OPENSSL vs IPSEC
Just a very general question, but can somebody tell me when I use OpenSSL and when IPSEC to secure data transfer over the internet? It seems both of them are doing the same thing, only at different levels of the network protocol stack. So I am not absolutely sure why we need both of them.
Cheers for your help
Yes, different levels of the network protocol. One is implemented in the OS and the other in an application.
So the reason that both are needed:
IPSEC can secure all traffic including that from applications that don't use encryption. But, both sides must use an OS that supports IPSEC and must be configured by the system administrator.
SSL can secure the traffic for one application. It does not need to use a particular OS and it does not need administrator access permissions to configure it.
You are getting it all wrong, buddy... IPSEC is required for secure communication between two machines.
Say you want to send a packet to another machine, but you want that no one could possibly even determine what protocol you are using (TCP/UDP, etc.); then you use IPSEC. And that is not all; there is so much more to explore about IPSEC.
OpenSSL, you can say, is just an encryption/authentication functions library.
A clear difference could be understood with a little example.
Suppose you want to secure traffic between two machines, so you create a secure encrypted packet and send it to the other machine, where it needs to be decrypted based on security associations. All this is part of the IPSEC protocol.
When encrypting the packet on your sending machine, you may have used some C/Linux functions to encrypt the packet. This is where OpenSSL comes into place.
Similarly, on the other end, when you capture the packet and extract the required part, you can decrypt it using the OpenSSL function used on your machine.
I tried explaining it as best I could... hope it helped!!! If you still have any doubt, do clear it up!!!
IPSec is based on a configuration file that runs in the background and encrypts all the data between two machines. This encryption is based on IP pairs, an initiator and a responder (at least that's the configuration they use at my workplace, which more or less conforms to the standards). ALL the IP traffic between the two machines is then encrypted. Neither the type nor the content of the traffic is shown. It has its own encapsulation that encapsulates the WHOLE packet (including all the headers that the packet previously had). The packet is then decapsulated (if that's a word) at the other end to get a fully formed packet (not just the payload). The encryption might be using the encryption provided by SSL (e.g. OpenSSL).
SSL, on the other hand, encrypts the data and then you can do whatever you want with it. You can put it on a USB stick and then give it to someone, or just keep it encrypted locally to prevent data theft, or send it over the internet or a network (in which case the packet itself won't be encrypted, only the payload, which will be encrypted by SSL).
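The last two answers both come down to which bytes an observer on the path can still read: with IPsec ESP in tunnel mode the whole inner packet (headers included) is hidden behind a new outer header, while application-layer protection such as TLS leaves the IP and TCP headers in the clear and encrypts only the payload. The following is an added example, not code from any of the answers above: it builds simplified IPv4/TCP packets, wraps them both ways, and reports what a passive observer (IDS, NetFlow, anyone on path) can read without the keys. The packet layouts are simplified (no checksums, no ESP padding or ICV), and the cipher is a toy HMAC-based XOR keystream standing in for the real AES-GCM transform so the code runs offline.

```python
import hashlib
import hmac
import socket
import struct


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy XOR keystream derived with HMAC-SHA256. NOT a real cipher: it only
    stands in for the AES-GCM/ESP transform so the example runs without OpenSSL."""
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))


def ip_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal IPv4 header (checksum left at zero; enough to show the layout)."""
    return struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))


def tcp_packet(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Plain IPv4/TCP packet: addresses, ports and payload all readable on the wire."""
    tcp = struct.pack(">HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 65535, 0, 0)
    return ip_header(src, dst, 6, 20 + len(payload)) + tcp + payload


def tls_style(src: str, dst: str, sport: int, dport: int, app_data: bytes, key: bytes) -> bytes:
    """Application-layer protection (what SSL/TLS gives you): only the TCP payload
    is encrypted; source/destination IP, protocol number and ports stay visible."""
    return tcp_packet(src, dst, sport, dport, keystream_xor(key, b"app", app_data))


def esp_tunnel(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int, key: bytes) -> bytes:
    """IPsec ESP tunnel mode (simplified, no padding/ICV): the WHOLE inner packet,
    headers included, is encrypted and placed behind a new outer IP header."""
    esp_hdr = struct.pack(">II", spi, seq)               # SPI and sequence number are in clear
    body = keystream_xor(key, esp_hdr, inner + b"\x04")   # trailing next-header = 4 (IPv4)
    return ip_header(gw_src, gw_dst, 50, 8 + len(body)) + esp_hdr + body  # protocol 50 = ESP


def esp_decapsulate(outer: bytes, key: bytes) -> bytes:
    """Receiving gateway: strip the outer header, decrypt, recover the full inner packet."""
    esp_hdr, body = outer[20:28], outer[28:]
    plain = keystream_xor(key, esp_hdr, body)
    assert plain[-1] == 4, "unexpected next-header value"
    return plain[:-1]


def visible_fields(packet: bytes) -> dict:
    """What a passive observer can read from the outermost headers without any key."""
    info = {"src": socket.inet_ntoa(packet[12:16]), "dst": socket.inet_ntoa(packet[16:20]),
            "proto": packet[9]}
    if info["proto"] == 6:  # TCP headers are only readable when not wrapped in ESP
        info["sport"], info["dport"] = struct.unpack(">HH", packet[20:24])
    return info
```

For the ESP case `visible_fields` yields only the two gateway addresses and protocol 50, which is exactly why monitoring tools see an IPsec tunnel as one opaque flow, while the TLS case still exposes the real endpoints and ports.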