A) PPTP using MS-CHAP v2 has one major vulnerability. It is susceptible to a man-in-the-middle attack and the challenge-response is encrypted with the user's password. If the user's password is in the attacker's dictionary they can determine what it is quickly. However, a truly strong password is not very susceptible to this attack. Read the details in Bruce Schneier's analysis at:
http://www.schneier.com/pptp.html

B) We plan to eliminate use of PPTP eventually but we're not in a big hurry to do so and will probably support it as long as there are common devices that don't easily (e.g. for free) support IPSEC.

C) IPSEC has its strengths, but authentication is not one of them. Now that IKE v2 is done incorporating EAP we should see clients with less vulnerable authentication.

Tom Zeller
Indiana University
[EMAIL PROTECTED]
812-855-6214

On 2/20/06 11:50 AM, "Lee Badman" <[EMAIL PROTECTED]> wrote:

> Another question from the VPN angle...
>
> Curious how others view PPTP these days as a "viable" security mechanism for
> both remote access VPN and in wireless environments. Not strong enough? Too
> easily exploited? Good enough for wireless but not remote access? Moving
> toward or away from PPTP?
>
> Thanks- this group is a wonderful resource.
>
> Lee
>
> Lee H. Badman
> Network Engineer
> CWSP, CWNA (CWNP011288)
> Computing and Media Services (NSS)
> 250 Machinery Hall
> Syracuse University
> Syracuse, NY 13244
> (315) 443-3003 Voice
> (315) 443-1621 Fax
>
> **********
> Participation and subscription information for this EDUCAUSE Constituent Group
> discussion list can be found at http://www.educause.edu/groups/.
