[svlug] PPTP?

George Bonser george at shorelink.com
Sat Jul 21 19:13:02 PDT 2001


In a situation where a VPN solution has been adopted that caters to mainly
Microsoft clients, you are pretty much limited to PPTP and L2TP. You can
forget about getting management to make their IT staff learn anything
about SSH if they don't want to.  

Imagine they have a VPN solution and 100 employees.  Their solution works
for 98 of them and requires no training of employees about packets and
such.  They just want to sit in the driver's seat, turn the key, and have
the engine start. They really do not care about optimum fuel/air ratios,
vacuum advance, etc.

For a technology to be wildly successful and widely adopted, it has to
have utility without the user having to understand the underlying
principles at all.  Click the icon, type in a password, and you are in.

As a Linux user in such an environment, you are probably just going to
need to make PPTP work, find a working L2TP for Linux (hen's teeth last
time I looked) or do something really sneaky like have a machine inside
the protected network make an OUTBOUND connection to you using something
like VTUN in its TCP mode or httptunnel.

This is really one of the reasons Linux has lagged somewhat in wider
adoption. There is more emphasis on technical elegance or
"correctness" than on utility and interoperability with other available
stuff.  The two most useless kinds of software are the ones that are never
released because they are never "perfect" and those that are "perfect" but
require such an understanding of the technology that nobody really uses
it.  The Open Source community produces a "Beta" (as in the old VCR
technology) every month, it seems.  Much more advanced and
technologically superior but only the elite can use it.

In this case there are some clear choices:

1. Convince management to change to SSH and train all the employees how to
use it.

2. Try to make your Linux box work with the existing solution.

3. Try to develop an alternative Linux solution that works and is easy to
use if not the best possible in the technical sense.

Most people are not handling national security information. Unless they
are handling financial data (such as processing credit card numbers or
other account numbers), weak encryption for data transfer is probably
fine.  You are mostly trying to stop people from idly snooping network
traffic for passwords.  Anyone that has already penetrated your net enough
to watch your 40-bit encrypted traffic and decrypt it can probably also
decrypt 128-bit traffic too. You are probably dealing with someone of
substantial means at that point and the only thing you are buying with the
additional encryption is time.  I have also never heard of a single
incident in real life where an outsider penetrated a network, collected
encrypted network traffic, decoded it, and did anything with it.  If they
have penetrated the network, they would probably go after the data
directly on the disks rather than trying to catch the parts that fly
through the ether(net).

Once inside your net, it is easier to grab your password via various SMB
utils from that print server than to try to crack network data encryption.

Your best security is at the door. In most cases, the VPN should be used
for access control to a network that is not accessible by the
public. If the data is so sensitive as to require 1024-bit encryption,
you should probably not be allowing access to it from outside the building
anyway.





