Firewall Wizards mailing list archives

Re: PPTP viability (was RE: Gauntlet & NTLM)


From: Jyri Kaljundi <jk () stallion ee>
Date: Wed, 15 Oct 1997 20:50:54 +0300 (EET DST)

On Wed, 15 Oct 1997, Craig Brozefsky wrote:

> May I suggest you check out SafePassage Secure Tunnel from www.c2.net,
> the people who do Stronghold (SSLed Apache).  It runs as a separate
> process and is basically a port forwarder.

The problem with port forwarders like SSH and all the SSLeay-based Windows
clients (SSR, SafePassage and many others) is that they are really
uncomfortable to use - you have to connect to something like
localhost:8193 instead of the easy-to-use www.company.com or
telnetserver.company.com. The bigger problem is that they usually support
only fixed TCP port applications - not UDP, not FTP, not SQL*Net v.2.
These programs are meant to be only a temporary solution until something
better becomes available.

Then of course all the US and Israel firewall vendors have nice
transparent (although proprietary) solutions available, but none of them
are available outside the US (well, there are 40-bit versions, but nobody
uses these anyway).

I hope European vendors will have their transparent encryption VPN
programs available at least at the beginning of next year. This is good
for users, but bad for firewalls, since from that day everyone will have
full, easy-to-use two-direction encryption available to go through the
firewalls. It is not so bad for application layer firewalls (if they are
correctly implemented, don't allow clear TCP communications through
proxies and don't have any null tunnels implemented), but for stateful
inspection firewalls it is something to think about.

Jyri Kaljundi
jk () stallion ee
AS Stallion Ltd
http://www.stallion.ee/
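
An added illustration, not part of the original post, of why a fixed-port forwarder cannot carry FTP: the data port is negotiated inside the control channel, so it falls outside the static mapping and is either blocked or opened outside the encrypted tunnel. The forward table, addresses and transcript are constructed, and the function names are hypothetical.

```python
import re

# Constructed sample: the single static mapping a fixed-port forwarder offers
# (local listener port -> remote host and port). Values are illustrative.
FORWARDS = {8193: ("ftp.company.com", 21)}

# Six comma-separated numbers: h1,h2,h3,h4,p1,p2 as used by PORT and 227.
_HOSTPORT = re.compile(r"(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")


def data_endpoint(line):
    """Return (ip, port) announced by an FTP PORT command or 227 PASV reply,
    or None if the control-channel line negotiates no data connection."""
    stripped = line.strip()
    if not (stripped.upper().startswith("PORT ") or stripped.startswith("227")):
        return None
    m = _HOSTPORT.search(stripped)
    if m is None:
        return None
    nums = [int(g) for g in m.groups()]
    if any(n > 255 for n in nums):
        return None  # malformed octet, ignore rather than guess
    h1, h2, h3, h4, p1, p2 = nums
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def untunnelled(control_lines, forwards=FORWARDS):
    """List data endpoints negotiated on the control channel whose port is
    not in the static forward table, so the forwarder does not carry them."""
    remote_ports = {port for _host, port in forwards.values()}
    missed = []
    for line in control_lines:
        ep = data_endpoint(line)
        if ep is not None and ep[1] not in remote_ports:
            missed.append(ep)
    return missed


# Constructed control-channel transcript as seen through localhost:8193.
SESSION = [
    "220 ftp.company.com ready",
    "USER demo",
    "227 Entering Passive Mode (192,0,2,10,195,80)",
    "PORT 10,0,0,5,4,1",
    "226 Transfer complete",
]

if __name__ == "__main__":
    for ip, port in untunnelled(SESSION):
        print(f"data connection to {ip}:{port} is outside the forwarded port set")
```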




