Firewall Wizards mailing list archives
RE: VPN through DSL - On the subject of PPTP
From: Patrick Darden <darden () armc org>
Date: Thu, 14 Mar 2002 08:56:30 -0500 (EST)
In addition, unless it has changed, PPTP uses a 40 bit session key.... Trivial to crack in real time. IPSEC allows use of 3DES at 156 bits (effectively).

--
--Patrick Darden
Internetworking Manager -- 706.475.3312
darden () armc org -- Athens Regional Medical Center

On Wed, 13 Mar 2002, Peter Lukas wrote:
> On Wed, 13 Mar 2002, Behm, Jeffrey L. wrote:
>
> > I am assuming you are using ipsec instead of a severely flawed protocol like PPTP.
> >
> > I hear people say this from time to time, but I have heard no one ever name an exploit that has taken advantage of the PPTP protocol (other than an exploit that takes advantage *before* the data is encrypted, or *after* it is encrypted at the endpoints). Not that I am a Bill Gates fan, in fact, far from it, but what are the severe flaws that have been exploited?
>
> The original Microsoft PPTP attempt left much to be desired, and the second revision was fairly improved. It is by no means "perfect" in the peanut-gallery sense of the word, but has a number of advantages going for it, namely it's native to most every version of Windows and as simple for an end-user to set up as a dialup connection. Of course, it's subject to the same NAT problems as other VPN methods out there.
>
> The original problem was more with Microsoft's interpretation of PPTP and its meager authentication scheme (MSCHAP). Dig the counterpane cryptanalysis here: http://www.counterpane.com/pptp.html
>
> The second attempt (MSCHAPv2) addressed the original concerns, but is still subject to similar security weaknesses as in most other plain vanilla passworded VPN mechanisms out there.
>
> When comparing PPTP to ipsec, they both do similar things. PPTP isn't best used at a gateway and much better for deployment across multiple end-users. Using a car analogy, it's like choosing to carpool with a Pinto or a Volvo.
>
> Peter
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: VPN through DSL, (continued)
- Re: VPN through DSL Yang Lee (Mar 13)
- RE: VPN through DSL Behm, Jeffrey L. (Mar 13)
- RE: VPN through DSL Peter Lukas (Mar 13)
- RE: VPN through DSL R. DuFresne (Mar 13)
- RE: VPN through DSL Peter Lukas (Mar 13)
- RE: VPN through DSL R. DuFresne (Mar 13)
- Re[2]: VPN through DSL Jason Ostrom (Mar 13)
- RE: VPN through DSL Peter Lukas (Mar 13)
- RE: VPN through DSL Tina Bird (Mar 13)
- RE: VPN through DSL - On the subject of PPTP Peter Lukas (Mar 13)
- RE: VPN through DSL - On the subject of PPTP Patrick Darden (Mar 14)
- RE: VPN through DSL Peter Lukas (Mar 13)
- RE: VPN through DSL Joe Keegan (Mar 13)
- RE: VPN through DSL Frederick M Avolio (Mar 15)