Hi Brian, just a thought:
If you do go ahead and implement PPTP, there are alternatives to static
passwords that might overcome some of the documented holes/exploits
regarding the authentication procedure. Things like one-time passwords,
challenge-response tokens and time-synchronous tokens (i.e. SecurID, S/KEY,
etc.) go a long way in securing not just PPTP, but other password-dependent
systems.
There is tremendous value in not having to touch the client desktop and
using what is already there (PPTP via DUN), but to properly secure it, some
administration setup will have to be done on the server-end, since NT RAS
lacks the ability to incorporate the aforementioned strong-authentication
mechanisms (i.e. a Nortel Contivity box).
--
Gene Lee
[EMAIL PROTECTED]
[EMAIL PROTECTED]
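A simplified hash-chain one-time-password scheme of the S/KEY kind named above, as an added example that is not part of this thread or of any product mentioned in it. It uses SHA-256 rather than S/KEY's MD4 folded to 64 bits, so it illustrates the mechanism rather than implementing S/KEY; the seed value is constructed for the demo. The point it shows: the server keeps only the last accepted value, so a password captured off the wire cannot be replayed.

```python
import hashlib
import secrets

def _h(data: bytes) -> bytes:
    """One step of the chain (SHA-256 here; real S/KEY folds MD4 to 64 bits)."""
    return hashlib.sha256(data).digest()

def make_chain(seed: bytes, n: int) -> list:
    """Return [x0, x1, ..., xn] with x0 = seed and x_{i+1} = H(x_i)."""
    chain = [seed]
    for _ in range(n):
        chain.append(_h(chain[-1]))
    return chain

class OtpClient:
    """Holds the full chain and hands out x_{n-1}, x_{n-2}, ... in turn."""
    def __init__(self, seed: bytes, n: int):
        self.chain = make_chain(seed, n)
        self.next_index = n - 1
    def next_password(self) -> bytes:
        if self.next_index < 0:
            raise RuntimeError("chain exhausted; re-enroll with a new seed")
        pw = self.chain[self.next_index]
        self.next_index -= 1
        return pw

class OtpServer:
    """Stores only the last accepted value, never the seed or future passwords."""
    def __init__(self, last_accepted: bytes):
        self.last = last_accepted
    def verify(self, presented: bytes) -> bool:
        # A valid password is the preimage of the value on file. A replayed,
        # stale or skipped-ahead password hashes to something else: rejected.
        if _h(presented) != self.last:
            return False
        self.last = presented  # advance one link down the chain
        return True

def enroll(n: int, seed=None):
    """Enrollment: client keeps the seed, server receives only x_n."""
    seed = seed if seed is not None else secrets.token_bytes(16)
    client = OtpClient(seed, n)
    return client, OtpServer(client.chain[n])

def demo():
    client, server = enroll(n=5, seed=b"constructed-demo-seed")  # constructed
    first = client.next_password()
    return (server.verify(first),                   # genuine login -> True
            server.verify(first),                   # replayed capture -> False
            server.verify(client.next_password()))  # next link -> True
```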
-----Original Message-----
From: Brian Steele <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
Date: Wednesday, December 29, 1999 1:04 AM
Subject: Re: MS PPTP (Safe?) - alternative?
>Quoting myself...
>
>> > My point is, I am not interested in a security solution based on another OS,
>> > if there is an equivalent one available for NT, the OS upon which my LAN is
>> > standardized
>
>However, if there ISN'T an equivalent one available for NT (which isn't the
>case here), then it basically boils down to choosing to either implement a
>system with known security issues that you may or may not be comfortable
>with, or one that may provide a solution but also introduce unknown (to you)
>issues to your network. Which one is worse?
>
>Ok, ok, ok - suppose I want to stick with PPTP to provide remote access to
>my LAN. In the case of PPTP, the "weak point" of the latest version is
>claimed to be the dependence of the encryption on the user's password. Now,
>say for implementation of PPTP as a point of access to my LAN for a few
>"privileged" users, I create special accounts for them to use for this
>access, accounts with randomly-generated nn-character passwords that can't
>be changed by the users? On a Win95/98 client, the password only needs to
>be entered once, after which it's saved by the system in the password
>list (of course, this might be another security issue, but that's a whole
>other story!). To simplify things even further, the user could be provided
>with the password via a method that allows him to copy it and paste into the
>login dialog box (e-mail, secure web site?). This could be a simple answer
>to this particular known weak point, and at the same time I've avoided the
>problems of introducing an unknown system on my LAN or onto the PCs trying
>to access it remotely.
>
>
>Brian Steele
>
>----- Original Message -----
>From: Ron DuFresne <[EMAIL PROTECTED]>
>To: Brian Steele <[EMAIL PROTECTED]>
>Cc: <[EMAIL PROTECTED]>
>Sent: Tuesday, 28 December, 1999 6:18 PM
>Subject: Re: MS PPTP (Safe?) - alternative?
>
>
>>
>> Brian,
>>
>> are you then saying you will implement a faulty setup <pptp> or just not
>> implement at all if it requires you to actually do additional work?
>>
>> Thanks,
>>
>> Ron DuFresne
>
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]