwarded by the gateway to a RADIUS server for processing
- once the user is authenticated and the connection is fully established, the VPN gateway tunnels all communications for the local network over the secure socket
- can use either
  - Transport Layer Security (TLS) over TCP
    - easier to use with a default firewall policy (outbound HTTPS on TCP port 443 is permitted by most default policies)
  - or Datagram TLS (DTLS) over UDP
    - may be chosen for marginally superior performance
    - especially when tunneling latency-sensitive traffic such as voice or video
  to encapsulate frames or IP packets
- main drawback
  - TLS already operates at the Session layer, so the headers from the inner (tunneled) packet and the outer IP/TCP (or IP/UDP) plus TLS record layer add up to a significant overhead, most noticeably for small packets
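The overhead drawback above, worked through as an added example that is not part of the original notes. The Python below models the bytes a TLS VPN adds around each tunneled IP packet for both transport choices (TLS over TCP and DTLS over UDP). Assumptions, not taken from the notes: IPv4 outer header and TCP header without options, a TLS 1.2 / DTLS 1.2 record layer with an AES-GCM cipher suite (8-byte explicit nonce and 16-byte tag per record), one inner packet per record, and a constructed 60-byte VoIP packet (IPv4 + UDP + RTP + 20 bytes of G.729 payload) as the sample latency-sensitive traffic.

```python
# Added example (not from the original notes): per-packet byte overhead of a
# TLS VPN tunnel, so the "headers add up" drawback and the TLS/TCP vs DTLS/UDP
# choice can be compared with numbers.
#
# Assumptions (not stated in the notes):
#   - IPv4 outer header without options, TCP header without options
#   - TLS 1.2 / DTLS 1.2 record layer with an AES-GCM cipher suite, i.e.
#     an 8-byte explicit nonce and a 16-byte authentication tag per record
#   - one tunneled packet per TLS/DTLS record

IPV4_HDR = 20           # outer IPv4 header, no options
TCP_HDR = 20            # TCP header, no options
UDP_HDR = 8
TLS_RECORD_HDR = 5      # type(1) + version(2) + length(2)
DTLS_RECORD_HDR = 13    # TLS header + epoch(2) + 48-bit sequence number(6)
GCM_EXPLICIT_NONCE = 8  # AES-GCM record nonce (RFC 5288)
GCM_TAG = 16            # AES-GCM authentication tag


def outer_layers(transport):
    """Return the (name, bytes) list of headers the tunnel adds around the inner packet."""
    if transport == "tcp":
        layers = [("outer IPv4", IPV4_HDR), ("TCP", TCP_HDR), ("TLS record header", TLS_RECORD_HDR)]
    elif transport == "udp":
        layers = [("outer IPv4", IPV4_HDR), ("UDP", UDP_HDR), ("DTLS record header", DTLS_RECORD_HDR)]
    else:
        raise ValueError("transport must be 'tcp' (TLS) or 'udp' (DTLS)")
    layers += [("AES-GCM explicit nonce", GCM_EXPLICIT_NONCE), ("AES-GCM auth tag", GCM_TAG)]
    return layers


def tunnel_overhead(inner_len, transport="tcp"):
    """Wire size and overhead for one inner IP packet of inner_len bytes carried by the tunnel."""
    layers = outer_layers(transport)
    overhead = sum(size for _, size in layers)
    wire = inner_len + overhead
    return {
        "transport": transport,
        "inner": inner_len,
        "overhead": overhead,
        "wire": wire,
        "overhead_pct": round(100.0 * overhead / wire, 1),
        "layers": layers,
    }


def max_inner_packet(outer_mtu, transport="tcp"):
    """Largest inner IP packet that fits in one outer packet of outer_mtu bytes without fragmentation.
    This is the value the tunnel interface MTU (or a TCP MSS clamp) should be derived from."""
    return outer_mtu - tunnel_overhead(0, transport)["overhead"]


def voip_packet_len(codec_payload=20):
    """Constructed sample inner packet: IPv4(20) + UDP(8) + RTP(12) + codec payload
    (20 bytes for G.729 at a 20 ms packetization interval)."""
    return 20 + 8 + 12 + codec_payload


if __name__ == "__main__":
    # Small voice packet vs. a near-MTU bulk packet, over both transports.
    for inner in (voip_packet_len(), 1400):
        for transport in ("tcp", "udp"):
            r = tunnel_overhead(inner, transport)
            print(f"{r['transport']:>3}: inner {r['inner']:5d} B -> wire {r['wire']:5d} B, "
                  f"overhead {r['overhead']} B ({r['overhead_pct']}%)")
            for name, size in r["layers"]:
                print(f"       {name:<24} {size:3d} B")
    for transport in ("tcp", "udp"):
        print(f"{transport}: max inner packet for a 1500-byte outer MTU = {max_inner_packet(1500, transport)} B")
```

For the 60-byte voice packet the tunnel more than doubles the bytes on the wire (about 53% overhead), while for a 1400-byte packet the same headers are under 5%; that is the small-packet cost the drawback refers to. The byte difference between TLS/TCP and DTLS/UDP is only 4 bytes per packet, which is why the performance gain is described as marginal: the practical reason to prefer DTLS for voice and video is that a lost UDP datagram does not hold back delivery of the datagrams behind it, whereas TCP retransmits and delivers in order. The max_inner_packet value is what to set the tunnel interface MTU to so inner packets are not fragmented on the outer path.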