|
|
|
Can PPTP Really Go It Alone?
By: Peter Coffee
2003-09-01
Article Rating: / 0
There are 0 user comments on this Enterprise Networking story.
Stronger security of IPSec-based VPNs worth cost.Regardless of any other network management strengths that a virtual private network may offer, any VPN is fundamentally an encryption-based aid to network security.
The entire case for any VPN is the belief that encrypting data makes it safe to send across a public network and that, furthermore, the security thus gained is worth the associated costs in bandwidth and processing—not to mention the additional costs of VPN products, services and administration. If the encryption protocol used by a VPN installation is unsound—or weakly implemented or carelessly administered with lax key management or other common errors—the exercise can be a waste of time and money.
During the Aug. 19 Ziff Davis Media Inc. Webcast eSeminar on VPN challenges, several attendees asked point-blank questions about the justification for the higher cost of a robust VPN based on IPSec (IP Security) or SSL (Secure Sockets Layer), compared with the lighter-weight PPTP (Point-to-Point Tunneling Protocol) thats supported in a wider range of Windows and that enables a greater number of connections for the same amount of server processing power.
There were serious flaws in Microsoft Corp.s initial implementation of PPTP, including a shortcut to automatic cracking by tools such as L0phtCrack from @Stake Inc., of Cambridge, Mass. (More information is at www.atstake.com/research/lc.)
Microsofts current PPTP version, using Microsoft Challenge/Reply Handshake Protocol Version 2, or MS-CHAPv2, addressed this vulnerability and added server authentication to prevent masquerade attacks by rogue servers.
Microsoft officials are quick to acknowledge, however, that PPTP merely encapsulates data, failing to address other key concerns of mission-critical network administration. For example, PPTP does not have the necessary tools for preventing a "replay attack," in which an attacker monitors the communications stream and sends previously intercepted traffic to pose as a legitimate participant.
Protocols such as IPSec, in contrast, provide mechanisms to detect the packet sequence disruptions that betray this tactic.
PPTP also has the weakness of relying on passwords, which are often chosen poorly or protected inadequately by their users. IPSec and SSL rely on cryptographic certificates or algorithms that typically provide a stronger form of encryption, but many implementations use certificates associated with machines rather than users.
The user who leaves a machine logged in thats physically accessible to others, or the user who enables automatic log-in features on either kind of VPN, makes the security of the network only as good as the physical security that protects the users office—or, worse still, the users portable device.
System builders must appreciate that in the domain of security, every convenience comes at a price. SSL-based VPNs accommodate the heterogeneity of Web clients to offer service to a wide range of users and devices, but that tolerance of differences also creates possible security loopholes (for example, the risk of automatic fallback to an easily cracked 40-bit key if a user logs in with an outdated browser).
IPSec clients are less tolerant. Server-side attacks on SSL-based VPNs might succeed if users are too casual in dismissing warnings about possibly bogus security certificates, potentially enabling man-in-the-middle attacks. IPSec clients leave less to the users discretion.
Anyone considering VPN alternatives must look at all of the implications—practical, as well as theoretical—of each offered choice.
Technology Editor Peter Coffee can be reached at peter_coffee @ziffdavis.com.
|
|
�������x}ks6*�Q3{L[H)ْg-�n�EB�c䒔�?q
/I%?�A4ЍFh|CgowD�0�9wE1>=zk;HR{oo��L#
@&gPUP
D廚�f�w2gvS;^
�> \?g#Q;Y|�%x�_'Щ=ѩ6dNvB�{Gd�#B�=..Q^�Z!X~�4�
^Nૌ=auh� /�B1r!bL{y74�ɿ�TSŝ��L=iTV@�V;&U)f;ı�w8r�t�uur<�ZBJ�53��4I��& پ�thsqHf��z�K.V8ac6�9�} �Tw<-0�;D=:m�/�EY[~Si QIV�ZS4�Ei�ΝoĩqFoyxRIQË� �?
