VPN recommendations?
Bill McGonigle
bill at bfccomputing.com
Sun Jul 1 23:53:05 EDT 2007
On Jun 30, 2007, at 15:42, klussier at comcast.net wrote:
> There is no data to the contrary. Bruce Schneier and Dr. Mudge did
> a cryptanalysis a long time ago and pointed out several flaws in
> PPTP: http://www.schneier.com/paper-pptpv2.html
Note that this is the second paper - addressing the changes since the
totally broken first version. In this one they conclude that PPTP is
only as strong as the password used and that people should get on
with pre-shared key protocols like IPSEC.
That's great advice unless you're on the phone with the salesguy in
Boise who is trying to get online from a chair in the lobby of his
roach motel attached to a Netgear wireless router on a DSL line that
was billed as "free high-speed Internet". They (at least in many
iterations, from this and other vendors) won't pass IPSEC properly,
and may even limit outbound ports (OK, typically you have to stay at
a fancier hotel to get your ports restricted). In that case, PPTP
will usually work, and, of course, OpenVPN using HTTP on 443/tcp is
bound to get through. Of the two, PPTP is the one that comes built-in,
and because of its 'weakness', the only data you need to exchange
is a password (which Bob probably already knows) so you're going to
get back to dinner faster. I know, that's no way to run a secure
shop - we should be sending guys out with solid-state machines and
smartcards, preferably with a spare too, or just telling them to suck
it up until they get back and stop clicking on every mail to come
into their inbox.
-Bill
-----
Bill McGonigle, Owner Work: 603.448.4440
BFC Computing, LLC Home: 603.448.1668
bill at bfccomputing.com Cell: 603.252.2606
http://www.bfccomputing.com/ Page: 603.442.1833
Blog: http://blog.bfccomputing.com/
VCard: http://bfccomputing.com/vcard/bill.vcf
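As an added illustration of the "OpenVPN on 443/tcp" option Bill mentions (this is example configuration, not something from the original post or from the OpenVPN project's documentation; host name, file names and the 8443 web-server port are assumptions):

```conf
# ---- server.conf (added example) ----
# Listen on 443/tcp so the tunnel looks like ordinary HTTPS to hotel
# and cafe gateways that block or mangle IPsec (UDP 500/4500, ESP).
port 443
proto tcp-server
dev tun
ca   ca.crt          # hypothetical file names
cert server.crt
key  server.key
dh   dh2048.pem
server 10.8.0.0 255.255.255.0
# Anything arriving on 443 that is not OpenVPN is handed to a real
# HTTPS server on the same host, so the port can still serve a web site.
port-share 127.0.0.1 8443
# Extra HMAC on the TLS control channel: unauthenticated probes and
# port scans are dropped before any TLS handshake is attempted.
tls-auth ta.key 0
persist-key
persist-tun
keepalive 10 60

# ---- client.ovpn (added example) ----
client
dev tun
proto tcp-client
remote vpn.example.com 443   # assumed host name
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
# Refuse to complete the handshake unless the peer's certificate was
# issued as a server cert, so a rogue client cert cannot impersonate it.
remote-cert-tls server
```

Unlike the PPTP case Bill describes, the secret here is a per-user certificate rather than a password, so there is nothing to guess over the phone, but it does mean the laptop has to carry the cert before it leaves the office.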