 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall Mailing List <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] PPTP vs IPSEC?
 Date:  Fri, 22 Jul 2005 11:37:43 -0400
On 7/22/05, Paul Dugas <paul at dugas dot cc> wrote:
> Looking for opinions here.  Just how evil is PPTP compared to IPSEC for
> remote access to the LAN.  I just enabled it on a test box and had a WinXP
> client logged in within a matter of minutes.  IPSEC's need for a separate
> client on WinXP seems like a hassle.  Is it worth it?

Not to mention the current IPsec implementation in m0n0wall is next to
useless for mobile users because it lacks support for critical things
like NAT-T.

PPTP has gotten a bad name because of Bruce Schneier's 1998 findings
of several serious problems in Microsoft's implementation of the
protocol (*not* the protocol itself).  Bruce still has the page on his
site like it's just as true today as it was 7 years ago, which isn't
true at all.  http://www.schneier.com/pptp-faq.html

A sample chapter from the book "Anatomy of a Hack", which went
online just this month, explains it best:
The reaction was shock: "Oh no, we can't use PPTP. It is insecure.
$TrustedSecurityExperts have found flaws in it." That was partially
true. A couple of years prior, two security researchers had written a
paper on security problems in PPTP. However, Microsoft had fixed all
those problems and released a new version of PPTP. (As a sidenote,
only two relatively minor DoS vulnerabilities have been found in PPTP
since that fix went out, about seven years ago now.) When informed of
this, the customer replied, "Well, but $TrustedSecurityExperts say it
is still insecure." That was also true. The same researchers had
concluded that although the update addressed all the problems, the
protocol was still only as secure as the passwords users used in their

PPTP isn't the best VPN protocol in the world, but it isn't the
disaster today that many make it out to be (and that it was in
Microsoft's implementation at one point).

In production environments with a security budget, I typically use
Cisco VPN client software to connect to a Cisco router, PIX, or VPN
concentrator (IPsec, and two-factor authentication capable).  In an
environment that doesn't have the security budget, it's usually
m0n0wall PPTP VPN.  In the former case, it's typically companies that
have a reason to be paranoid - banks, other financial institutions,
etc.  In the latter, small companies that don't really have much of
anything to worry about (and their internal security is typically so
bad that PPTP is the last thing somebody would attempt to attack if
they were individually targeted - why bother when you can walk in and
walk out with the server, and/or grab passwords off post-it notes).