RE: PPTP risks?

From: Ben Nagy (bnagyat_private)
Date: Sun Feb 06 2000 - 15:22:50 PST


    [Skip to the bottom for the Reader's Digest version]
    
    Well...um.
    
    Go read Schneier and l0pht on PPTP - AFAIK it's the best (only) independent
    cryptographic review of PPTPv2.
    
    You can get there from www.l0pht.com
    
    To summarise, from memory, there are some major problems. The paper goes a
    little overboard into black-helicopter territory, but the actual
    cryptanalysis is real and checkable. If you don't want to dig up the paper
    and are happy to trust my dodgy memory, the major problems are:
    
    MS-CHAPv2 sucks a bit - a patient attacker with the ability to sniff your
    link can feasibly break it. This means that they can easily recover your
    MPPE keys (the keys that are actually used to encrypt your data).
    
    The MPPE keys are based on user passwords. This reduces the "entropy"
    (randomness) of the keys. I guess. It looks to me like this depends on if you
    trust SHA to be a cryptographically secure hash. However, it's certainly
    going to be vulnerable to a password guessing attack.
    
    The export version (teeny 40 bit keys) is even worse than it looks. A known
    plaintext attack makes it about as effective as, say, eakingspay ikelay
    isthay.
    
    In other words, PPTP is really no more than obfuscation, if you're dealing
    with data that people could be bothered to try and intercept / crack.
    
    The endpoints have been firmed up a fair bit, but there are still potential
    attacks against them. If it were me, I would recommend that the PPTP
    endpoints live in a DMZ.
    
    I'm not convinced about the risks of allowing GRE into your network. As for
    the possibility of someone tunneling data - that's what it's designed for.
    ;)
    
    [Condensed Version]
    
    PPTP crypto sucks a fair bit. Don't use it if you think that there's a
    chance of anyone with a clue caring about your data.
    
    There is probably a slight risk of PPTP introducing security problems, but
    I've not seen any attacks against the PPTP endpoints themselves that strong
    passwords won't fix. This does NOT mean that such attacks don't exist.
    
    Use a stronger VPN solution if you can afford it and you care.
    
    --
    Ben Nagy
    Network Consultant, CPM&S Group of Companies
    PGP Key ID: 0x1A86E304  Mobile: +61 414 411 520  
    
    > -----Original Message-----
    > From: Mike Barkett [mailto:mbarkettat_private]
    > Sent: Friday, 4 February 2000 11:34 AM
    > To: O'Dell Mike
    > Cc: 'owner-firewall-wizardsat_private'
    > Subject: Re: PPTP risks?
    > 
    > 
    > PPTP is a bidirectional protocol, and as such, it requires 
    > that you allow
    > return packets back through the firewall.  This also means you have to
    > have a static NAT in place for the client machine.  
    > 
    > The risks involved in this are all the normal risks involved 
    > in allowing
    > an entire IP type (GRE) through the firewall from the outside...  I
    > suppose someone could fairly easily engineer a tunneling 
    > exploit for this,
    > but PPTP really poses more :annoyances: than risks.
    > 
    > -MAB
    > 
    > -- 
    >  ,.........................................
    > :   Michael A. Barkett
    > :  Senior Staff Engineer IV, SMC (x6363)
    > : mbarkettat_private  
    > :  301.847.7180       ,....................
    > :   FW./\/.          : i n t e r m e d i a
    > '....................'   BUSINESS INTERNET
    > 
    > 
    > 
    > 
    > On Thu, 3 Feb 2000, O'Dell Mike wrote:
    > 
    > OM>Date: Thu, 3 Feb 2000 07:27:57 -0800 
    > OM>From: O'Dell Mike <modellat_private>
    > OM>To: "'owner-firewall-wizardsat_private'"
    > OM>    <owner-firewall-wizardsat_private>
    > OM>Subject: PPTP risks?
    > OM>
    > OM>Can someone explain what sort of risk is involved in 
    > allowing PPTP sessions
    > OM>to be initiated from within our firewall, if any?
    > OM>
    > OM>Thanks,
    > OM>
    > OM>> Mike 
    > OM>
    > 
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:02:16 PDT