ssh vs VPN - what's the difference?
Xserve@home
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 11, 2005, 11:24 PM
 
I googled ssh vs VPN and read a few articles, but I still can't tell the difference. Is one better than the other for certain environments?
     
Partisan01
Dedicated MacNNer
Join Date: Sep 2003
Location: Pittsburgh, Pennsylvania
Nov 11, 2005, 11:30 PM
 
ssh connects you to one computer while the computer you're using remains on the original network. VPN makes it appear that your workstation is on the remote network you're connecting to. This means any addresses that are internal on the remote network are accessible to your computer over a VPN.
Apple iBook, B&W, Quadra 660, PowerMac 6100
Sun Netra T1, Ultra 1, Javastation
http://natetobik.mine.nu:81
     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Nov 12, 2005, 08:11 AM
 
Good answer.

The takeaway point is that they aren't even similar applications.

VPN is a wrapper around your network interface. In the case of Mac OSX, there is a kernel extension installed that essentially (and this is overly simplified) sticks itself between your applications and the network interface and encrypts everything in between you and the VPN device on the other end.

SSH on the other hand is simply a secure remote shell on another host. There are ways of tunneling other apps over the ssh session, but it's not quite the same functionality as VPN.
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Nov 12, 2005, 06:29 PM
 
Thanks for that info. I think I'll stick with SSH then, since I don't need to see my whole internet LAN from work anyway.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Nov 12, 2005, 08:16 PM
 
Originally Posted by Kristoff
VPN is a wrapper around your network interface. In the case of Mac OSX, there is a kernel extension installed that essentially (and this is overly simplified) sticks itself between your applications and the network interface and encrypts everything in between you and the VPN device on the other end.

SSH on the other hand is simply a secure remote shell on another host. There are ways of tunneling other apps over the ssh session, but it's not quite the same functionality as VPN.
I always understood it as something like this:

Pretend you're sending your kid a few blocks walking across town to get you some groceries. SSH is encrypted, but it's kinda like putting a tin foil hat on the kid's head so nobody can read his brain. He's still outside with everyone else, but at least nobody can read his brain. VPN is kinda like constructing a tin foil tunnel from your house to the grocery store. He's the only one using the tunnel.

They're both secure... just different methods.

( Last edited by [APi]TheMan; Nov 13, 2005 at 12:23 AM. )
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Nov 12, 2005, 08:35 PM
 
hahahh.....good analogy

signatures are a waste of bandwidth
especially ones with political tripe in them.
     
turtle777
Clinically Insane
Join Date: Jun 2001
Location: planning a comeback !
Nov 18, 2005, 12:31 PM
 
Originally Posted by [APi]TheMan
VPN is kinda like constructing a tin foil tunnel from your house to the grocery store.
I did that. Works great. Nobody can see me buying groceries no more

-t
     
Xserve@home  (op)
Junior Member
Join Date: Sep 2005
Location: J a p a n
Dec 1, 2005, 07:28 PM
 
So ... VPN and IP Tunneling are essentially the same?
     
zanyterp
Mac Enthusiast
Join Date: Apr 2003
Location: manticore or people's republic of haven
Dec 12, 2005, 01:13 PM
 
not quite. a vpn will use the idea of ip tunneling, in that information is pushed out a secure line on a different port/protocol than native, but there is more encryption and protection with the vpn. (at least that is my understanding).

and a vpn puts you, the remote user, on the corporate intranet. my understanding of ip tunneling is that you are still a remote node as far as the intranet servers are concerned and you may or may not have the same type of access as if you were in the office.
some people are like slinkys: they don't do much, but are fun to push down stairs.
     
ssexton
Fresh-Faced Recruit
Join Date: Dec 2005
Dec 30, 2005, 12:15 PM
 
Originally Posted by Kristoff
The takeaway point is that they aren't even similar applications.
Not entirely true. I would say, for example, that Notepad and Quake aren't even similar applications. SSH and VPN have a bit in common. In fact, you can use SSH to create a VPN!

Both of these apps can tunnel, that is how they are similar, and may be what led to the OP question in the first place.

Dedicated VPN software will typically bring up a new network interface for you, that corresponds to the tunnel, so from the perspective of your machine it is almost like you are directly connected to the remote network. There tend to be glitches, most commonly related to private DNS names and being able to connect to the VPN and the public Internet at the same time (long story).

SSH, by itself, can only set up port forwarded tunnels, and in general requires that you have a good handle on IP networking. For example, you can set up a tunnel to a private POP3 server to check your email, but you would have to reconfigure your email client to use the tunnel. In other words, SSH tunnels get the job done, but it's a lot more intrusive.

The interesting thing to do with SSH, is to tunnel PPP, also known as "poor man's VPN". See http://www.tldp.org/HOWTO/ppp-ssh/ to get the idea, and http://www.macdevcenter.com/pub/a/ma...pn.html?page=2 for Mac-specific instructions. Because PPP also brings up another network interface, the end result has similar transparency as you would with a 'real' VPN client. The performance isn't as good though, so you want to use real VPN (PPTP, etc.) when you can.
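
The port-forwarded tunnel from the post above, as an added example that is not part of the thread: the leading comment shows the `ssh -L` invocation for the POP3 case, and the function checks `lsof` output for forwarded ports that ssh has bound to a non-loopback address, which happens with `-g` or `GatewayPorts yes` and lets other machines on the LAN use the tunnel. Host names, user names and local port 1100 are placeholders, and the `lsof` lines are constructed sample data.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Tunnel for the POP3 case (placeholder hosts, local port 1100 is arbitrary):
#   ssh -N -L 1100:pop.internal.example:110 user@gateway.example
# The mail client is then pointed at 127.0.0.1 port 1100 instead of the
# POP3 server. Traffic is encrypted only between this machine and the
# gateway; the hop from the mail client to 127.0.0.1:1100 is clear text.

# exposed_forwards: read `lsof -nP -iTCP -sTCP:LISTEN` output on stdin and
# print every listening socket owned by the ssh client that is NOT bound
# to a loopback address (i.e. reachable by other hosts on the network).
exposed_forwards() {
    awk '
        $1 == "ssh" && $NF == "(LISTEN)" {
            addr = $(NF - 1)
            host = addr
            sub(/:[0-9]+$/, "", host)   # strip the trailing :port
            if (host != "127.0.0.1" && host != "[::1]" && host != "localhost")
                print addr
        }'
}

# Constructed sample of lsof output: one loopback-only forward (IPv4 and
# IPv6 sockets), one forward opened with -g, and the sshd server socket,
# which is not a client-side forward and must be ignored.
sample_lsof() {
    cat <<'EOF'
COMMAND  PID  USER   FD  TYPE DEVICE SIZE/OFF NODE NAME
ssh     4312 alice   5u  IPv4 0xa1b2      0t0  TCP 127.0.0.1:1100 (LISTEN)
ssh     4312 alice   4u  IPv6 0xa1b3      0t0  TCP [::1]:1100 (LISTEN)
ssh     4400 alice   5u  IPv4 0xa1b4      0t0  TCP *:8080 (LISTEN)
sshd      88 root    3u  IPv4 0xa1b5      0t0  TCP *:22 (LISTEN)
EOF
}

# On a live machine: lsof -nP -iTCP -sTCP:LISTEN | exposed_forwards
sample_lsof | exposed_forwards
```

An empty result means every forward is reachable only from the local machine, which is the default for `-L` when no bind address is given.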
     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Dec 31, 2005, 07:25 PM
 
and you can make a car fly if you put wings on it and drive it fast enough.

Real VPN uses IPSEC and secures IP at the Network Layer.

SSH secures TCP/UDP at the Transport Layer.

They aren't the same.
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
VValdo
Dedicated MacNNer
Join Date: May 2001
Jan 2, 2006, 05:38 AM
 
I would say, for example, that Notepad and Quake aren't even similar applications.
what?!!


W
     
Kristoff
Mac Elite
Join Date: Sep 2000
Location: in front of the keyboard
Jan 2, 2006, 03:52 PM
 
Originally Posted by VValdo



That's as good as PSDoom
signatures are a waste of bandwidth
especially ones with political tripe in them.
     
smithley
Fresh-Faced Recruit
Join Date: Jan 2006
Jan 29, 2006, 12:14 AM
 
Originally Posted by Kristoff
and you can make a car fly if you put wings on it and drive it fast enough.

Real VPN uses IPSEC and secures IP at the Network Layer.

SSH secures TCP/UDP at the Transport Layer.

They aren't the same.
That's like saying that fishing for bass and fishing for marlin aren't even similar. What difference does the depth (of the ISO/OSI stack) make? Both VPN and SSH do the same thing: take clear-text packets, encrypt them, and send them to a remote host to be decrypted and sent clear text to the destination server. VPN adds the idea of a virtual network interface so all traffic can be routed in this way, whereas SSH only deals with point-to-point encryption of a single stream. Ultimately, VPN only uses a single stream as well, but that fact is highly transparent.

SSH uses a remote SSH server to route packets, whereas VPN will typically use a firewall, and less often a gateway. The main point (of this thread I think) is that both are equally difficult to crack. The example earlier about a foil tunnel versus encrypted packets isn't a very good one, since they both send encrypted packets out over the clear for inspection - with the possible difference that with SSH a TCP sniffer running locally won't reveal sensitive data, but with VPN it would (since the encryption is applied at a lower level).

Yes the two implementations have some very different details, but they also have a lot in common.
     
[APi]TheMan
Mac Elite
Join Date: Sep 2001
Location: Chico, CA and Carlsbad, CA.
Jan 29, 2006, 06:05 PM
 
Originally Posted by smithley
That's like saying that fishing for bass and fishing for marlin aren't even similar. What difference does the depth (of the ISO/OSI stack) make? Both VPN and SSH do the same thing: take clear-text packets, encrypt them, and send them to a remote host to be decrypted and sent clear text to the destination server. VPN adds the idea of a virtual network interface so all traffic can be routed in this way, whereas SSH only deals with point-to-point encryption of a single stream. Ultimately, VPN only uses a single stream as well, but that fact is highly transparent.

SSH uses a remote SSH server to route packets, whereas VPN will typically use a firewall, and less often a gateway. The main point (of this thread I think) is that both are equally difficult to crack. The example earlier about a foil tunnel versus encrypted packets isn't a very good one, since they both send encrypted packets out over the clear for inspection - with the possible difference that with SSH a TCP sniffer running locally won't reveal sensitive data, but with VPN it would (since the encryption is applied at a lower level).

Yes the two implementations have some very different details, but they also have a lot in common.
Wow, great points... thanks for the rundown.
"In Nomine Patris, Et Fili, Et Spiritus Sancti"

     
   
 