> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, December 27, 1998 11:27 PM
> To: [EMAIL PROTECTED]
> Subject: [FW1] PPTP through Checkpoint Firewall
>
> I have a Checkpoint firewall, single gateway non-VPN version, connected to
> the internet. We wanted to have a virtual private network using PPTP with a
> remote site which is connected to the internet through dial-up.
>
> I have heard that PPTP is not very secure. Kindly shed some light on the
> pros and cons of using it and identify the best online resources for its
> configuration. Also, how can one give it access through FW-1?
Microsoft's implementation of PPTP is reasonably secure. You can set very
strong encryption (128-bit) for data privacy. But there is a documented
attack on the _authentication_ handshake. If someone can sniff the PPTP
packet flow, it is possible to gain user session information, including
password hashes.

However, as with all VPN implementations, I suggest using OTP authentication
using tokens. With this strong authentication it doesn't matter if someone
actually captures the one-time password, because he/she will not be able to
use it a second time. The session key can be gathered with the above attack,
but I have not seen any successful man-in-the-middle attack against a PPTP
session. It is, however, possible to decrypt the data stream with this
session key (as far as I know).

The downside of PPTP is that you cannot bring it in or out of a proxy, or
past a firewall with NAT. A different VPN or tunnel protocol like IPSec
may be the better choice.

Since you have a Checkpoint firewall, I would recommend investing a little
more in a proven (and so far attack-resistant) VPN solution using
Checkpoint (fw to fw, or client to fw via SecuRemote). In either case I
recommend tokens.

However, if funds are a problem, I see no reason not to use PPTP, but then
again, it all depends on the wealth and worth of the data you want to
protect. You need to exercise security within reason.
Regards,
Frank