n<4�h;ɠm5ʥ&�yj0�S3�^�wD��իe`ZG$�_�s�::{Bh�,?>G�F(j+|!Ҭ4%tT*+.#=-bv=ӧ0�_8Df9G]һ�.��N>�_{>_ekfy�3z�PCf(U`W:�)㭩S>^?_s\/!9�\nS7DV,=B��j�`Bm�iuZʟZ�`Kk'\ď�R�&�ںa#5�զ�~Df;8�}y�.?�OHA,wG]�3�`lDmYܻ(BREǛɣ+�aXY|D͢���4��o�L�ߎA�@w[�.�@0[�:6M6kiN5��f�!`A�`usi
'@ki��Fk�PY��\`k6�R\� 9lb��)6B̄H )f7%r M
XR��*�}(%嗋�m|*(If([�/3 �BD?CC���0&pJjv7WpW�}znN73Wj{��oU#L+
.�ϱg^g%p{a}�8J�j�p�X.B2iKB0pԶ7�KZ36���R7+
TTrKX�QnŹl�2X��jXvR7T[ZAQ�bA�:�~��>_P\.Z�Ͷ�OCGs�>hH2胆6ml�-�3I��Xn`���h_a;Nh1[7 <]Z
K pA}x��껭B &z4H۠h&r<�kIlLJ.?6Y� [
G`p��&[�xk�=`D�wM'Db)L���TE}�vAC-AX�z��][�
�X.{s�6GT[LK�x�GN w
(~9-7R��+C0tWtL=JIY��"D%� T
h��4�A�ǰ�E�EN�m�_ILH�XVVpp�Vݞ�H:sfXV�s㙰ZI٣XB�Y�X/_��23CCɴ��X�9�{DM�f�T`B[LKa�k Sn-`oV*QԬ5�Mz�zөy@�== 3Ҵ�ҁ%�Llat50O�iH\U�}ɲK�0s��gs2�4ğNP$CǺ������35{00�q}@����dҬiK�ӆ�$rTDh���L˄r�6:eRHk0k�8
�cy�s343'p6?>{@OM\n��b8$iy>grGֶL/%�@W|�z[.z:
%�r%�
5kb�$T`CL
�_q^i;[@�\gK{�fɪ(U3�%fcP�o׆u�j@_�&��9&ۚ8ª83E�Q]ZKY$"!�t��syðB�/0<�MΆТ3i1*cc�9���|Ւ\Ve��}d29<:5%T'fڹaK �l� �J;4
H�` :WbbˡB2\NNaN��}9�tNY�z�l2:�'�,��aфː�;w�]
c7,��Vh8)JjCMlbs(zq�X0b=I{p�9pJ��aᚚ:��@H3gs:'UG8`
;DF�Sh2��F�,éiH5ߴ��FʫU�f-03H8�֪JYUc?$i?怚H|A���2,e,�re9wA�ٜ�$�F.z*97e�4p�u�\��!ũ-BrMad94l^b07Z3Xh�;�pY;~&��6Ckd�D��˦{ǙYT+�[pn�Lqb
֚΄��O5O3_c��Ӏ�ap:�pȐE&@|Z�48��
yM| *�OF�1�-[
(�:T�#;$��t�W\ހĒ��,C!�PÍ{c�?4�]u�Yb�2A@{BҨ7F=&89J5U֏*j^9
�䎾_2�:Ew�H�_㬯=q�,sQqM1/~VczMxh�>������|tqZ��c�"O`��)';@|�e͉<]I`/WbҧJǦ8D�ĺ3�o`!TՖῦ
�vOQ�� g�: �C\4 <�}g�s�(z`0$6et�
0e=Q]5�Ԉ@|��0+�nC�/=��ꗦK�$�?'
