Gary Maltzen wrote:
>
> Would a PPTP VPN to accomplish this?
>
> This would require a single pair of holes in the wall,
> one for 1723/tcp to support connection setup
> one for gre protocol to support connection data
It would probably accomplish "something"; the question is:
would it accomplish what we want it to accomplish?
We want users on the move to be able to connect to the
web e-mail interface, and secure that in some fashion.
There are a couple of issues that need to be addressed
here.
1) PPTP security is not as good as SSL security.
See http://www.counterpane.com/pptp.html
2) It's an administrative headache to set up PPTP tunnels
on every roaming machine. SSL is easier to handle AND
more secure.
3) Anything can be tunneled over PPTP. ANYTHING.
If we use SSL, we can be sure that it's https, but
if we want to be able to check PPTP, we'd need TWO
firewalls, one that passes PPTP to the VPN endpoint
server, and one behind that to allow only HTTP.
Yuck.
4) If we want our road warriors to be able to connect
from "any" PC (other people's equipment for instance),
we'd have to teach the lusers how to install PPTP. Let
alone worrying about getting permission to screw up
people's computers.
In short: PPTP is not an alternative here.
(IMHO, PPTP is NEVER an alternative since it's plain broken.
You simply do NOT, EVER, use passwords as encryption keys.
Argh. Screwed up protocol.)
If you want VPN tunnels, go with IPsec. Or if that doesn't
work, you can always do PPP over SSH if you have the equipment
for it (NT machines won't quite cut it here I'm afraid, at least
not without LOTS of third party software and tweaking).
/Mike
--
Mikael Olsson, EnterNet Sweden AB, Box 393, S-891 28 ÖRNSKÖLDSVIK
Phone: +46 (0)660 29 92 00 Direct: +46 (0)660 29 92 05
Mobile: +46 (0)70 66 77 636 Fax: +46 (0)660 122 50
WWW: http://www.enternet.se/ E-mail: [EMAIL PROTECTED]
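The firewall consequence of points 3) and 4) above, as an added example that is not part of the original thread: a toy stateless packet filter models the two designs, showing that the PPTP perimeter rules (1723/tcp plus GRE) admit whatever rides inside the tunnel unless a second filter sits behind the VPN endpoint, while the SSL design only ever admits 443/tcp to the web-mail host. Addresses and the inner port 22 are constructed values, not from the thread.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    dst: str
    proto: str                 # "tcp", "udp", "gre", ...
    dport: Optional[int] = None
    inner: Optional["Packet"] = None   # payload carried inside a GRE tunnel

@dataclass(frozen=True)
class Rule:
    dst: str
    proto: str
    dport: Optional[int] = None     # None = any port (used for GRE, which has none)

def allowed(rules, pkt):
    """Stateless filter: pass if any rule matches the OUTER header only."""
    return any(r.dst == pkt.dst and r.proto == pkt.proto
               and (r.dport is None or r.dport == pkt.dport) for r in rules)

# Constructed (hypothetical) hosts for the example.
VPN_SERVER = "10.0.0.1"
WEBMAIL = "10.0.0.2"

# Design A: the "pair of holes" for PPTP, and the second firewall behind the endpoint.
PERIMETER_PPTP = [Rule(VPN_SERVER, "tcp", 1723), Rule(VPN_SERVER, "gre")]
INNER_HTTP_ONLY = [Rule(WEBMAIL, "tcp", 80)]
# Design B: SSL straight to the web-mail interface, one hole.
PERIMETER_SSL = [Rule(WEBMAIL, "tcp", 443)]

def pptp_path(pkt, inner_rules=None):
    """Perimeter sees only the outer packet; after the VPN endpoint strips GRE,
    the inner packet reaches the LAN, checked only if a second filter exists."""
    if not allowed(PERIMETER_PPTP, pkt):
        return False
    if pkt.proto == "gre" and pkt.inner is not None:
        return inner_rules is None or allowed(inner_rules, pkt.inner)
    return True

def ssl_path(pkt):
    """With HTTPS there is no tunnel to look inside: the perimeter decides alone."""
    return allowed(PERIMETER_SSL, pkt)

if __name__ == "__main__":
    tunneled = Packet(VPN_SERVER, "gre", inner=Packet(WEBMAIL, "tcp", 22))
    print("PPTP, one firewall :", pptp_path(tunneled))                  # True
    print("PPTP, two firewalls:", pptp_path(tunneled, INNER_HTTP_ONLY)) # False
    print("SSL design         :", ssl_path(Packet(WEBMAIL, "tcp", 443)))  # True
```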