Connecting to Microsoft VPN

Nigel Wade nmw at ion.le.ac.uk
Wed May 5 08:41:52 UTC 2004


Christoph Wickert wrote:
> On Tue, 04.05.2004 at 14:43, Gary Stainburn wrote:
> 
>>However, if you search the net, you will find MANY documents telling you why  
>>you should not do this.  PPTP is a VERY insecure method.
>>
> 
> Hey, I never told anybody to use PPTP. In fact, I usually tell people to
> use OpenVPN or IPSec.
> 
> 
>>(Sorry but I can't cite anything specific here as it's a while since I 
>>investigated this stuff - I decided on the more restrictive but more secure 
>>port forwarding over SSH. (Other methods are available. No guarantee is 
>>provided either implied..........you know what I mean)).
> 
> 
> short:
> http://www.schneier.com/pptp.html
> long:
> http://www.schneier.com/paper-pptpv2.html
> 
> Quote:
> "7 Conclusions
> Microsoft has improved PPTP to correct the major security weaknesses
> described in [SM98]. However, the fundamental weakness of the
> authentication and encryption protocol is that it is only as secure as
> the password chosen by the user."
> 
> Ok, it all depends on the password (and not on keys or certs). Now take
> a look at: 
> http://mopo.informatik.uni-freiburg.de/pptp_mschapv2/pptp_mschapv2.html
> 
> Quote:
> "Conclusions
> While testing this software, we used a dictionary of about three
> gigabytes containing about 74 million words. Equipped with this, we were
> able to derive all passwords used in our test network in about four
> hours. 
> 
> It is true that dictionary attacks tend to fail on good passwords, but
> it is enough to have one password to break into a system. The step to
> gaining root access (or doing any other kind of abuse) from there is
> small."
> 
> So I fully agree with you, Gary: Everybody, please do not use pptp. It
> might be sufficient for a dialup with your laptop, but I would not dare
> use it for a production system.
> 
> Christoph
> 
> 

You failed to quote one very important assumption, and missed off a major 
conclusion:

"The next step is to audit a valid authentication. To do this, you need an 
IEEE 802.11b compatible wireless device, available in the computer store of 
your choice. Equipped with this, you can immediately audit all wireless 
network traffic if WEP encryption isn't used."

"With this said, it is clear why we believe Microsoft's PPTP implementation 
isn't suitable for securing wireless networks."

Their analysis and conclusions are only valid for a wireless network 
*without WEP*, or a network where network sniffers can be employed to access 
a valid authentication sequence and obtain a suitable challenge/response.


-- 
Nigel Wade, System Administrator, Space Plasma Physics Group,
             University of Leicester, Leicester, LE1 7RH, UK
E-mail :    nmw at ion.le.ac.uk
Phone :     +44 (0)116 2523548, Fax : +44 (0)116 2523555




