VPN recommendations?

Tom Buskey tom at buskey.name
Mon Jul 2 08:50:18 EDT 2007


On 7/1/07, Bill McGonigle <bill at bfccomputing.com> wrote:
>
> On Jun 30, 2007, at 15:42, klussier at comcast.net wrote:
>
> > There is no data to the contrary. Bruce Schneier and Dr. Mudge did
> > a cryptanalysis a long time ago and pointed out several flaws in
> > PPTP: http://www.schneier.com/paper-pptpv2.html


I worked at a place with security set up by Mudge.  It was very secure.  SSH
everywhere.  The sales guys had a batch file that would set up most of the
SSH stuff & modify lmhosts as needed.

> Note that this is the second paper - addressing the changes since the
> totally broken first version.  In this one they conclude that PPTP is
> only as strong as the password used and that people should get on
> with pre-shared key protocols like IPSEC.
>
> That's great advice unless you're on the phone with the salesguy in
> Boise who is trying to get online from a chair in the lobby of his
> roach motel attached to a Netgear wireless router on a DSL line that
> was billed as "free high-speed Internet".  They (at least in many
> iterations, from this and other vendors) won't pass IPSEC properly,
> and may even limit outbound ports (OK, typically you have to stay at
> a fancier hotel to get your ports restricted).  In that case, PPTP
> will usually work, and, of course, OpenVPN using HTTP on 443/tcp is
> bound to get through.  Of the two, PPTP is the one that comes built-
> in, and because of its 'weakness', the only data you need to exchange
> is a password (which Bob probably already knows) so you're going to
> get back to dinner faster.  I know, that's no way to run a secure
> shop - we should be sending guys out with solid-state machines and
> smartcards, preferably with a spare too, or just telling them to suck
> it up until they get back and stop clicking on every mail to come
> into their inbox.



There's always a trade-off with security.  Reducing it to a cost of breach
vs. cost of lost access is one way to approach it.

In the environment I was in, you couldn't ping most devices and monitoring
software was hard to deploy.  Many of the monitoring tools didn't work across
a firewall and we had a few internally.

The cost was that if we got broken into, we were out of business as a
security consultant firm.