Well, here are a couple of suggestions for something that I feel is better.
Aventail and Info Express both make VPN clients that run over SSL. They are
not IPSEC, but SSL will run through most firewalls TODAY. I believe both of
them have clients and servers that run on Solaris, NT, even Linux. The
advantage of SSL over IPSEC (right now) is that it will go through most
firewalls with a minimum of difficulty, as opposed to IPSEC and PPTP which
often (but not always) choke on things like NAT.
Disclaimer: I do not own stock in either company, unless it's through my
mutual funds. If you think I represent KPMG in any official capacity you
take life much too seriously.
On Monday, December 27, 1999 4:51 PM, Paul Gracy
[SMTP:[EMAIL PROTECTED]] wrote:
> I wasn't being defensive. I was simply pointing out that everybody says 'X
> stinks', but never gives a suggestion for something better. If you think
> PPTP is so bad and the MS guys can't code, then code something yourself and
> put it out for peer review. Maybe an open source equivalent to PPTP (IPSec
> based? PGP based?) is the answer and if people spent their time working on
> that, instead of complaining about pptp, we'd have something usable.
>
> I am also well aware of the 'every defense can be broken, given enough time
> and money' and am also aware that every security solution is a balance of
> cost of security versus cost of intrusion. I'm serious about wanting to
> know specific alternatives to PPTP, their pros, cons, and price tags.
>
> People say IPSec, but until very recently (last 3-6 months), there was
> almost no IPSec software available that was the equivalent in functionality
> to PPTP. I found a PGP VPN software at NAI.com today and am going to test
> that and am trying to get a cisco vpn client for testing with their pix, and
> maybe that's the solution. We'll see. Anybody have any other specific
> suggestions?
>
> -----Original Message-----
> From: Bob Dolliver [mailto:[EMAIL PROTECTED]]
> Sent: Monday, December 27, 1999 2:37 PM
> To: '[EMAIL PROTECTED]'; [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: MS PPTP (Safe?) - alternative?
>
>
>
> Microsoft has improved the security of the PPTP protocol to correct some of
> the major weaknesses in the previous MSCHAP version 1, precisely because
> other network professionals pointed out weaknesses in the protocol after a
> professional peer review. However the encryption strength of the MS-PPTP
> still wholly relies on the password chosen by the users. As we all know,
> password based encryption schemes are open to dictionary and distributed
> resource attacks. The point is not to bitch about anything, it is simply
> pointing out that anyone interested in designing a secure VPN may have much
> better choices than the MS PPTP protocol. L2TP with IPSec in transport mode,
> for example, if a VPN must support legacy networks; if the house is IP then
> IPSec is the most logical choice. Professionals need to have this distrust
> of their own work as well as the work of others, to participate in an
> objective peer review system, no need to get defensive. As others have
> pointed out already, the details of the deficiencies of the MS-PPTP protocol
> can be found at www.counterpane.com
>
> Regards
>
> Robert Dolliver
> Educational Services
> Nortel Networks
> 1 Federal St.
> Billerica Ma
>
> PGP users my key server is located at: pgpkeys.mit.edu
> my key hash is: 71DD 037B AE30 C046 9D3B 795B D9CB 248D 44F0 1895
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [SMTP:[EMAIL PROTECTED]]
> Sent: Monday, December 27, 1999 12:22 PM
> To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
> Subject: RE: MS PPTP (Safe?) - alternative?
>
> This should instigate an interesting discussion. As I too am in a Microsoft
> shop, I would also be interested in some constructive answers to Paul's
> questions.
>
> > ----------
> > From: Paul Gracy[SMTP:[EMAIL PROTECTED]]
> > Sent: Monday, December 27, 1999 8:01 AM
> > To: [EMAIL PROTECTED]
> > Subject: RE: MS PPTP (Safe?) - alternative?
> >
> > Since I'm an engineer and just want to get some done from home...
> >
> > Ok. So a bunch of people dislike PPTP (version 1 and 2). But nobody has
> > offered a constructive comment. So kindly do so, or quit your bitchin'.
> >
> > Constructive comments are defined in my world as 1 of these 3 things:
> > 1) Do this and pptp is as safe as it gets. Your level of risk is X.
> > Knowing this, use or don't, as you choose.
> > 2) Use protocol / software XYZ as a replacement for PPTP; it only costs
> > x$.
> > 3) "I've written a replacement; source and binaries are available at
> > www.____.___/pptp_replacement.html. Please perform peer review and let me
> > know if you find any bugs."
> >
> > I'm waiting.......
> >
> > -----Original Message-----
> > From: Brian Steele [mailto:[EMAIL PROTECTED]]
> > Sent: Tuesday, December 14, 1999 11:34 AM
> > To: [EMAIL PROTECTED]
> > Subject: Re: MS PPTP (Safe?)
> >
> >
> > ...and you can do this without being first authenticated by the NT server
> > providing the VPN service?
> >
> > Brian Steele
> >
> >
> > ----- Original Message -----
> > From: <[EMAIL PROTECTED]>
> > To: "Jimi Aleshin" <[EMAIL PROTECTED]>
> > Cc: "J. T. B." <[EMAIL PROTECTED]>; <[EMAIL PROTECTED]>
> > Sent: Tuesday, December 14, 1999 9:44 AM
> > Subject: Re: MS PPTP (Safe?)
> >
> >
> > >
> > > One thing to remember, protocol 47 is GRE (Generic Route Encapsulation).
> > > Remember the days of disabling
> > > Source Route Forwarding at the TCP Layer ????
> > > GRE is in its basic form, the very same thing at the IP layer.
> > >
> > > What does this mean ????
> > >
> > > Well, I could send a GRE packet that contains another protocol in its
> > > payload.
> > > This could be, for example, NETBIOS.
> > > I could then use a GRE stream to browse your Windows NT domain.
> > >
> > > Please review RFC 1702 paying strong attention to the section on IP
> > > Source Route
> > >
> > > http://www.ietf.org/rfc/rfc1702.txt
> > >
> > > After you read the RFC, you may want to consider the risks associated
> > > with it.
> > >
> > > "Jimi Aleshin" <[EMAIL PROTECTED]> on 12/13/99 05:45:38 PM
> > >
> > > Please respond to "Jimi Aleshin" <[EMAIL PROTECTED]>
> > >
> > > To: "J. T. B." <[EMAIL PROTECTED]>, [EMAIL PROTECTED]
> > > cc: (bcc: Jerry Kendall/Inc/Celestica)
> > >
> > > Subject: Re: MS PPTP (Safe?)
> > >
> > > It is an implementation of PPP over TCP. This means that a user must
> > > already have an Internet connection. The technology creates a second
> > > virtual PPP network adapter. By using the native PPP authentication and
> > > encryption services, the technology is easily implemented using existing
> > > technology. Originally developed by Microsoft, U.S. Robotics (now 3Com),
> > > Ascend, and other remote access companies.
> > > In 1998, a severe flaw was found in PPTP's authentication scheme. This
> > > was fixed in MS-CHAP V2 of Microsoft's implementation.
> > > When setting up a PPTP server, you must enable port 1723 and protocol 47
> > > through the firewall.
> > > So try it out.
> > >
> > > /Jimi Aleshin
> > > Mail: [EMAIL PROTECTED]
> > > ICQ: 26180172
> > >
> > > ----- Original Message -----
> > > From: J. T. B.
> > > To: [EMAIL PROTECTED]
> > > Sent: Monday, December 13, 1999 01:09 PM
> > > Subject: MS PPTP (Safe?)
> > >
> > > I'm looking at building a secure VPN and was wondering if Microsoft's
> > > PPTP was any good? I had heard some very bad things about it. Have they
> > > cleaned it up, or should I look elsewhere?
> > >
> > > Thanks!
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
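The thread above turns on two firewall facts: a PPTP server needs TCP port 1723 (control) and IP protocol 47 (GRE data) opened, and a bare "allow protocol 47" rule admits any GRE payload, including the source-routed or non-PPP frames the RFC 1702 reply warns about. As an added example that is not part of the thread, the following Python classifier parses the IPv4 and GRE headers (field layout per RFC 1701/1702 and the RFC 2637 enhanced GRE that PPTP uses) and labels each packet so a policy can tell genuine PPTP control and data traffic from other GRE. The packets, addresses, call ID and label names are constructed for this example.

```python
"""Added example: label IPv4 packets against a PPTP firewall policy and flag GRE
packets that are not the PPP-in-GRE stream PPTP uses (RFC 1701/1702, RFC 2637)."""
import struct
from dataclasses import dataclass
from typing import Optional

IP_PROTO_TCP = 6
IP_PROTO_GRE = 47
PPTP_CONTROL_PORT = 1723
GRE_PROTO_PPP = 0x880B  # protocol type PPTP puts in the GRE header (RFC 2637)


@dataclass
class GreHeader:
    version: int
    protocol_type: int
    routing_present: bool
    key: Optional[int]          # RFC 2637: payload length (high 16) and call ID (low 16)
    sequence: Optional[int]
    route_entries: int          # Source Route Entries seen (RFC 1701/1702 routing field)
    header_len: int


def parse_gre(buf: bytes) -> GreHeader:
    """Walk the GRE header; optional fields exist only when their flag bit is set."""
    try:
        flags, proto = struct.unpack_from("!HH", buf, 0)
        c, r = bool(flags & 0x8000), bool(flags & 0x4000)
        k, s = bool(flags & 0x2000), bool(flags & 0x1000)
        a = bool(flags & 0x0080)  # Acknowledgment present: RFC 2637 enhanced GRE only
        version = flags & 0x0007
        off = 4
        if c or r:
            off += 4  # Checksum and Offset fields travel together
        key = seq = None
        if k:
            key = struct.unpack_from("!I", buf, off)[0]
            off += 4
        if s:
            seq = struct.unpack_from("!I", buf, off)[0]
            off += 4
        if a:
            off += 4  # acknowledgment number, not needed for classification
        entries = 0
        if r:
            # Routing field: Source Route Entries until a null SRE (family 0, length 0)
            while True:
                family, _sre_off, sre_len = struct.unpack_from("!HBB", buf, off)
                off += 4
                if family == 0 and sre_len == 0:
                    break
                entries += 1
                off += sre_len
    except struct.error as exc:
        raise ValueError("GRE header truncated") from exc
    if off > len(buf):
        raise ValueError("GRE header truncated")
    return GreHeader(version, proto, r, key, seq, entries, off)


def pptp_call_id(gre: GreHeader) -> Optional[int]:
    """Low 16 bits of the RFC 2637 key field identify the PPTP call."""
    return None if gre.key is None else gre.key & 0xFFFF


def classify_ipv4(pkt: bytes) -> str:
    """Return a label a policy can act on instead of a bare 'allow protocol 47'."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (pkt[0] & 0x0F) * 4
    proto = pkt[9]
    payload = pkt[ihl:]
    if proto == IP_PROTO_TCP:
        if len(payload) < 4:
            return "tcp-truncated"
        sport, dport = struct.unpack_from("!HH", payload, 0)
        return "pptp-control" if PPTP_CONTROL_PORT in (sport, dport) else "tcp-other"
    if proto == IP_PROTO_GRE:
        try:
            gre = parse_gre(payload)
        except ValueError:
            return "gre-malformed"
        if gre.routing_present:
            return "gre-source-routed"    # the RFC 1702 source-route concern from the thread
        if gre.protocol_type != GRE_PROTO_PPP:
            return f"gre-non-ppp:0x{gre.protocol_type:04x}"
        if gre.version == 1 and gre.key is not None:
            return "pptp-data"            # enhanced GRE carrying PPP, as RFC 2637 specifies
        return "gre-ppp-plain"            # PPP in GRE v0: not what a PPTP server emits
    return f"ip-proto-{proto}"


def pptp_rule_allows(pkt: bytes) -> bool:
    """Stricter than 'port 1723 + protocol 47': only PPTP control and PPTP data pass."""
    return classify_ipv4(pkt) in ("pptp-control", "pptp-data")


# --- constructed sample packets (documentation addresses, checksums left zero) ---
def _ipv4(proto: int, payload: bytes) -> bytes:
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                       bytes([192, 0, 2, 10]), bytes([198, 51, 100, 1])) + payload


def _tcp(sport: int, dport: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0)


PPP_FRAME = b"\xff\x03\x00\x21" + b"\x00" * 8  # PPP/IP stub, constructed
SAMPLE_CONTROL = _ipv4(IP_PROTO_TCP, _tcp(40001, PPTP_CONTROL_PORT))
SAMPLE_PPTP_DATA = _ipv4(IP_PROTO_GRE, struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP,
                                                   len(PPP_FRAME), 0x002A, 7) + PPP_FRAME)
SAMPLE_SOURCE_ROUTED = _ipv4(IP_PROTO_GRE, struct.pack("!HHHH", 0x4000, 0x0800, 0, 0)
                             + struct.pack("!HBB4s", 0x0800, 0, 4, bytes([192, 0, 2, 1]))
                             + b"\x00\x00\x00\x00" + b"\x45" + b"\x00" * 19)
SAMPLE_GRE_IP = _ipv4(IP_PROTO_GRE, struct.pack("!HH", 0, 0x0800) + b"\x45" + b"\x00" * 19)

if __name__ == "__main__":
    for name, pkt in [("control", SAMPLE_CONTROL), ("pptp data", SAMPLE_PPTP_DATA),
                      ("source-routed GRE", SAMPLE_SOURCE_ROUTED), ("IP-in-GRE", SAMPLE_GRE_IP)]:
        print(f"{name:18s} -> {classify_ipv4(pkt):24s} allowed={pptp_rule_allows(pkt)}")
```

The point of `pptp_rule_allows` is that protocol 47 alone says nothing about what GRE carries; checking version 1, the key field and protocol type 0x880B narrows the rule to the stream a PPTP server actually produces, and anything source-routed or non-PPP gets its own label for logging or drop.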