PPTP is an extension of PPP (combined with TCP) that encapsulates packets in
a GREv2 tunnel. Because PPTP is nothing more than an add-on to PPP, it
relies on PAP, CHAP, or MS-CHAP to provide the encryption service for your
packets. PPTP can also use MPPE for encryption, but I would not place my
faith in a Microsoft-based encryption algorithm. The last I checked (and
it's been a while), these encryption offerings were based on RC4 and DES at
40 or 128 bits.

The key point to remember about PPTP is that it was designed as a tunneling
protocol (for IPX, NetBIOS, SNA, etc.), not as an encryption service.
Security itself is not native to PPTP. Also note that because PPTP does not
have authentication or integrity built into the protocol, session hijacking
of the TCP connection might be possible. It may also be possible to alter
messages while in transit (using a false control channel by taking advantage
of the fact that the GRE packets used to establish the tunnel are not
encrypted).

There is also the concern regarding PPTP pass-through at the firewall. Since
PPTP uses a GRE tunnel, you need to open up port 47 (the GRE port) in
addition to port 1723 (the PPTP port). You may also need port 5678, but
that may depend on your implementation.

So yes, PPTP is bad for security... If you are going to use PPTP, do so
within a protected network. If you are looking at PPTP for a remote VPN
solution, I'd recommend familiarizing yourself with IPSec and IKE instead.
---------------------------------------------------------------
Bradley H. Bemis Jr.
CISSP, MCSE, MCP+I, CCNA, CCDA, NNCSS, Network +
Information Systems Security Consultant
Lucent Technologies - Worldwide Services
---------------------------------------------------------------
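Added example (not part of the original message or of any product mentioned in it): a small Python classifier a firewall reviewer could run over captured IPv4 packets to see which ones belong to the PPTP pass-through described above. It assumes GRE is matched by IP protocol number 47, as a packet filter sees it, and that PPTP's GRE payload type is 0x880B (PPP); the sample packets and addresses are constructed.

```python
import struct
from collections import Counter

PPTP_CONTROL_PORT = 1723            # TCP control channel named in the message
IPPROTO_TCP, IPPROTO_GRE = 6, 47    # IP protocol numbers (assumption: 47 is matched as a protocol)
GRE_PROTO_PPP = 0x880B              # PPP carried in GRE, the PPTP data channel

def classify(packet: bytes) -> str:
    """Return 'pptp-control', 'pptp-data' or 'other' for one raw IPv4 packet."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "other"
    ihl = (packet[0] & 0x0F) * 4            # IPv4 header length in bytes
    if ihl < 20 or len(packet) < ihl + 4:
        return "other"
    proto, body = packet[9], packet[ihl:]
    if proto == IPPROTO_TCP:
        sport, dport = struct.unpack("!HH", body[:4])
        return "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "other"
    if proto == IPPROTO_GRE:
        _flags, ptype = struct.unpack("!HH", body[:4])
        return "pptp-data" if ptype == GRE_PROTO_PPP else "other"
    return "other"

def summarize(packets) -> Counter:
    """Count packets per class, e.g. to confirm what a rule set really passes."""
    return Counter(classify(p) for p in packets)

def ipv4(proto: int, payload: bytes) -> bytes:
    """Build a constructed 20-byte IPv4 header (checksum left at zero)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, bytes([192, 0, 2, 10]),
                       bytes([198, 51, 100, 20])) + payload

def tcp(sport: int, dport: int) -> bytes:
    """Build a constructed 20-byte TCP SYN header."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0, 0x5002, 8192, 0, 0)

# Constructed sample traffic: PPTP control, PPTP data, ordinary GRE, HTTPS.
SAMPLES = {
    "control": ipv4(IPPROTO_TCP, tcp(49152, 1723)),
    "data": ipv4(IPPROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, 4, 1, 0) + b"\xff\x03"),
    "plain_gre": ipv4(IPPROTO_GRE, struct.pack("!HH", 0x0000, 0x0800) + b"\x45"),
    "https": ipv4(IPPROTO_TCP, tcp(49152, 443)),
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(f"{name:10s} {classify(pkt)}")
    print(dict(summarize(SAMPLES.values())))
```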
-----Original Message-----
From: Meritt James [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, November 13, 2001 9:49 AM
To: Johnson David
Cc: 'Jason Reeves'; [EMAIL PROTECTED]
Subject: Re: Microsoft PPTP bad for security?

Take a look at L0phtcrack.

"Johnson, David" wrote:
>
> I have actually been just given the task of researching the security
> implications of MS PPTP. Can you explain why it is bad or point me to some
> resources on the subject?
>
> Thanks
>
> -----Original Message-----
> From: Jason Reeves [mailto:[EMAIL PROTECTED]]
> Sent: Sunday, November 11, 2001 1:09 AM
> To: [EMAIL PROTECTED]
> Subject: Re: Outlook & FTP Passwords
>
> 3) Use a VPN of some type (but NOT Microsoft PPTP!).
--
James W. Meritt CISSP, CISA
Booz | Allen | Hamilton
phone: (410) 684-6566