SecurityFocus

PPTP versus L2TP and possible attacks Feb 11 2004 07:19PM
James D. Stallard (james leafgrove com) (2 replies)

Re: PPTP versus L2TP and possible attacks Feb 12 2004 07:55PM
Patrick Power (ppower registrypro pro) (2 replies)

Actually L2TP is only a tunneling protocol. Is does not include any
encryption. L2TP makes a "virtual network" just not a "virtual private
network". L2TP is primarily used by Microsoft in conjunction with
Point-to-point IPSec, where IPSec provides the encrytpion part of it.

PPTP is a complete VPN on it's own. However, the last I read about it,
there were some pretty significant flaws in the design of the PPTP
protocal (not just bugs in implementation, but actually protocol design
flaws I believe) which made PPTP relatively easy to crack. IPSec on the
other hand has not has any such flaws yet discovered, and is *widely*
considered a very secure solution.

-Patrick

James D. Stallard wrote:
> Hi
>
> I have recently deployed a VPN Server using Microsoft RRAS. RRS is the
> preferred technology because there are few anticipated users and the
> software is free :)
>
> The VPN Server sits behind the corporate firewall and operates fine,
> accepting incoming connections reliably.
>
> I am rather new to the VPN game (I usually design Active Directory
> infrastructures) and set up both L2TP and PPTP protocols for convenience
> sake while the client pilots the solution. My questions are therefore:
>
> 1. Which is the better tunnelling protocol in terms of security and
> functionality, L2TP or PPTP, and why?
>
> 2. Is the community aware of any exploits that could be levelled against the
> firewall with the following ports opened to support VPNs?
>
> L2TP requires: Protocol 50, UDP 4500, UDP 500
> PPTP requires: Protocol 47, TCP 1723
>
> 3. Anything else I should know?
>
> All advice is appreciated
>
> Thanks in advance
> Regards
>
> James D. Stallard
>
>
>
> ------------------------------------------------------------------------
---
> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>
> Protect your network with the comprehensive security solution that
> integrates six applications for ease of use and lower TCO.
>
> Firewall - Virus protection - Spam protection - URL blocking - VPN
> - Wireless security.
>
> Download 30-day evaluation at:
> http://www.astaro.com/php/contact/securityfocus.php
> ------------------------------------------------------------------------
---
>
>

--
Patrick Power
Systems Engineer
RegistryPro, Inc.
+1-212-798-9113
ppower (at) registrypro (dot) pro [email concealed]

------------------------------------------------------------------------
---
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection

Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.

Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.

Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
------------------------------------------------------------------------
---

[ reply ]

RE: PPTP versus L2TP and possible attacks Feb 13 2004 05:30PM
Zachary Mutrux (zmutrux compumentor org) (1 replies)

RE: PPTP versus L2TP and possible attacks Feb 16 2004 04:17PM
Laura A. Robinson (larobins bellatlantic net)

Re: PPTP versus L2TP and possible attacks Feb 12 2004 09:00PM
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa pacbell net) (2 replies)

RE: PPTP versus L2TP and possible attacks - what next? Feb 14 2004 09:52PM
James D. Stallard (james leafgrove com)

Re: PPTP versus L2TP and possible attacks Feb 12 2004 09:30PM
Patrick Power (ppower registrypro pro) (1 replies)

RE: PPTP versus L2TP and possible attacks Feb 13 2004 11:46PM
Zachary Mutrux (zmutrux compumentor org)

Re: PPTP versus L2TP and possible attacks Feb 12 2004 03:16PM
Chris Gianelloni (wolf31o2 charter net)