Firewall Wizards mailing list archives
RE: VPN through DSL - On the subject of PPTP
From: "Behm, Jeffrey L." <BehmJL () bvsg com>
Date: Thu, 14 Mar 2002 09:13:36 -0600
Unless I misread somewhere, these are articles and/or examples about how one *could* break in, but back to my original question...
I have heard no one ever name an exploit
(perhaps I should have been more clear... I have seen no one name an actual exploit _outside_ a lab environment)

I'm not into security by obscurity, either, and just because no one has exploited it _yet_ (or at least not to my limited scope of knowledge on exploits), doesn't mean there is not a risk, but I think the protocol is overhyped on the exploitability (is that a word?) in real time in real networks where people are doing real work.

Thanks for listening... My last statements on the subject.
-----Original Message-----
From: Patrick Darden [mailto:darden () armc org]
Sent: Thursday, March 14, 2002 7:57 AM
To: Peter Lukas
Cc: Behm, Jeffrey L.; firewall-wizards () nfr com
Subject: RE: [fw-wiz] VPN through DSL - On the subject of PPTP

In addition, unless it has changed, PPTP uses a 40 bit session key.... Trivial to crack in real time. IPSEC allows use of 3DES at 156 bits (effectively.)

--
--Patrick Darden Internetworking Manager
-- 706.475.3312 darden () armc org
-- Athens Regional Medical Center

On Wed, 13 Mar 2002, Peter Lukas wrote:

> On Wed, 13 Mar 2002, Behm, Jeffrey L. wrote:
>
> > > I am assuming you are using ipsec instead of a severely flawed protocol like PPTP.
> >
> > I hear people say this from time to time, but I have heard no one ever name an exploit that has taken advantage of the PPTP protocol (other than an exploit that takes advantage *before* the data is encrypted, or *after* it is encrypted at the endpoints)
> >
> > Not that I am a Bill Gates fan, in fact, far from it, but what are the severe flaws that have been exploited?
>
> The original Microsoft PPTP attempt left much to be desired, and the second revision was fairly improved. It is by no means "perfect" in the peanut-gallery sense of the word, but has a number of advantages going for it, namely it's native to most every version of Windows and as simple for an end-user to set up as a dialup connection. Of course, it's subject to the same NAT problems as other VPN methods out there.
>
> The original problem was more with Microsoft's interpretation of PPTP and its meager authentication scheme (MSCHAP). Dig the Counterpane cryptanalysis here:
>
> http://www.counterpane.com/pptp.html
>
> The second attempt (MSCHAPv2) addressed the original concerns, but is still subject to similar security weaknesses as in most other plain vanilla passworded VPN mechanisms out there.
>
> When comparing PPTP to ipsec, they both do similar things. PPTP isn't best used at a gateway and much better for deployment across multiple end-users. Using a car analogy, it's like choosing to carpool with a Pinto or a Volvo.
>
> Peter

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://list.nfr.com/mailman/listinfo/firewall-wizards