This is half answers half questions. 8)

My understanding is that there was a version of PPTP that was so bad from
the crypto point of view that a lot of people got put off. Bear in mind that
PPTP is at least partially a Microsoft protocol (codeveloped with Cisco - I
think based on L2TP from memory).

Q: Has anyone had a good look at the latest version? Am I running on old
info or should I still steer clear?

Certainly I would tend to lean towards something like IPSec which gives you
a much more "industry standard" method of implementing a dialup VPN. It's
also nice in that you can choose your level of encryption / authentication
on a sliding scale with speed to suit your needs. You can get several cheap
/ free IPSec clients that install onto your mobile users' laptops.

In terms of the authentication, your Cisco box will be able to authenticate
dialup users against a TACACS+ server and I think offhand it can deal with
RADIUS as well. If you want a one-time password type system that doesn't use
SecurID etc, there is a cool thing called S/Key which is software only, and
public domain. The ins and outs are a little involved for such a short post,
but there is plenty of info out there. 

Q: Does anyone know of a solution that will allow me to use S/Key as the
auth mechanism, but still have my Cisco box authenticate the dialup users? I
presume that I would need a RADIUS or TACACS+ box that supported S/Key, but
the only way I have found so far is to roll-my-own solution. Sadly, these
tend to raise customer eyebrows in my neck of the woods - commercial
solutions are all the go.

This won't apply for those users that are coming in via the Internet, but
you can use a Certificate Authority as part of your client IPSec setup -
this means that a h4x0r would need to guess a user's password (hopefully
hard) and forge their X.509 certificate (definitely hard). Sadly, they could
substitute stealing the laptop for the second step, and hope to hack the
system before you revoke that certificate.

Read about IPSec. Personally, I think it rocks.

Cheers!

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
Direct: +61 8 8422 8319 Mobile: +61 414 411 520



 -----Original Message-----
From:   Rajeev Kumar [mailto:[EMAIL PROTECTED]] 
Sent:   Wednesday, June 09, 1999 12:53 AM
Cc:     [EMAIL PROTECTED]
Subject:        VPN/PPTP and Dial-up

This is a very general question:
        Our organization currently has a Dial-up server (using a Cisco Dialup
Router). But soon we are planning for some kind of VPN access such that
people working from homes and remote offices can dial in through their
ISPs directly. Considering the cost benefit, a service like PPTP can be a
viable option.  Can somebody throw light on this technology?
The goal here is:

[1] Provide a low cost dial-up solution for on the road/remote users. What
are the possible solutions here?

[2] Should be secure enough both encryption wise and authentication wise.
We want authentication more than just NT Domain/NIS login/passwd. I
have heard about Secure Key IDs, any ideas on these (will prefer low
cost again). Freeware/shareware more than welcome.

Other points for our consideration:

->Does Cisco provide a PPTP implementation yet and if yes how good is
that? Is the idea of Routing/Packet-filtering and
PPTP service on one box good at all?
->Is the Linux implementation of PPTP good enough?
->Pros and Cons of Microsoft PPTP server. Can this be considered secure
enough if we just open PPTP related ports to it and block other
access?
->Where should we put this PPTP server, in front of or behind the
Firewall/Packet filtering box?

Any response will be greatly appreciated. I will summarize finally.

Thanks,

Rajeev([EMAIL PROTECTED])
Fluent Inc.
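
How the S/Key scheme mentioned in the reply works, as an added sketch that is not part of either message: the server keeps only the last accepted one-time password and checks that hashing the next response reproduces it. Assumptions: SHA-256 cut to 64 bits stands in for S/Key's own hash, and the names OtpServer, step and otp and the sample values are made up for illustration.

```python
import hashlib
import hmac

def step(value: bytes) -> bytes:
    # One link of the chain. Stand-in hash (assumption): SHA-256 cut to 64 bits,
    # so the output is not interoperable with real S/Key clients.
    return hashlib.sha256(value).digest()[:8]

def otp(passphrase: str, seed: str, count: int) -> bytes:
    # Client side: hash seed + passphrase once, then apply step() count times.
    value = step((seed.lower() + passphrase).encode())
    for _ in range(count):
        value = step(value)
    return value

class OtpServer:
    # Hypothetical server-side record for one user. It never holds the
    # passphrase, only the last accepted OTP and its sequence number.
    def __init__(self, seed: str, count: int, enrolled_otp: bytes):
        self.seed, self.count, self.stored = seed, count, enrolled_otp

    def challenge(self):
        # Ask for the OTP one step earlier in the chain than the stored one.
        return self.count - 1, self.seed

    def verify(self, response: bytes) -> bool:
        if self.count <= 0:
            return False  # chain used up, user must re-enrol
        if not hmac.compare_digest(step(response), self.stored):
            return False  # wrong passphrase, or a replayed older OTP
        self.stored, self.count = response, self.count - 1
        return True

if __name__ == "__main__":
    secret, seed = "constructed passphrase", "ke1234"  # constructed sample values
    server = OtpServer(seed, 5, otp(secret, seed, 5))
    n, s = server.challenge()
    answer = otp(secret, s, n)
    print("first login:", server.verify(answer))
    print("replay of same OTP:", server.verify(answer))
```

A password sniffed off the dial-up line is useless for the next login, because the next challenge asks for a value that can only be derived from the passphrase, not from the captured one.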
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]