I use IPSEC VPN from behind NAT boxes of several different varieties and vendors without any special rules or configuration. The box just needs to support IPSEC passthrough and most do these days. Just use the IPSEC connections with the SafeNet client (or something else if you can configure it) and you'll be set.

-----Original Message-----
From: Daniel Milani [mailto:daniel dot milani dot 71 at gmail dot com]
Sent: Saturday, November 12, 2005 8:29 AM
To: m0n0wall at lists dot m0n0 dot ch
Subject: [m0n0wall] PPTP Vulnerabilities

Hello everyone,

I recently set up a computer lab for a group of system administrators (of which I am one). One of the requirements was to be able to remotely access the lab using a VPN solution. I decided to use m0n0wall because of its robustness, support for 802.1q, and VPN capabilities. Since my colleagues will be connecting to the lab from behind NAT boxes (Linksys and such), I read that IPSEC would not work; so PPTP was the only other choice. I also favored this choice because no additional software (client side) was required.

Yesterday, one of my colleagues sent me these two links.

http://en.wikipedia.org/wiki/PPTP#PPTP_Vulnerabilities
http://asleap.sourceforge.net/

Here is an excerpt from the first link:

> The security of PPTP has been entirely broken and PPTP installations should be retired or upgraded to another VPN technology. The ASLEAP utility can quickly recover passwords from PPTP sessions and decrypt PPTP VPN traffic. PPTP attacks cannot be detected by the client or by the server because the exploit is passive. The failure of PPTP as a VPN protocol is caused by cryptographic design errors in the Cisco LEAP and Microsoft MSCHAP-v2 handshake protocols, and by key length limitations in MPPE. Both LEAP and MSCHAP-v2 derive session keys from user passwords, which are cryptographically weak.

I knew PPTP wasn't the most secure of VPN solutions but these links got me worried. I am not a security expert so I'm not sure how to interpret these articles. Is m0n0wall impacted by this?