Re: PPTP VERY long & strong passwords - Strong enough ?

[Micheal Espinola Jr <michealespinola () gmail com>]

1.  Yes.
2.  Not that I have seen.
3.  Not in an automated fashion, if thats what you are asking. But any
Cert can be exported/imported manually.
4.  Not sure, nor have I heard of that issue before. Are you sure you
have BlackIce configured properly?



On 1 Mar 2005 14:01:09 -0000, bla bla <poizen_ () hotmail com> wrote:
> Hi !
>
> 4 questions:
>
> 1. I use Win2003 PPTP VPN. I've gone through some of past posts & replies regarding PPTP (MS-CHAPv2) and came across 
> this:
>
> "Finally, I want to state this: using long, very random password moves
> the PPTP attacks from the realm of the practical back into the
> theoretical. TO be sure, PPTP is 65,000 times easier to crack because of
> a flaw in the authentication protocol. But if you use 12-character (out
> of 95 "type-able" ASCII characters) randomly-generated passwords, you
> get about 2^79 possible combinations. Even with the 2^16 advantage the
> flaw in PPTP provides, it is still impractical for anyone to break the
> tunnel without tens of millions of dollars in investment. The NSA or
> distributed.net could break it in a few months, but that's about the
> only adversaries you'd need to worry about."
>
> Link: http://www.securityfocus.com/archive/50/330874/2005-02-26/2005-03-04/2
>
> Do you guys agree ?
> Are there any other (then weak\small passwords) exploits I should be aware of ?
> BTW, all vpn accounts set to "never expired" so that any possible "renew password" hack for stealing passwords can 
> ever take place (passwords will be changed manually on a monthly basis-it's only ment for a few users).
> Also disabled this via the rras policy.
>
> 2. Are there any patches\fixes in Win2003 SP1 (ETA 28/3/05) concerning this ? has anybody encountered any problems in 
> the SP1 beta2 ?
>
> 3. Does anybody know of a hack that will allow to map certificates to user account WITHOUT active directory (the 
> server is a stand alone\not in a domain env.) ?
>
> 4. I'm also using ISS Blackice (Host IDS+Firewall, ver 3.6coa) on that server (I know-it's not supported by ISS on 
> Win2003, bla bla bla...). it works great with pptp but intercepts l2tp\ipsec (MS-CHAPv2) login attempts as 
> UDP_SHORT_HEADER and UDP_PROBE_OTHER intrusions (the vpn host is xpsp1). I've tried opening all the relevant ports + 
> configuring the app to ignore these type of intrusions + trusting all communication from the vpn host ip, but to no 
> avail. only stopping the firewall does the trick.
> Any thoughts ?
> Does Blackice has a forum somewhere ?
>
> Thnaks guys !


-- 
ME2

my home: <http://www.santeriasys.net/>
my photos: <http://mespinola.blogspot.com/>