Quite a while. On doing more research just now, I find that a collection
of Microsoft patches and a protocol rewrite have solved most of the
issues. My apologies, I should have done more homework before I posted
some dis-information.
Here's a nice reference:
http://www.schneier.com/pptp.html
For historical interest, here is a summary of the older research that I
read back when PPTP was still severely broken:
http://www.schneier.com/pptp-faq.html
-Patrick
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> And when was the last time you read that?
>
> Watch the security week webcast with Jesper Johannson
> www.microsoft.com/webcasts and he talks about the truth/hype of PPtP.
>
> Patrick Power wrote:
>
>> Actually L2TP is only a tunneling protocol. Is does not include any
>> encryption. L2TP makes a "virtual network" just not a "virtual private
>> network". L2TP is primarily used by Microsoft in conjunction with
>> Point-to-point IPSec, where IPSec provides the encrytpion part of it.
>>
>> PPTP is a complete VPN on it's own. However, the last I read about it,
>> there were some pretty significant flaws in the design of the PPTP
>> protocal (not just bugs in implementation, but actually protocol
>> design flaws I believe) which made PPTP relatively easy to crack.
>> IPSec on the other hand has not has any such flaws yet discovered, and
>> is *widely* considered a very secure solution.
>>
>> -Patrick
>>
>>
>> James D. Stallard wrote:
>>
>>> Hi
>>>
>>> I have recently deployed a VPN Server using Microsoft RRAS. RRS is the
>>> preferred technology because there are few anticipated users and the
>>> software is free :)
>>>
>>> The VPN Server sits behind the corporate firewall and operates fine,
>>> accepting incoming connections reliably.
>>>
>>> I am rather new to the VPN game (I usually design Active Directory
>>> infrastructures) and set up both L2TP and PPTP protocols for convenience
>>> sake while the client pilots the solution. My questions are therefore:
>>>
>>> 1. Which is the better tunnelling protocol in terms of security and
>>> functionality, L2TP or PPTP, and why?
>>>
>>> 2. Is the community aware of any exploits that could be levelled
>>> against the
>>> firewall with the following ports opened to support VPNs?
>>>
>>> L2TP requires: Protocol 50, UDP 4500, UDP 500
>>> PPTP requires: Protocol 47, TCP 1723
>>>
>>> 3. Anything else I should know?
>>>
>>> All advice is appreciated
>>>
>>> Thanks in advance
>>> Regards
>>>
>>> James D. Stallard
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
---
>>>
>>> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>>>
>>> Protect your network with the comprehensive security solution that
>>> integrates six applications for ease of use and lower TCO.
>>>
>>> Firewall - Virus protection - Spam protection - URL blocking - VPN -
>>> Wireless security.
>>>
>>> Download 30-day evaluation at:
>>> http://www.astaro.com/php/contact/securityfocus.php
>>> ------------------------------------------------------------------------
---
>>>
>>>
>>>
>>
>
--
Patrick Power
Systems Engineer
RegistryPro, Inc.
+1-212-798-9113
ppower (at) registrypro (dot) pro [email concealed]
------------------------------------------------------------------------
---
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
of Microsoft patches and a protocol rewrite have solved most of the
issues. My apologies, I should have done more homework before I posted
some dis-information.
Here's a nice reference:
http://www.schneier.com/pptp.html
For historical interest, here is a summary of the older research that I
read back when PPTP was still severely broken:
http://www.schneier.com/pptp-faq.html
-Patrick
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> And when was the last time you read that?
>
> Watch the security week webcast with Jesper Johannson
> www.microsoft.com/webcasts and he talks about the truth/hype of PPtP.
>
> Patrick Power wrote:
>
>> Actually L2TP is only a tunneling protocol. Is does not include any
>> encryption. L2TP makes a "virtual network" just not a "virtual private
>> network". L2TP is primarily used by Microsoft in conjunction with
>> Point-to-point IPSec, where IPSec provides the encrytpion part of it.
>>
>> PPTP is a complete VPN on it's own. However, the last I read about it,
>> there were some pretty significant flaws in the design of the PPTP
>> protocal (not just bugs in implementation, but actually protocol
>> design flaws I believe) which made PPTP relatively easy to crack.
>> IPSec on the other hand has not has any such flaws yet discovered, and
>> is *widely* considered a very secure solution.
>>
>> -Patrick
>>
>>
>> James D. Stallard wrote:
>>
>>> Hi
>>>
>>> I have recently deployed a VPN Server using Microsoft RRAS. RRS is the
>>> preferred technology because there are few anticipated users and the
>>> software is free :)
>>>
>>> The VPN Server sits behind the corporate firewall and operates fine,
>>> accepting incoming connections reliably.
>>>
>>> I am rather new to the VPN game (I usually design Active Directory
>>> infrastructures) and set up both L2TP and PPTP protocols for convenience
>>> sake while the client pilots the solution. My questions are therefore:
>>>
>>> 1. Which is the better tunnelling protocol in terms of security and
>>> functionality, L2TP or PPTP, and why?
>>>
>>> 2. Is the community aware of any exploits that could be levelled
>>> against the
>>> firewall with the following ports opened to support VPNs?
>>>
>>> L2TP requires: Protocol 50, UDP 4500, UDP 500
>>> PPTP requires: Protocol 47, TCP 1723
>>>
>>> 3. Anything else I should know?
>>>
>>> All advice is appreciated
>>>
>>> Thanks in advance
>>> Regards
>>>
>>> James D. Stallard
>>>
>>>
>>>
>>> ------------------------------------------------------------------------
---
>>>
>>> Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
>>>
>>> Protect your network with the comprehensive security solution that
>>> integrates six applications for ease of use and lower TCO.
>>>
>>> Firewall - Virus protection - Spam protection - URL blocking - VPN -
>>> Wireless security.
>>>
>>> Download 30-day evaluation at:
>>> http://www.astaro.com/php/contact/securityfocus.php
>>> ------------------------------------------------------------------------
---
>>>
>>>
>>>
>>
>
--
Patrick Power
Systems Engineer
RegistryPro, Inc.
+1-212-798-9113
ppower (at) registrypro (dot) pro [email concealed]
------------------------------------------------------------------------
---
Free trial: Astaro Security Linux -- firewall with Spam/Virus Protection
Protect your network with the comprehensive security solution that
integrates six applications for ease of use and lower TCO.
Firewall - Virus protection - Spam protection - URL blocking - VPN
- Wireless security.
Download 30-day evaluation at:
http://www.astaro.com/php/contact/securityfocus.php
------------------------------------------------------------------------
---
[ reply ]