On Tue, 28 Dec 1999, Brian Steele wrote:
BS} Clyde:
BS}
BS} My point is, I am not interested in a security solution based on another OS,
BS} if there is an equivalent one available for NT, the OS upon which my LAN is
BS} standardized. I am not interested in learning about the ins, outs, security
BS} problems, fixes et al about another OS, and add yet another list of security
BS} worries to my already full platter, simply to provide an access feature that
BS} may already be provided using an OS that I'm comfortable with.
BS}
BS} If there's a more secure replacement for PPTP that works on the NT platform
BS} (or with an NT-based network without requiring me to learn about a whole
BS} new OS), then that's the solution I'm interested in.

At this year's Federal Security Conference, Microsoft announced that it
was dropping support for PPTP. I'm not really sure what this means when
it gets down to practice as Microsoft tends to support old technologies
that it foists upon the world.

I don't see everyone rushing out to purchase a new version of Windows just
to get L2TP which is Microsoft's replacement for PPTP. As Windows 2000
continues to slip, it's a little difficult to determine when L2TP will be
available.

L2TP is interesting from a security perspective as it isolates the system
from its current network and connects it to the target network. Once the
connection is established to the target network, all connectivity is lost
to the local network, i.e. any mapped drives are unreachable as are any
shared devices such as printers. Voila! None of the back channel
problems of IPsec.

Avoids some of the problems that our corporate network group introduced
when they upgraded to Nortel's latest version of their VPN product. I
can't remember the product's name, it was acquired with Bay Networks who
acquired it earlier.

BS} ----- Original Message -----
BS} From: "D Clyde Williamson" <[EMAIL PROTECTED]>
BS} To: "Brian Steele" <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
BS} Sent: Tuesday, December 28, 1999 11:25 AM
BS} Subject: Re: MS PPTP (Safe?) - alternative?
BS}
BS}
BS} > Brian Steele wrote:
BS} > >
BS} > > Good post. I'd like to add that any proposed replacement for PPTP be
BS} > > NT-based - I am certainly not interested in installing another OS on my LAN
BS} > > simply to provide VPN access, thereby substituting one potential security
BS} > > problem for another.
BS} > >
BS} > > Brian Steele
BS} >
BS} >
BS} > This reminds me of an old school janitor I knew. He always said "Duct
BS} > Tape and Angle Iron will fix anything". He meant it as a joke.
BS} >
BS} > I fear that many NT "security" people feel the same way. They don't ask
BS} > what the problem is before they pull out the duct tape, angle iron, and
BS} > NT Server disk. This is a VERY BAD THING.
BS} >
BS} > A person that purposely limits their options, is doing a disservice to
BS} > themselves and the company they work for. This is especially bad when a
BS} > "security" person needs a "security" solution, but only looks at a set
BS} > of tools proven to be insecure. In this example, Microsoft has yet to
BS} > successfully create an encryption algorithm, but we have people locking
BS} > their options to one based in the Microsoft world.
BS}
BS}
BS} -
BS} [To unsubscribe, send mail to [EMAIL PROTECTED] with
BS} "unsubscribe firewalls" in the body of the message.]
BS}
Merton Campbell Crockett
+--------------------------------------------------------------------------+
| Manager, Network Operations & Services | Chief Network/Security Engineer |
| General Dynamics Electronic Systems | Naval Surface Warfare Center |
| Intelligence Systems Organization | Port Hueneme Division |
| Thousand Oaks, CA | Port Hueneme, CA |
+--------------------------------------------------------------------------+