I think that we're coming from the same page.  Most firewall vendors are 
integrating VPN technology into their firewall products.  I wouldn't run
an NT firewall, but for those that would, you'd be able to get a VPN set
up that not only ran on NT, but that would be _much_ more secure than
PPTP.

* Checkpoint FW-1 runs on NT and has a VPN product for that.
* Gauntlet runs on NT and can run the RedCreek VPN.
* You can buy a VPN appliance where you don't care as much what OS it runs
on:  Nortel makes one, ODS Networks have them, Lucent makes one,
CheckPoint has one, Data Fellows makes one, there's the aforementioned
Cisco VPN appliance, and so on...

There are many more.  A simple web search will turn up *something* if you
look for 'windows nt vpn ipsec'!  Also, the December 1999 issue of
Information Security magazine has about 6 pages of VPN products listed
(pp99-107).

"Free your mind" and you can find a secure alternative to PPTP on NT.  If
you're running MS-PPTP, you're making a conscious choice.  IMHO, you can't
responsibly say "Nobody gave me another viable alternative so I had to run
X even though it isn't secure".  There are many more products out there
that will provide better assurance of security.  You have to *want* to
find them or make the choice to not implement a flawed, risky VPN solution
until a viable solution comes along.  Just don't say you don't have a
choice ;-)

-Jason

On Tue, 28 Dec 1999, D Clyde Williamson wrote:

> Date: Tue, 28 Dec 1999 10:25:49 -0500
> From: D Clyde Williamson <[EMAIL PROTECTED]>
> To: Brian Steele <[EMAIL PROTECTED]>,
>     "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
> Subject: Re: MS PPTP (Safe?) - alternative?
> 
> Brian Steele wrote:
> > 
> > Good post.  I'd like to add that any proposed replacement for PPTP be
> > NT-based - I am certainly not interested in installing another OS on my LAN
> > simply to provide VPN access, thereby substituting one potential security
> > problem for another.
> > 
> > Brian Steele
>  
> 
> This reminds me of an old school janitor I knew. He always said "Duct
> Tape and Angle Iron will fix anything". He meant it as a joke. 
> 
> I fear that many NT "security" people feel the same way. They don't ask
> what the problem is before they pull out the duct tape, angle iron, and
> NT Server disk. This is a VERY BAD THING. 
> 
> A person that purposely limits their options is doing a disservice to
> themselves and the company they work for. This is especially bad when a
> "security" person needs a "security" solution, but only looks at a set
> of tools proven to be insecure. In this example, Microsoft has yet to
> successfully create an encryption algorithm, but we have people locking
> their options to one based in the Microsoft world. 
> 
> I'm not here to start a debate on MS vs. *NIX... the point I'm making is
> that I have yet to see a single OS provide every solution needed. Linux
> is great, I use it quite a bit... but not for everything. BSD is very
> good, I use it... but not for everything, I even use *gulp* closed source
> OSes like Solaris from time to time. 
> 
> Brian, I'm not suggesting that you run to an Open Source solution... or
> a UNIX solution, for any security project. I'm not going to tell you all
> the reasons why NT is a Bad Idea for security. All I'm gonna say is that
> it's never wise to lock out options before you find a solution.
> 
> 
> As for options CISCO IPSEC VPN stuff can be had for $1100.00 or so...
> PGP VPN is also a nice solution, NAI sells the suite for a small fee
> (and you get all their other neat toys). I'm curious to know what
> firewall tools are used at the site since some of those have VPN options
> as well.
> -
> [To unsubscribe, send mail to [EMAIL PROTECTED] with
> "unsubscribe firewalls" in the body of the message.]
> 


AT&T Wireless Services
IT Security
UNIX Security Operations Specialist