l[%}X-��*fֲm�Pm^مH��B���dB�tݡk�;J8Kb(w���R3c�rF|ْ�m!yUq@WIe�&�24ڭZd''W6>K}&=nf{mxorF�+�)�3��4WJ�3[; ɵ#u2镍1:��M}VD�QWKj�_W��1F)��|փ�3Kle%L�
l�j��=O e�ꚠGqS�VKW�Um{*|�&:vL1v]0\]>w6E, H��k�Ŏr�۬Y=(RP^�c�0:+�h05Җ
�@VGl䄇%b�
"9&K8.h#2"n�-!�?�#x�X��Gwi�ŏj(
rUް7D~�=ղ,W@'W�%UHUu$�~�U��r1K�71e3X&(%\8 ,^��۹.6�"0�טޒsb=�
�l�
e|,���M���d3��L8FXDWv\{e"�;Z\c/f&#ẉ1114/x~q`�z}_j(o��P�$�/I4�C2��:;_tMc�/ax�mҤ^+u;pH%U{:�IC?{kq Ou,�}Y_t{8$#�_
>^ty}��Gye8dB�eIw$(��X̐��4qߵ s_'^
/KW�6|v;�A��2ߋO"�V9�Fs�s!}28�\hGѓ� G�R h�FH^*<�1)MF2�t0S�t_��6Q"B�@I�+,�;�>B3HBp���&�e9=6T+,k�Z\�f|C!2z.x�(G��@�RPOh
ۤ#Yst*93Ğ
:#Lg��!�l�:Ua2"W(BSil'u�3x�:)�
5;+E_髒��F{�}+i�
T
�t6~hOWk0w1Gg
2n����c~wbSP?�Gzr�0y!DN�Í7����E��zWׇdn��#N M5�W"v=O[�?�
�cj9wa�(T�aɔ�$�zaeۺfIlx`�RI锐']�8�z>RB'K�˓$/IYO)Uq��JKBK�
39�uEVHG�o�dxٹ؞m ybXýK3BJ$�0:r:kv�85(Qs�N�H��qJiI�g|)EY-V
ɏ��~x"��R̅)�Oу��x��9$�jX)gTͺv����= }[/Cy=uڸ�%6l�Q�}y�:b1�ߠPapϲTta_|�c|;�F�'5�]{ @fd q;�f=;0�蹳��=�`�}dž-{oC�Ђ_$"BZē�|s\�J-fXe@�g,4F�?; ��霍zWsy�09J j�BGHb9}ÿ§G�� �[s�W\�g䢉+aRV{5Kdؗ{vO+r<�]1h�gfGlL�3I")jX�DWdU)I�CY)E)?8���bz`@L6CGځ;�-�3(.mm3{zi
8_2{K�7kx=W"Fȏ'[L��wuq@%J�{gUQJ7=�*q�@k%Y*qQ�)"{�"F%�t`�
/Cu�Uf��mq5O[�xcN �yi�襞��?7�w�Bf\ A�VѧA'�Qͳ��u$�s*U,@N~�"Tyt�ҳipB!,)iԊZU~a!V�7z�GʼnY?_!�QW�PB�K��ok��EF.ੇ�jq��~6�#5AL;ϔz.�6��.;�RשOVQ=!a�@�@�)8 we)MD:�;-�]�`Ao|/9;ŷ~YxH^_UV8
�MLLj[*
>^�bA
+N|�*�!x��);ٌY�8��nhK�,O��5L,�s)'0�$fhL&ҧ�)<(}bb4��A����$�ėT[a�!Z;|'vHJYRK۲C�� =#oO=
�$�� �gH�_�`"% cd$,Da
xf�s,كL�@$>a@xM�H�$AxG_=^
ь=݉jRlTy)6b1SKo常��tyerϥvC}c;���G߄tx =VJJIa�$J�*aP<�D@"5��IDi?��Y})+�3���m�qL&1�_Z6�-��ĬcR6J��P���V�F}dx'�2D ;
;WyM:&յyjJ�'Ĺ��Dž�Ps�Y[Vצtj�����AXiEXے!
