On Tue, 8 May 2001, Eric Johnson wrote:
> Our outside network expert thinks that Microsoft's PPTP is
> extraordinarily insecure.
There are certainly a number of arguments supporting that assertion.
> Yet, he uses VNC extensively to monitor
> systems. I found out today that he has installed it on at least one
> of our computers.
That's not a directly comparable product (remote access vs. remote node is
a fairly lengthy argument, but I think you'll find remote node falling
on the bad side of that equation.)
> I tried VNC a couple of years ago and concluded that it did not
> seem secure enough to use and so I haven't done anything with it
> since then.
It's recommended (by AT&T Research UK) that people running VNC tunnel it
over either SSH or SSL. The initial authentication is challenge/response,
but everything subsequent is just in-the-clear.
> I'm not saying that PPTP is safe, but that the vulnerabilities are
> fairly limited as far as I can tell and that to me, it certainly appears
> safer (and more useful) than VNC.
Safer? While it depends a lot on deployment, I wouldn't go with safer as
a rule of thumb; it's historically been broken and it allows remote node
access to the network, which brings along a great deal of baggage that a
remote display type product doesn't have. Remote node products enable
entire classes of generic attack that remote display products would
generally need a targeted attack to compare to and probably malicious code
executed at both ends. "More useful" generally means "Less secure."
> Does anyone know the relative safety of VNC and PPTP? Or is
> there any way to adequately compare them?
It's an apples and kumquats comparison. Personally I'd allow
strongly authenticated VNC over SSH well before I'd allow PPTP, but I've
never been overly enamoured with either solution. If I had to choose
between non-encrypted VNC and PPTP, I'd pick neither one and go on happily
with life feeling much more secure.
You're kind of trying to pick between "horrible disaster" and "atrocious
disaster" here - while it may be possible to reduce the risk in PPTP to a
manageable level, it's certainly not trivial, and there still seem to be
questions with the latest version of the protocol, let alone the
implementation.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson [EMAIL PROTECTED]
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
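
A check for the tunnelling advice in the reply above, added here as an example and not part of the original message: it reads `ss -ltn` style output and reports VNC listeners (TCP 5900 + display number) bound to anything other than loopback, meaning they can be reached without going through an SSH or SSL tunnel. The sample output and the function names are constructed for illustration.

```python
import ipaddress

# RFB convention: VNC display N listens on TCP port 5900 + N.
VNC_PORTS = range(5900, 6000)

# Constructed sample of `ss -ltn` output (Linux); not taken from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      5      127.0.0.1:5901      0.0.0.0:*
LISTEN 0      5      0.0.0.0:5902        0.0.0.0:*
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      5      [::1]:5903          [::]:*
LISTEN 0      5      [::]:5904           [::]:*
LISTEN 0      5      192.0.2.10:5900     0.0.0.0:*
"""

def split_addr_port(field):
    """Split 'addr:port' or '[v6addr]:port' into (addr, port)."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)

def is_loopback(addr):
    """True only for 127.0.0.0/8 and ::1; wildcards and LAN addresses are not."""
    try:
        return ipaddress.ip_address(addr.split("%")[0]).is_loopback
    except ValueError:  # e.g. '*' wildcard
        return False

def exposed_vnc_listeners(ss_output):
    """Return (address, port, display) for VNC listeners not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, port = split_addr_port(cols[3])
        if port in VNC_PORTS and not is_loopback(addr):
            findings.append((addr, port, port - 5900))
    return findings

if __name__ == "__main__":
    for addr, port, display in exposed_vnc_listeners(SAMPLE_SS_OUTPUT):
        print(f"VNC display :{display} listens on {addr}:{port}; "
              "bind it to loopback and reach it through the tunnel")
```

A listener that passes this check is reachable only from the host itself, so a remote viewer has to come in through a forwarded port such as `ssh -L 5901:127.0.0.1:5901 user@host`.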