On Sun, 26 Nov 2000, Kenneth E. Lussier wrote:
> FreeS/WAN's strengths are that it 1) can use large keys 2) can use RSA
> authentication 3) is a stable IPSEC implementation 4) Isn't all that hard
> to set up (*IF* you RTFM a few times ;-) ).
I have heard some rumbling that FreeS/WAN, while very promising, is not
quite ready for prime time, even in security critical areas. Anyone have any
comments on this? I have not played with FreeS/WAN yet, myself, and the
rumbling I have heard was just in public Internet discussion forums, so I
cannot exactly call it reliable. But it was enough to make me wonder.
Also: Anyone have experience connecting a Windows client with a dynamic IP
to a Linux-based FreeS/WAN host? Preferably with Open Source, or at least
free (gratis) or cheap, software?
> There is also PoPToP (http://www.moretonbay.com/vpn or
> http://poptop.lineo.com), which is a pptp implementation for Linux
> (Without the M$ extensions and embracements).
Actually, PoPToP is designed specifically to *include* the MS extensions and
embracements. PPTP is largely a Microsoft protocol, anyway. :-(
> [PoPToP] can use 128-bit rc4 encryption (not all that great, but OK)
Ummm, I believe conventional wisdom says that with modern algorithms, session
encryption keys longer than 100 bits or so are just a waste of resources. In
fact, I just checked, and the FreeS/WAN website makes reference to this.
If, on the other hand, you are talking about *authentication* keys, well,
PPTP does not use PPKs for authentication at all. Which is where its real
weakness is (assuming you have disallowed the brain damage in MSCHAPv1).
Passwords are pathetically weak compared to even 128-bit authentication keys.
> It is a point-to-point connection rather than a tunneled connection (I
> don't *CARE* if they want to call it a tunneling protocol, it *ISN'T*)
Ummm... this is a rather petty semantic argument. I believe the "T" in PPTP
refers to the generic concept of creating a "secure tunnel" over an insecure
network. Just because you are not always going to be running
IP-over-PPP-over-TCP-over-IP does not make that invalid. People talk of
"tunneling" application-level services over SSH all the time in the same way.
> With all of this having been said (twice now), I have one more suggestion.
> Don't use your firewall as a VPN box.
While this is good advice for many, if not most, cases, it is worth making
the point that simply moving the VPN to another box is not a panacea. You
still have to punch a hole through the firewall to the VPN host, and if the
VPN host is compromised through that channel, the game is largely up.
There is a far too common attitude that simply by placing things behind a
firewall, you are secure. That is bogus. Most exploits are made possible by
bugs or mis-configurations in network software. You must want to use at least
*some* of that software, or you would not be using a firewall (you just
wouldn't connect to the Internet in the first place). Such bugs can be
exploited just as well through a firewall.
Which is not to say that this makes Kenny's advice invalid; it doesn't.
Just remember that there are no easy solutions to any security problem.
--
Ben Scott <[EMAIL PROTECTED]>
Net Technologies, Inc. <http://www.ntisys.com>
Voice: (800)905-3049 x18 Fax: (978)499-7839
**********************************************************
To unsubscribe from this list, send mail to
[EMAIL PROTECTED] with the following text in the
*body* (*not* the subject line) of the letter:
unsubscribe gnhlug
**********************************************************
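The point made above about moving the VPN off the firewall, that the hole you punch for it leaves the VPN daemon itself reachable from outside, can be made concrete with a small rule evaluator. This is an added example, not code from the original message or from FreeS/WAN or PoPToP; the addresses, the rule set and the listener inventory are all constructed for illustration (192.0.2.0/24 is a documentation range). The evaluator is a plain first-match packet filter with a default drop, which is how the border filters of the time (ipchains/iptables) behave.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """An inbound packet from the Internet, described by its destination only."""
    dst: str
    proto: str               # "udp", "tcp" or "esp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One filter rule; a None field matches anything."""
    action: str              # "accept" or "drop"
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "drop"


# Constructed addresses (placeholders): the VPN lives on its own box, not on the firewall.
VPN_HOST = "192.0.2.10"
MAIL_HOST = "192.0.2.20"

# Constructed border rule set: the "hole" punched for IPsec plus one for SMTP.
RULES = [
    Rule("accept", dst=VPN_HOST, proto="udp", dport=500),   # IKE key exchange
    Rule("accept", dst=VPN_HOST, proto="esp"),              # IPsec ESP payload
    Rule("accept", dst=MAIL_HOST, proto="tcp", dport=25),   # SMTP
    Rule("drop"),                                           # everything else
]

# Constructed inventory of what is actually listening on the inside hosts.
LISTENERS = [
    Packet(VPN_HOST, "udp", 500),    # IKE daemon
    Packet(VPN_HOST, "esp"),         # IPsec stack
    Packet(VPN_HOST, "tcp", 22),     # ssh on the VPN box
    Packet(MAIL_HOST, "tcp", 25),    # SMTP
    Packet(MAIL_HOST, "tcp", 110),   # POP3
]


def exposed_listeners(rules: List[Rule], listeners: List[Packet]) -> List[Packet]:
    """Listeners an outside host can still reach through the filter.

    Each entry is software whose bugs or misconfigurations the firewall does
    not shield; that is the attack surface that remains after "putting it
    behind the firewall".
    """
    return [pkt for pkt in listeners if verdict(rules, pkt) == "accept"]


if __name__ == "__main__":
    for pkt in exposed_listeners(RULES, LISTENERS):
        print(f"reachable from outside: {pkt.dst} {pkt.proto} {pkt.dport or ''}")
```

Running it lists the IKE daemon, the ESP stack and the mail server as reachable: ssh and POP3 are shielded, but the VPN software is exactly as exposed as it would be on the firewall itself, which is the reviewer's point that moving it to another box narrows, rather than removes, the exposure.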