Firewall Wizards mailing list archives

Re: NT WAN


From: "Kevin T. Shivers" <kts () clark net>
Date: Tue, 27 Jul 1999 10:31:37 -0400 (EDT)

On Mon, 26 Jul 1999, Neil Ratzlaff wrote:

> I am looking for some strong reasons to refuse to allow an NT WAN through
> the firewall.
>
> There is a department here that wants to set up a wide area network of
> several NT machines scattered over several states.  All they have said they
> want is to share files and printing.  One of the local hosts would be
> behind the firewall, and they wanted to know how to get through the
> firewall, so I got called in.  I manage the firewall, but I don't do policy
> of any kind.  I assume they would at least use PPTP, but I read recently
> that although M$ improved it, it still is not very secure.

You are 100% correct.  Bruce Schneier and Dr. Mudge wrote a really good
paper that you probably know about, showing how bad PPTP was.  They
recently wrote another paper on the strengths and weaknesses in the new
PPTP extensions to make it more secure (MS-CHAPv2).  The paper can be
found at: http://www.counterpane.com/pptpv2-paper.html .  The conclusion
of the paper states that "Microsoft has improved PPTP to correct the major
security weaknesses described in [their previous paper]. However, the
fundamental weakness of the authentication and encryption protocol is that
it is only as secure as the password chosen by the user." The paper also
goes on to say that IPSec is a much better idea, so you may want to look at
IPSec solutions for NT.  PGPNet VPN stuff may also be something to look
into.  I haven't used it yet, but some of my co-workers have and they
really like it. You can find that somewhere off of NAI's web site.

> Is there some paper somewhere that I can point to that shows why this is a
> bad idea?   Perhaps vulnerabilities that can't be patched?  I appreciate
> any help anyone can provide.

Like I listed above, http://www.counterpane.com/pptpv2-paper.html has the
most up-to-date info on PPTP, but http://www.counterpane.com/pptp.html
also has some good information.  I'd also recommend looking at the
NTBugTraq archives at http://www.ntbugtraq.com/ .

kts

--
Kevin T. Shivers                NT & UNIX Security Consultant
Shivers Consulting               http://www.clark.net/pub/kts
kts () clark net
