RE: PPTP versus L2TP and possible attacks
From: Zachary Mutrux (zmutrux_at_compumentor.org)
Date: 02/13/04
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: PPTP versus L2TP and possible attacks"
- In reply to: Patrick Power: "Re: PPTP versus L2TP and possible attacks"
- Next in thread: Laura A. Robinson: "RE: PPTP versus L2TP and possible attacks"
- Reply: Laura A. Robinson: "RE: PPTP versus L2TP and possible attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: <focus-ms@securityfocus.com> Date: Fri, 13 Feb 2004 09:30:40 -0800
As a point of amplification, both L2TP and PPTP are tunneling protocols
without any inherent encryption built in.
In Microsoft's Windows 2K/2K3 implementation, L2TP uses IPSec for
encryption, and PPTP uses MPPE. IIRC, Microsoft's L2TP requires the use of
certificates for authentication and encryption, which means if you choose
that route you must set up a public key infrastructure. That means a little
more work, but also better security.
You might be interested in this paper by Bruce Schneier and Mudge, which
discusses some of the continuing problems with MS-CHAPv2 in conjunction with
MPPE.
http://www.schneier.com/paper-pptpv2.html
Microsoft offers other methods of authentication now in place of MS-CHAPv2,
so I'm not sure if the weaknesses Schneier and Mudge discuss are still as
much of an issue. But there is no question that IPSec based VPN are more
secure than those that use MPPE.
zm
- application/x-pkcs7-signature attachment: smime.p7s
- Previous message: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP]: "Re: PPTP versus L2TP and possible attacks"
- In reply to: Patrick Power: "Re: PPTP versus L2TP and possible attacks"
- Next in thread: Laura A. Robinson: "RE: PPTP versus L2TP and possible attacks"
- Reply: Laura A. Robinson: "RE: PPTP versus L2TP and possible attacks"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
