Firewall Wizards mailing list archives

RE: VPN through DSL - On the subject of PPTP


From: Peter Lukas <plukas () oss uswest net>
Date: Wed, 13 Mar 2002 16:24:13 -0600 (CST)

On Wed, 13 Mar 2002, Behm, Jeffrey L. wrote:
> > I am assuming you are using ipsec instead of a severely flawed protocol
> > like PPTP.
>
> I hear people say this from time to time, but I have heard no one ever name
> an exploit that has taken advantage of the PPTP protocol (other than an
> exploit that takes advantage *before* the data is encrypted, or *after* it is
> encrypted at the endpoints)
>
> Not that I am a Bill Gates fan, in fact, far from it, but what are the
> severe flaws that have been exploited?

The original Microsoft PPTP attempt left much to be desired, and the
second revision was fairly improved. It is by no means "perfect" in the
peanut-gallery sense of the word, but has a number of advantages going for
it, namely it's native to most every version of Windows and as simple for
an end-user to set up as a dialup connection. Of course, it's subject to
the same NAT problems as other VPN methods out there.

The original problem was more with Microsoft's interpretation of PPTP and
its meager authentication scheme (MSCHAP). Dig the Counterpane
cryptanalysis here:
http://www.counterpane.com/pptp.html

The second attempt (MSCHAPv2) addressed the original concerns, but is
still subject to similar security weaknesses as in most other plain
vanilla passworded VPN mechanisms out there.

When comparing PPTP to ipsec, they both do similar things. PPTP isn't
best used at a gateway and much better for deployment across multiple
end-users. Using a car analogy, it's like choosing to carpool with a Pinto
or a Volvo.

Peter
