Firewall Wizards mailing list archives

RE: PPTP risks?


From: Ben Nagy <bnagy () cpms com au>
Date: Mon, 7 Feb 2000 09:52:50 +1030

[Skip to the bottom for the Reader's Digest version]

Well...um.

Go read Schneier and l0pht on PPTP - AFAIK it's the best (only) independent
cryptographic review of PPTPv2.

You can get there from www.l0pht.com

To summarise, from memory, there are some major problems. The paper goes a
little overboard into black-helicopter territory, but the actual
cryptanalysis is real and checkable. If you don't want to dig up the paper
and are happy to trust my dodgy memory, the major problems are:

MS-CHAPv2 sucks a bit - a patient attacker with the ability to sniff your
link can feasibly break it. This means that they can easily recover your
MPPE keys (the keys that are actually used to encrypt your data).

The MPPE keys are based on user passwords. This reduces the "entropy"
(randomness) of the keys. I guess. It looks to me like this depends on if you
trust SHA to be a cryptographically secure hash. However, it's certainly
going to be vulnerable to a password guessing attack.

The export version (teeny 40 bit keys) is even worse than it looks. A known
plaintext attack makes it about as effective as, say, eakingspay ikelay
isthay.

In other words, PPTP is really no more than obfuscation, if you're dealing
with data that people could be bothered to try and intercept / crack.

The endpoints have been firmed up a fair bit, but there are still potential
attacks against them. If it were me, I would recommend that the PPTP
endpoints live in a DMZ.

I'm not convinced about the risks of allowing GRE into your network. As for
the possibility of someone tunneling data - that's what it's designed for.
;)

[Condensed Version]

PPTP crypto sucks a fair bit. Don't use it if you think that there's a
chance of anyone with a clue caring about your data.

There is probably a slight risk of PPTP introducing security problems, but
I've not seen any attacks against the PPTP endpoints themselves that strong
passwords won't fix. This does NOT mean that such attacks don't exist.

Use a stronger VPN solution if you can afford it and you care.

--
Ben Nagy
Network Consultant, CPM&S Group of Companies
PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
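As an added example, not code from either poster, here is the MS-CHAPv2 key derivation Ben is describing (RFC 3079 section 3.3, with the RFC 3078 export-key "reduce" step) in Python. It shows that the MPPE session keys are a deterministic function of the user's password and the NT-Response that crosses the wire, so the keys can never hold more entropy than the password, and that a "40-bit" key has three of its eight bytes fixed to public constants. A pure-Python MD4 is included because hashlib often lacks it on current OpenSSL builds; the all-zero NT-Response in the test is a constructed placeholder, not a real exchange.

```python
import struct
from hashlib import sha1
def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); newer OpenSSL builds drop it from hashlib."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda x, s: ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    rounds = (  # (mix function, round constant, message word order, shift schedule)
        (F, 0, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, [i % 4 * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, k, order, shifts in rounds:
            for i, w in enumerate(order):
                a, b, c, d = d, rol((a + fn(b, c, d) + X[w] + k) & 0xFFFFFFFF, shifts[i % 4]), b, c
        a, b, c, d = [(x + y) & 0xFFFFFFFF for x, y in zip((a, b, c, d), (aa, bb, cc, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_password_hash(password: str) -> bytes:
    """Windows NT hash: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16-le"))

# Constant strings from RFC 3079 section 3.3 (MS-CHAPv2 MPPE key derivation).
MAGIC1 = b"This is the MPPE Master Key"
MAGIC2 = b"On the client side, this is the send key; on the server side, it is the receive key."
MAGIC3 = b"On the client side, this is the receive key; on the server side, it is the send key."
SHAPAD1, SHAPAD2 = b"\x00" * 40, b"\xF2" * 40

def mppe_session_keys(password: str, nt_response: bytes, bits: int = 128) -> tuple:
    """Client-side MPPE (send, receive) keys from the password and the 24-byte
    MS-CHAPv2 NT-Response, which an eavesdropper sees in clear on the wire."""
    hash_hash = md4(nt_password_hash(password))                    # PasswordHashHash
    master = sha1(hash_hash + nt_response + MAGIC1).digest()[:16]  # MasterKey
    keys = []
    for magic in (MAGIC2, MAGIC3):
        key = bytearray(sha1(master + SHAPAD1 + magic + SHAPAD2).digest()[:16 if bits == 128 else 8])
        # RFC 3078 "reduces" export keys by overwriting leading bytes with fixed
        # constants, so a 40-bit key has 5 secret bytes and a 56-bit key has 7.
        if bits == 40:
            key[0:3] = b"\xD1\x26\x9E"
        elif bits == 56:
            key[0] = 0xD1
        keys.append(bytes(key))
    return keys[0], keys[1]
```

Because nothing in the derivation is secret except the password, a guessed password can be checked offline against a captured exchange, which is exactly why strong passwords are the only lever the protocol leaves you.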

-----Original Message-----
From: Mike Barkett [mailto:mbarkett () digex net]
Sent: Friday, 4 February 2000 11:34 AM
To: O'Dell Mike
Cc: 'owner-firewall-wizards () lists nfr net'
Subject: Re: PPTP risks?


PPTP is a bidirectional protocol, and as such, it requires that you allow
return packets back through the firewall.  This also means you have to
have a static NAT in place for the client machine.

The risks involved in this are all the normal risks involved in allowing
an entire IP type (GRE) through the firewall from the outside...  I
suppose someone could fairly easily engineer a tunneling exploit for this,
but PPTP really poses more :annoyances: than risks.

-MAB

-- 
 ,.........................................
:   Michael A. Barkett
:  Senior Staff Engineer IV, SMC (x6363)
: mbarkett () digex net  
:  301.847.7180       ,....................
:   FW./\/.          : i n t e r m e d i a
'....................'   BUSINESS INTERNET




On Thu, 3 Feb 2000, O'Dell Mike wrote:

OM>Date: Thu, 3 Feb 2000 07:27:57 -0800 
OM>From: O'Dell Mike <modell () iclretail com>
OM>To: "'owner-firewall-wizards () lists nfr net'"
OM>    <owner-firewall-wizards () lists nfr net>
OM>Subject: PPTP risks?
OM>
OM>Can someone explain what sort of risk is involved in allowing PPTP sessions
OM>to be initiated from within our firewall, if any?
OM>
OM>Thanks,
OM>
OM>> Mike 
OM>



