Security of a SSH tunnel versus VPN

Do you have a question? Post it now! No Registration Necessary.  Now with pictures!


we want to use a MySQL database from a web application on our server
in the USA on our central database server in Germany. After studying
the possibilities with a SSH tunnel, I thought, that SSH tunneling
with publickey authentication, firewall restriction to allow only the
IP address of the server in USA, together with a waiting daemon
process as login shell (the user should not use his/her account)
should be the best way to do it. The SSH server is located in our
first demilitarized zone and the database machine within the second
zone behind our second firewall.

Now an external company, that works on security and firewall
solutions, classified this solution as potential security risk for our
intranet. A VPN solution via AT&T should be the optimal solution from
their viewpoint. Ok, SSH is an open protocol, so any defects in the
openssh/ssl software are known to hackers.

I know that there are many papers and articles in the WWW, but I
haven't found any article, that gives clear pro and cons from the
security point of view.

Are there any other security risks, that come with a SSH tunneling
solution, or can a SSH-tunnel for database access be considered as
secure as a VPN solution form AT&T?

Thanks for advices and comments.

Best Regards / Mit freundlichen Grüßen

R. Rohmfeld

Site Timeline