Just a minor correction about PPTP. [Please note my affiliation to know
about my bias ;-) ]
PPTP (Point to Point Tunnelling Protocol) was developed by Microsoft
and 3Com at the same time that Cisco and Shiva were developing L2F (Layer 2 Forwarding).
Both were proprietary. PPTP uses an extended GRE tunnel combined with
a TCP session for control, while L2F uses a UDP 'session' for both data
and control.
Microsoft and Cisco then developed L2TP (Layer 2 Tunnelling Protocol),
which is basically the function of PPTP on top of the L2F protocol. L2TP is
being finalized as an IETF draft and will eventually become an RFC.
A further note: the L2F, PPTP and L2TP protocols do not offer a confidentiality
service; data is in the clear. If you want to secure the tunnel, IPSec or MPPE
can be used.
Last note: PPTP weaknesses have more to do with the Microsoft implementation
of PPTP, which combined MPPE (Microsoft Point to Point Encryption) on top
of PPTP. And there were (are?) security issues with the key negotiation of MPPE.
Also, my favourite design is to terminate the L2TP or L2F tunnel BEFORE the firewall;
otherwise the firewall can do nothing with the encapsulated data.
Hope this helps
-eric
At 17:31 10/06/1999 +0930, Ben Nagy wrote:
>This is half answers half questions. 8)
>
>My understanding is that there was a version of PPTP that was so bad from
>the crypto point of view that a lot of people got put off. Bear in mind that
>PPTP is at least partially a Microsoft protocol (co-developed with Cisco - I
>think based on L2TP, from memory).
>
>Q: Has anyone had a good look at the latest version? Am I running on old
>info or should I still steer clear?
>
>Certainly I would tend to lean towards something like IPSec which gives you
>a much more "industry standard" method of implementing a dialup VPN. It's
>also nice in that you can choose your level of encryption / authentication
>on a sliding scale with speed to suit your needs. You can get several cheap
>/ free IPSec clients that install onto your mobile users laptops.
>
>In terms of the authentication, your Cisco box will be able to authenticate
>dialup users against a TACACS+ server and I think offhand it can deal with
>RADIUS as well. If you want a one-time password type system that doesn't use
>SecureID etc, there is a cool thing called S/Key which is software only, and
>public domain. The ins and outs are a little involved for such a short post,
>but there is plenty of info out there.
>
>Q: Does anyone know of a solution that will allow me to use S/Key as the
>auth mechanism, but still have my Cisco box authenticate the dialup users? I
>presume that I would need a RADIUS or TACACS+ box that supported S/Key, but
>the only way I have found so far is to roll-my-own solution. Sadly, these
>tend to raise customer eyebrows in my neck of the woods - commercial
>solutions are all the go.
>
>This won't apply for those users that are coming in via the Internet, but
>you can use a Certificate Authority as part of your client IPSec setup -
>this means that a h4x0r would need to guess a user's password (hopefully
>hard) and forge their X.509 certificate (definitely hard). Sadly, they could
>substitute stealing the laptop for the second step, and hope to hack the
>system before you revoke that certificate.
>
>Read about IPSec. Personally, I think it rocks.
>
>Cheers!
>
>--
>Ben Nagy
>Network Consultant, CPM&S Group of Companies
>Direct: +61 8 8422 8319 Mobile: +61 414 411 520
>
>
>
> -----Original Message-----
>From: Rajeev Kumar [mailto:[EMAIL PROTECTED]]
>Sent: Wednesday, June 09, 1999 12:53 AM
>Cc: [EMAIL PROTECTED]
>Subject: VPN/PPTP and Dial-up
>
>This is very general question:
> Our organization currently has a dial-up server (using a Cisco dial-up
>router). But soon we are planning for some kind of VPN access such that
>people working from home and remote offices can dial in through their
>ISPs directly. Considering the cost benefit, a service like PPTP can be a
>viable option. Can somebody throw light on this technology?
>The goal here is:
>
>[1]Provide low cost dial-up solution for on the road/remote users. What
>are the possible solutions here?
>
>[2]Should be secure enough both encryption-wise and authentication-wise.
>We want authentication more than just NT Domain/NIS login/passwd. I
>have heard about Secure Key IDs, any ideas on these (will prefer low
>cost again)? Freeware/shareware more than welcome.
>
>
>Other points for our considerations:
>
>->Does Cisco provide a PPTP implementation yet, and if yes, how good is
>it? Is the idea of routing/packet-filtering and
>PPTP service on one box good at all?
>->Is the Linux implementation of PPTP good enough?
>->Pros and cons of the Microsoft PPTP server. Can this be considered secure
>enough if we just open PPTP-related ports to it and block other
>access?
>->Where should we put this PPTP server: in front of or behind the
>firewall/packet-filtering box?
>
>Any response will be greatly appreciated. I will summarize finally.
>
>Thanks,
>
>Rajeev([EMAIL PROTECTED])
>Fluent Inc.
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>
Eric Vyncke
Consulting Engineer Cisco Systems EMEA
Phone: +32-2-778.4677 Fax: +32-2-778.4300
E-mail: [EMAIL PROTECTED] Mobile: +32-75-312.458
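An added illustration of two points made in the thread above (Eric's description of PPTP as an extended GRE data channel plus a TCP control session, and his remark that a firewall "can do nothing on the encapsulated data" unless the tunnel is terminated before it). This is example code written for this page, not code from any of the posters or from any vendor product. It constructs a PPTP data packet according to the enhanced GRE header of RFC 2637 (K and S flags, version 1, protocol type 0x880B), shows what a packet filter placed in front of the tunnel endpoint can classify (only the outer GRE/TCP 1723/UDP 1701 flows), and then decapsulates the packet to reveal the inner flow that a firewall sees only when the tunnel terminates before it. Assumptions: the PPP frame uses address/control field compression so it starts at the 2-byte protocol field, IP checksums are left at zero, and all addresses, ports, call IDs and sequence numbers are constructed sample values in documentation ranges.

```python
import struct
import ipaddress

# Port and protocol numbers from RFC 2637 (PPTP), RFC 2661 (L2TP) and RFC 2341 (L2F).
PPTP_CONTROL_PORT = 1723   # PPTP control connection runs over TCP
L2TP_PORT = 1701           # L2TP and L2F both run over UDP 1701
IPPROTO_TCP, IPPROTO_UDP, IPPROTO_GRE = 6, 17, 47
GRE_PROTO_PPP = 0x880B     # protocol type for PPP in the enhanced GRE header
PPP_PROTO_IP = 0x0021      # PPP protocol number for IPv4
GRE_FLAG_K, GRE_FLAG_S, GRE_FLAG_A = 0x2000, 0x1000, 0x0080


def build_ipv4(proto, src, dst, payload):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload.
    Constructed test traffic only; nothing here is captured from a real tunnel."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def parse_ipv4(buf):
    """Return (proto, src, dst, payload) of an IPv4 packet."""
    ver_ihl, _, total_len, _, _, _, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", buf[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    return proto, str(ipaddress.IPv4Address(src)), str(ipaddress.IPv4Address(dst)), buf[ihl:total_len]


def build_pptp_data(call_id, seq, ppp_frame):
    """Enhanced GRE header per RFC 2637: K and S set, version 1, protocol 0x880B,
    followed by payload length, call ID and sequence number."""
    flags = GRE_FLAG_K | GRE_FLAG_S | 0x0001
    return struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp_frame), call_id, seq) + ppp_frame


def classify_outer(buf):
    """What a packet filter sitting in front of the tunnel endpoint can tell."""
    proto, src, dst, payload = parse_ipv4(buf)
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if PPTP_CONTROL_PORT in (sport, dport):
            return "pptp-control"
    elif proto == IPPROTO_UDP:
        sport, dport = struct.unpack("!HH", payload[:4])
        if L2TP_PORT in (sport, dport):
            return "l2tp-or-l2f"
    elif proto == IPPROTO_GRE:
        flags, ptype = struct.unpack("!HH", payload[:4])
        if ptype == GRE_PROTO_PPP and (flags & 0x0007) == 1 and flags & GRE_FLAG_K:
            return "pptp-data"
        return "gre-other"
    return "other"


def decapsulate_pptp(buf):
    """Strip outer IPv4 + enhanced GRE; return (call_id, seq, inner IPv4 packet).
    Assumes PPP address/control field compression (frame starts with the protocol field)."""
    proto, _, _, gre = parse_ipv4(buf)
    if proto != IPPROTO_GRE:
        raise ValueError("not GRE")
    flags, ptype, payload_len, call_id = struct.unpack("!HHHH", gre[:8])
    if ptype != GRE_PROTO_PPP or (flags & 0x0007) != 1:
        raise ValueError("not PPTP enhanced GRE")
    off, seq = 8, None
    if flags & GRE_FLAG_S:
        seq = struct.unpack("!I", gre[off:off + 4])[0]
        off += 4
    if flags & GRE_FLAG_A:
        off += 4   # acknowledgment number present; not needed here
    ppp = gre[off:off + payload_len]
    if struct.unpack("!H", ppp[:2])[0] != PPP_PROTO_IP:
        raise ValueError("inner PPP frame is not IPv4")
    return call_id, seq, ppp[2:]


def inner_flow(buf):
    """The inner 5-tuple, visible to a firewall only if the tunnel terminates before it."""
    _, _, inner = decapsulate_pptp(buf)
    proto, src, dst, l4 = parse_ipv4(inner)
    sport, dport = struct.unpack("!HH", l4[:4])
    return proto, src, dst, sport, dport


# Constructed sample: a remote user (198.51.100.7) tunnels a telnet SYN to an internal
# host (10.0.0.5) through PPTP call 0x0A01 on gateway 203.0.113.1. Documentation ranges only.
INNER_TCP = struct.pack("!HHIIBBHHH", 40000, 23, 1, 0, 0x50, 0x02, 8192, 0, 0)
INNER_IP = build_ipv4(IPPROTO_TCP, "192.168.100.10", "10.0.0.5", INNER_TCP)
PPTP_PACKET = build_ipv4(IPPROTO_GRE, "198.51.100.7", "203.0.113.1",
                         build_pptp_data(0x0A01, 1, struct.pack("!H", PPP_PROTO_IP) + INNER_IP))
CONTROL_PACKET = build_ipv4(IPPROTO_TCP, "198.51.100.7", "203.0.113.1",
                            struct.pack("!HH", 40001, PPTP_CONTROL_PORT) + b"\x00" * 16)

if __name__ == "__main__":
    print(classify_outer(CONTROL_PACKET), classify_outer(PPTP_PACKET))
    print("inner flow after decapsulation:", inner_flow(PPTP_PACKET))
```

The point of the two views: a filter in front of the tunnel endpoint can only allow or deny "GRE from 198.51.100.7" and "TCP/1723 to 203.0.113.1"; it cannot see that the user is opening telnet to 10.0.0.5. Only after decapsulation (the tunnel terminating before the firewall, as Eric prefers) does the inner flow become something a firewall rule can act on.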