8�/9UIQw6/z$LM7(�{��KaF�F��ن�HKxP5o�3�}$M8/B�BJ=:}kd1*K�X)?2gA$#;;;;ޝ,7+ɱ| ֞�W&KK$ǿb�\Q �HXM�d���P=5gPl?Ɩ[ze/8�w/Nt SҢ@xď4�сq./!�BRX�dG�$=7sgQcF�� �ou{W3��<̼ח�,$-%�h�K+Mch3v��E� $/{^l+�l@O��"f��ovo+L�;0��r/lt��yIxvR�/H)[v���KX�S/zڨ˦�`�Y�rԗD5R|W ɿ28P|뜌vGt"��E̤UyB+t?@=a!d;tL%Ij�~(m[Tx{�ŷi�3L`��as&^�ejŕB=m�rr77w-ű3.e-£EV@9(5����Ro|֊�[N/BӪ=W ��<`%��\k9���3ʧ!i3O��I}fx|X$Oo
O�/
:ä="La휰�ߢ��?'(op76bmJąd�?�߾.R!ߙ����ZI?I81OXo�D2E����N�~%Jt��U�;@�m'�Hf|')Jaw%Ƕ1٧6}1�mM[}kp�BU�P�:)q�CvJ
rหذf�r,z�o{�2)9E(�N*9m�ԘA#샒�=�%h�M!,qK)Ds�!3�:mlx&ޜ� �Z0_�1vH!'p.$XDPa��q��K��IҲ��OBZk�6WqN"F,dѴÛB.cbJS,OQ/+�]ZX:~WeL<^^AF֊ws3
i��o䍦"�r*ނ0H�uP�bV UP+$h%^rHћk[46Ƿb�3#�m@�f/=q,v[kݺX;̈́�|�W@O[j�,?�չH[�O,;ٴ+�q�ydE�8av���cI\3q'R\�V�#x'��lSaZ� �~�
�)�s��R*1̶rr�?GRUkƑ�:�Ƃ�_#R/5**��Y���)0ܜ�+.�ғnWbG0VKr¼y���t֛I1%6#�CJdI>HP-$�fzϵ�CE8Q�"��pr�|w\K17[
w#k)>86bJ|xI�$0�ט]ګjL_z��>d9��DbW�D
]%F�j5Ւ�g)6AP��ׯ0Oļ^sno0�؞`l.,9++xfVVUmmqVخ�NS�c�f�@>hf�MP�x�:�Х���/H𗲨Bȿ�9�j�VܞVk#Džc�d�K..�zyZ"F6#ZOi�J|)�:J=F(<�1_+@zL�BYiv'
.''��[�o/?VHv_j(o�[_�Y�1_E�_�t q֢�9��o25�+�
SxC�7)+�Z%=̓h|q�ـ�j3El�e:td�>�6ȭ�="&s'Mُp�KS�;"Θ�oX�{+$ɽO��g-�KA��{�/'\oY��r2H�jqC9҂%[럮.JS)cA$u"���:,�lZi�h�IED#Thb��GA#ɹ�j8dMN{nBE<
,i
�
�5"���L,�n#B��spb&�S57L[lFLN;�PPbA)K�'4_21Fnŷa(�l�;b21SbH~�98K�$��q��DN:.Ju��E�t�03�W���
}�n
Q&@Ĕ�v767p>9�[Z�fA�� �Lma`t��.t�-ܣu7]��]L�A�f�pRt\j��:r�tԪ+ʁ��|{���`�>�c7I��[7��ΥiEQy|L�
]ǒ�4�B1hYLR�MO�u;7u_F`�p���3�W�V�j]OBӱRs]��j5q]<>;AuU�Cq VH+�^@0UJ�2eg44\�@%��$͈u41Xv39�\�99�.qlpg
