Re: PPTP versus L2TP and possible attacks
From: Patrick Power (ppower_at_registrypro.pro)
Date: 02/12/04
- Previous message: Chris Gianelloni: "Re: PPTP versus L2TP and possible attacks"
- Maybe in reply to: James D. Stallard: "PPTP versus L2TP and possible attacks"
- Next in thread: Zachary Mutrux: "RE: PPTP versus L2TP and possible attacks"
- Reply: Zachary Mutrux: "RE: PPTP versus L2TP and possible attacks"
Date: Thu, 12 Feb 2004 16:30:40 -0500
To: "Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]" <sbradcpa@pacbell.net>
Quite a while. On doing more research just now, I find that a collection
of Microsoft patches and a protocol rewrite have solved most of the
issues. My apologies, I should have done more homework before I posted
some disinformation.
Here's a nice reference:
http://www.schneier.com/pptp.html
For historical interest, here is a summary of the older research that I
read back when PPTP was still severely broken:
http://www.schneier.com/pptp-faq.html
-Patrick
Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] wrote:
> And when was the last time you read that?
>
> Watch the security week webcast with Jesper Johansson
> www.microsoft.com/webcasts and he talks about the truth/hype of PPTP.
>
> Patrick Power wrote:
>
>> Actually L2TP is only a tunneling protocol. It does not include any
>> encryption. L2TP makes a "virtual network" just not a "virtual private
>> network". L2TP is primarily used by Microsoft in conjunction with
>> Point-to-point IPSec, where IPSec provides the encryption part of it.
>>
>> PPTP is a complete VPN on its own. However, the last I read about it,
>> there were some pretty significant flaws in the design of the PPTP
>> protocol (not just bugs in implementation, but actually protocol
>> design flaws I believe) which made PPTP relatively easy to crack.
>> IPSec on the other hand has not had any such flaws yet discovered, and
>> is *widely* considered a very secure solution.
>>
>> -Patrick
>>
>>
>> James D. Stallard wrote:
>>
>>> Hi
>>>
>>> I have recently deployed a VPN Server using Microsoft RRAS. RRAS is the
>>> preferred technology because there are few anticipated users and the
>>> software is free :)
>>>
>>> The VPN Server sits behind the corporate firewall and operates fine,
>>> accepting incoming connections reliably.
>>>
>>> I am rather new to the VPN game (I usually design Active Directory
>>> infrastructures) and set up both L2TP and PPTP protocols for convenience
>>> sake while the client pilots the solution. My questions are therefore:
>>>
>>> 1. Which is the better tunnelling protocol in terms of security and
>>> functionality, L2TP or PPTP, and why?
>>>
>>> 2. Is the community aware of any exploits that could be levelled against
>>> the firewall with the following ports opened to support VPNs?
>>>
>>> L2TP requires: Protocol 50, UDP 4500, UDP 500
>>> PPTP requires: Protocol 47, TCP 1723
>>>
>>> 3. Anything else I should know?
>>>
>>> All advice is appreciated
>>>
>>> Thanks in advance
>>> Regards
>>>
>>> James D. Stallard
--
Patrick Power
Systems Engineer
RegistryPro, Inc.
+1-212-798-9113
ppower@registrypro.pro
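
The port list in the original question, and the quoted point that L2TP does no encryption of its own, can be turned into a perimeter check. The following is an added example, not part of the thread: it labels raw IPv4 packets by VPN role and flags L2TP seen outside ESP. UDP 1701 (L2TP's registered port), the function names and the sample packets are assumptions constructed for illustration.

```python
import struct

# IP protocol numbers. ESP (50) and GRE (47) are the two "Protocol" entries
# in the thread's firewall list.
ESP, GRE, TCP, UDP = 50, 47, 6, 17
# UDP 500 / 4500 and TCP 1723 are from the thread; UDP 1701 (L2TP's registered
# port) is added here and is not mentioned in the thread.
UDP_ROLES = {500: "ike", 4500: "ipsec-nat-t", 1701: "l2tp-cleartext"}

def classify(packet: bytes) -> str:
    """Label one raw IPv4 packet by the VPN role it plays at the firewall."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "not-ipv4"
    ihl = (packet[0] & 0x0F) * 4              # IP options move the payload start
    if ihl < 20 or len(packet) < ihl + 4:
        return "malformed"
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:
        return "fragment"                     # no transport header to inspect
    proto, body = packet[9], packet[ihl:]
    if proto == ESP:
        return "ipsec-esp"
    if proto == GRE:                          # PPTP data: GRE version 1 carrying PPP (0x880B)
        pptp = (body[1] & 0x07) == 1 and body[2:4] == b"\x88\x0b"
        return "pptp-data" if pptp else "gre-other"
    if proto in (TCP, UDP):
        sport, dport = struct.unpack("!HH", body[:4])
        if proto == TCP:
            return "pptp-control" if 1723 in (sport, dport) else "other"
        for port in (dport, sport):
            if port in UDP_ROLES:             # bare UDP 1701 means L2TP without IPsec
                return UDP_ROLES[port]
    return "other"

def ipv4(proto: int, payload: bytes, options: bytes = b"") -> bytes:
    """Build a constructed IPv4 packet (documentation addresses, zero checksum)."""
    ihl = 5 + len(options) // 4
    head = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, ihl * 4 + len(payload), 0, 0,
                       64, proto, 0, bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    return head + options + payload

# Constructed sample traffic, one packet per role (the last one carries IP options).
SAMPLES = [
    ipv4(TCP, struct.pack("!HH", 49152, 1723) + bytes(16)),
    ipv4(GRE, struct.pack("!HH", 0x2001, 0x880B) + bytes(4)),
    ipv4(UDP, struct.pack("!HHHH", 500, 500, 8, 0)),
    ipv4(UDP, struct.pack("!HHHH", 4500, 4500, 8, 0)),
    ipv4(ESP, bytes(16)),
    ipv4(UDP, struct.pack("!HHHH", 1701, 1701, 8, 0), options=bytes(4)),
]
```

When L2TP is run over IPsec, the firewall sees only IKE and ESP (or UDP 4500 behind NAT), so an `l2tp-cleartext` label on perimeter traffic indicates a tunnel with no encryption layer.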