Paul Gracy wrote:
> 
> Someone asked what my communication needs are.  Fair enough.
> 
> I need to be able to map NT drive shares, communicate with an Exchange
> server, communicate with a Microsoft SQL server, communicate with an Oracle
> server, telnet to unix hosts, and browse the intranet web site.  Essentially
> I need to be able to make my NT computer at home think, and act, pretty much
> like it is on the network at work.  Thus, NetBEUI is not required because we
> are an all IP shop, but NetBIOS over TCP/IP probably is.
> 
> I need my traffic (work bits after connecting) and my connection (password
> bits) to be encrypted against prying eyes on the internet.
> 
> Anything else?
> 


What type of budget do you have? How concerned are you with the
security/integrity of the solution? How valuable is your data?

The real issue with any type of security solution is based on the value
you place on your assets. If you place a high value on your assets, do
your best to protect them. Can you really look at your boss and tell him
that PPTP is a "best" solution for your needs? Bruce's paper outlined many
areas where MS-PPTP is very, very broken.

Is it wise to use a security product that is at the very least
"questionable"? If your assets are valuable, is it not much wiser to
find a solution that is more trustworthy? 

You ask about level of risk... no one can answer that for you. You have
to determine how valuable your assets are (data, network resources, time
spent dealing with intrusion, etc.). Once you determine how valuable
your assets are, figure out if MS-PPTP is enough to protect you. If it
is, use it... if it's not then find a real solution, something IPSEC
could be very nice.

When one reviews Microsoft's record in the encryption field (the very
recent discovery of the poor encryption on the SAM, LANMAN Hash, the v.1
of MS-PPTP, etc) it becomes difficult to trust their "crypto experts".
Is PPTP v.2 secure? Is it a good solution? I'll never know, the record
is enough for me to base my decision on. If someone uses bad crypto in
three products I won't use their fourth crypto product.

As for alternatives, the small IPSEC CISCO routers work well. (My CISCO
Rep stopped by and said you could probably get a 1700 series IPSEC
solution for ~$1100 or less....)