}��HGݩ;ǃE1S��|j5<66�ideAN/:=f,)�B=\h���,�^;KKvE 3Bcqu�^ Lũ�O?:{R(/�bI@^zuw��&6yBN{��KԊr�ϏПgg:^?.9q�Χ��A3�^Z�+�!z*9imn8~�(�hO�uɈ�.zvhRZ�YNOPSNPsN�_etS;9�(�#˻@n/�OO>9y��cv~]�nN9?/rʡ4,�g�,�>v9�s?�y9=��?�{'sg+�ɠ\W�KM0TntE-K�/Y{�ʹ2
Ǹzuv�^_C�
JM$X2oM*!#(����^>&c����˼$=)>w�滤I��xʹ]!&JR/-cENF9.~QJxdJ$d33,F�D5��"X��|8�NtW$1W ^-}�cLS��+J��=��"%��wm[/�^/�ydVVՍ/#B
AfПb
9I?&OxVf}�4;(��ai3Q*�5ýEy�R��80׀�z��O3m/�C/���->��كk һ蜍/;{졽\쓥=�-}.o.DB�$p� G�7_`�5a/�x�I]c�v~k��-/I��{4�"qf`iXE-Rp�V)*j�~z^+�}'�B`8 ".�eD-ɪ"+
W9 ط��TSJ�`"�
^�x|D��emҫ&�Q*rC�jx{I��2hCX�;l͘ʹ�1rK�u¿�z:m�ԙ`,K�~�f)g���SXt�MݢI�gگM Hx��>}r �1-�X"LiA֝�D#�Z#"9�Ń&aѱ(�C{XnD823tw^f$j�Akx.,zE+(䝩Jp}tA>H_,m�gqlC�71nnܙexkd��"�d`lB»c5��1j
Uлx^�B��.;$m�c?5mi.;"4�n�����3^��.�xN��l��|0�DeQO,|.�G㿄&�K�0�|F�``?94Ǟ"0Հħ�%N@1W]e
�A_e|bOh�6^�GsV.�:vGM�h�^w<��"s
H�a-Xm)hпd,3�u玍�'�]Ӹ�K'� CįD�?&. (Tfz� 6�)ϐ�R1m�A'R(�~))᠃xfA߭u�d&gg4�b
Fy&b3@p�+Q$�Ly�Ew��7N_e%�\"d⮾�3@F�D0�"����aZ8DR�*Ĥ&f
,��� ~93=�(@P�7�9���B<�ok3��+ot#(:�oTV@8]N,ӟo�~VI�
�&`�w{|iW��1ZpC6)�tO�E㫰���BNt3B7o^��z%�3d�?�(ڴ�F#,ci
m<�P� (c.vf]�nAQzְs®54-g��v�ѹ�Y�߹�%A]e�S�!)��v$п�{0�|>,�l�p/>c�wOq
0tcrW<-�ɤ{#̅2 !γYx[k�0J1+I_cQd+8*)�ؐ�W����k`$bOP��1,&�,�oF['T�S*�4.v>ϭ?\:?p�Ϣq9q�e#٬ITw|pح~{ej�x�ٚջHDR#.&i��A�C�Xq�k @c,̈́6;��]L
il$j},1&.� w A�ixUv�X���`*F"e,Z*bJ�؉ZqpR!C79I�}�˦"'N܌aB~c�r��iL%'����8
g�0T^ZpTT��/>%hw2bo�_��(,�}E.t}.Sq�k�>֮+7�By:�IC�RI>Ql��vCx(1�']e(FRq�O\|0:P|28�\`gbi
/=j+/Z(K��- K`�� {n>"^ճ/�
.A|ѾĀy6�=x�L�
�M4ZjV'I#;on[�b$-�U.IS4[]iv[W셳Qb)l٦dLTi2�9F{) q-/EiQm!'
#faa#nǝl| �n%96J]^�[�
P�@j<(��
|
Enterprise Networking 
