|
||||||||
Hello everyone, I recently set up a computer lab for a group of system administrators (of which I am one of them). One of the requirements was to be able to remotely acces the lab using a VPN solution. I decided to use m0n0wall because of it's robustness, support for 802.1q, and vpn capabilities. Since my colleagues will be connecting to the lab from behind NAT boxes (linksys and such), I read that IPSEC would not work; so PPTP was the only other choice. I also favored this choice because no additional software (client side) was required. Yesterday, one of my colleagues sent me these two links. http://en.wikipedia.org/wiki/PPTP#PPTP_Vulnerabilities http://asleap.sourceforge.net/ Here is an excerpt from the first link: >The security of PPTP has been entirely broken and PPTP installations should be retired or upgraded to another VPN technology. The ASLEAP utility can quickly recover passwords from PPTP sessions and decrypt PPTP VPN traffic. PPTP attacks cannot be detected by the client or by the server because the exploit is passive.The failure of PPTP as a VPN protocol is caused by cryptographic design errors in the Cisco LEAP and Microsoft MSCHAP-v2 handshake protocols, and by key length limitations in MPPE. Both LEAP and MSCHAP-v2 derive session keys from user passwords, which are cryptographically weak. I knew PPTP wasn't the most secure of VPN solutions but these links got me worried. I am not a security expert so I'm not sure how to interpret these articles. Is m0n0wall impacted by this? |