It's a little pricey perhaps, but RedCreek (http://www.redcreek.com) has a
pretty slick solution. 3DES IPSec. Functionality about what you would expect
if you had used PPTP. A lot complicated to get set up because it's hardware
and software and the crypto is really good.

Ric Messier
Network Security Analyst
GTE Internetworking
powered by BBN


> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]]On Behalf Of Paul Gracy
> Sent: Monday, December 27, 1999 4:51 PM
> To: [EMAIL PROTECTED]
> Subject: RE: MS PPTP (Safe?) - alternative?
>
>
> I wasn't being defensive.  I was simply pointing out that everybody says
> 'X stinks', but never gives a suggestion for something better.  If you think
> PPTP is so bad and the MS guys can't code, then code something yourself and
> put it out for peer review.  Maybe an open source equivalent to PPTP (IPSec
> based? PGP based?) is the answer and if people spent their time working on
> that, instead of complaining about PPTP, we'd have something usable.
>
> I am also well aware of the 'every defense can be broken, given enough time
> and money' and am also aware that every security solution is a balance of
> cost of security versus cost of intrusion.  I'm serious about wanting to
> know specific alternatives to PPTP, their pros, cons, and pricetags.
>
> People say IPSec, but until very recently (last 3-6 months), there was
> almost no IPSec software available that was the equivalent in functionality
> to PPTP.  I found a PGP VPN software at NAI.com today and am going to test
> that and am trying to get a Cisco VPN client for testing with their PIX, and
> maybe that's the solution.  We'll see. Anybody have any other specific
> suggestions?
>
> -----Original Message-----
> From: Bob Dolliver [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 27, 1999 2:37 PM
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject: RE: MS PPTP (Safe?) - alternative?
>
>
>
> Microsoft has improved the security of the PPTP protocol to correct some of
> the major weaknesses in the previous MSCHAP version 1, precisely because
> other network professionals pointed out weaknesses in the protocol after a
> professional peer review. However the encryption strength of the MS-PPTP
> still wholly relies on the password chosen by the users. As we all know
> password based encryption schemes are open to dictionary and distributed
> resource attacks. The point is not to bitch about anything, it is simply
> pointing out that anyone interested in designing a secure VPN may have much
> better choices than the MS PPTP protocol. L2TP with IPSec in transport mode
> for example - if a VPN must support legacy networks, if the house is IP then
> IPSec is the most logical choice. Professionals need to have this distrust
> of their own work as well as the work of others, to participate in an
> objective peer review system, no need to get defensive. As others have
> pointed out already, the details of the deficiencies of the MS-PPTP protocol
> can be found at www.counterpane.com
>
> Regards
>
> Robert Dolliver
> Educational Services
> Nortel Networks
> 1 Federal St.
> Billerica Ma
>
> PGP users my key server is located at:
> pgpkeys.mit.edu
> my key hash is:
> 71DD 037B AE30 C046 9D3B  795B D9CB 248D 44F0 1895
>
>       -----Original Message-----
> From:   [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent:   Monday, December 27, 1999 12:22 PM
> To:     [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject:        RE: MS PPTP (Safe?) - alternative?
>
> This should instigate an interesting discussion.  As I too am in a Microsoft
> shop, I would also be interested in some constructive answers to Paul's
> questions.
>
>       > ----------
> > From:         Paul Gracy[SMTP:[EMAIL PROTECTED]]
> > Sent:         Monday, December 27, 1999 8:01 AM
> > To:   [EMAIL PROTECTED]
> > Subject:      RE: MS PPTP (Safe?) - alternative?
> >
> > Since I'm an engineer and just want to get some done from home...
> >
> > Ok.  So a bunch of people dislike PPTP (version 1 and 2).  But nobody has
> > offered a constructive comment.  So kindly do so, or quit your bitchin'.
> >
> > Constructive comments are defined in my world as 1 of these 3 things:
> > 1) Do this and pptp is as safe as it gets.  Your level of risk is X.
> > Knowing this, use or don't, as you choose.
> > 2) Use protocol / software XYZ as a replacement for PPTP; it only costs
> > x$.
> > 3) "I've written a replacement; source and binaries are available at
> > www.____.___/pptp_replacement.html.  Please perform peer review and let me
> > know if you find any bugs."
> >
> > I'm waiting.......
> >
> > -----Original Message-----
> > From: Brian Steele [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 14, 1999 11:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: MS PPTP (Safe?)
> >
> >
> > ...and you can do this without being first authenticated by the NT server
> > providing the VPN service?
> >
> > Brian Steele
> >
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: "Jimi Aleshin" <[EMAIL PROTECTED]>
> > Cc: "J. T. B." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 14, 1999 9:44 AM
> > Subject: Re: MS PPTP (Safe?)
> >
> >
> > >
> > > One thing to remember, protocol 47 is GRE (Generic Route Encapsulation).
> > > Remember the days of disabling
> > > Source Route Forwarding at the TCP Layer ????
> > > GRE is, in its basic form, the very same thing at the IP layer.
> > >
> > > What does this mean ????
> > >
> > > Well, I could send a GRE packet that contains another protocol in its
> > > payload.
> > > This could be, for example, NETBIOS.
> > > I could then use a GRE stream to browse your Windows NT domain.
> > >
> > > Please review RFC 1702 paying strong attention to the section on IP
> > > Source Route
> > >
> > > http://www.ietf.org/rfc/rfc1702.txt
> > >
> > > After you read the RFC, you may want to consider the risks associated
> > > with it.
> > >
> > > "Jimi Aleshin" <[EMAIL PROTECTED]> on 12/13/99 05:45:38 PM
> > >
> > > Please respond to "Jimi Aleshin" <[EMAIL PROTECTED]>
> > >
> > > To:   "J. T. B." <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > > cc:    (bcc: Jerry Kendall/Inc/Celestica)
> > >
> > > Subject:  Re: MS PPTP (Safe?)
> > >
> > >
> > >
> > >
> > > It is an implementation of PPP over TCP. This means that a user must
> > > already have an Internet connection. The technology creates a second
> > > virtual PPP network adapter. By using the native PPP authentication and
> > > encryption services, the technology is easily implemented using existing
> > > technology.
> > > Originally developed by Microsoft, U.S. Robotics (now 3Com), Ascend, and
> > > other remote access companies.
> > > In 1998, a severe flaw was found in PPTP's authentication scheme. This
> > > was fixed in MS-CHAP V2 of Microsoft's implementation.
> > > When setting up a PPTP server, you must enable port 1723 and protocol 47
> > > through the firewall.
> > > So try it out.
> > >
> > >  /Jimi Aleshin
> > >  Mail: [EMAIL PROTECTED]
> > >  ICQ: 26180172
> > >
> > > ----- Original Message -----
> > > From: J. T. B.
> > > To: [EMAIL PROTECTED]
> > > Sent: Monday, December 13, 1999 01:09 PM
> > > Subject: MS PPTP (Safe?)
> > >
> > >
> > >
> > > I'm looking at building a secure VPN and was wondering if Microsoft's
> > > PPTP was any good?  I had heard some very bad things about it.  Have they
> > > cleaned it up, or should I look elsewhere?
> > >
> > > Thanks!
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
>
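
The GRE point raised in the quoted thread (opening protocol 47 for PPTP also opens a path for other GRE payloads), shown from the filtering side as an added example that is not part of any poster's message: accept only the enhanced GRE header PPTP uses (version 1, protocol type 0x880B, per RFC 2637) and drop everything else. The function name, verdict strings and sample packets are constructed for illustration.

```python
import struct

# GRE flag/version word layout (first 16 bits of the header), big-endian.
C, R, K, S, STRICT, RECUR, A, VER = (0x8000, 0x4000, 0x2000, 0x1000,
                                     0x0800, 0x0700, 0x0080, 0x0007)
PPP_PROTO = 0x880B  # protocol type of PPTP's enhanced GRE header (RFC 2637)


def classify_gre(gre: bytes) -> dict:
    """Decide whether the bytes after an IP header with protocol 47 are PPTP data."""
    if len(gre) < 4:
        return {"verdict": "drop", "reason": "truncated GRE header"}
    flags, proto = struct.unpack("!HH", gre[:4])
    info = {"version": flags & VER, "proto": proto}
    # Anything that is not version 1 carrying PPP is some other tunnelled protocol.
    if info["version"] != 1 or proto != PPP_PROTO:
        return {**info, "verdict": "drop", "reason": "not PPTP-encapsulated PPP"}
    # PPTP requires the key field and forbids checksum, routing,
    # strict source route and recursion.
    if not flags & K or flags & (C | R | STRICT | RECUR):
        return {**info, "verdict": "drop", "reason": "flags invalid for PPTP"}
    hdr_len = 8 + (4 if flags & S else 0) + (4 if flags & A else 0)
    if len(gre) < hdr_len:
        return {**info, "verdict": "drop", "reason": "truncated PPTP GRE header"}
    payload_len, call_id = struct.unpack("!HH", gre[4:8])
    if payload_len > len(gre) - hdr_len:
        return {**info, "verdict": "drop", "reason": "payload length exceeds packet"}
    return {**info, "verdict": "accept", "call_id": call_id}


# Constructed sample packets (GRE header onward; not captured traffic).
PPTP_DATA = struct.pack("!HHHHI", K | S | 1, PPP_PROTO, 4, 23, 1) + b"\xff\x03\x00\x21"
GRE_IPV4 = struct.pack("!HH", 0, 0x0800) + b"\x45" + bytes(19)     # GRE v0 carrying IP
GRE_ROUTED = struct.pack("!HH", K | R | 1, PPP_PROTO) + bytes(12)  # routing bit set
SAMPLES = {"pptp": PPTP_DATA, "gre-ipv4": GRE_IPV4,
           "gre-routed": GRE_ROUTED, "short": b"\x30"}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, classify_gre(pkt))
```

A stateful filter would additionally tie the returned call ID to a call negotiated on the TCP 1723 control connection.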
