[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: VPN

To: members@xxxxxxxxxxxxxxxxxx
Subject: Re: VPN
From: Adam Tauno Williams <adam@xxxxxxxxxxxxxxxx>
Date: Mon, 14 May 2001 10:32:59 -0400 (EDT)
In-Reply-To: <3AFD577E.8D5D0C26@ieee.org>
References: <004d01c0da94$4ea90a90$4601a8c0@Diablo> <3AFCB750.B73B188@ieee.org> <20010512110103.73b88072.awilliam@whitemice.org> <3AFD577E.8D5D0C26@ieee.org>
User-Agent: IMP/PHP IMAP webmail program 2.2.1

>>Security of the connection is irrelevent if either
>>end can be compromised,  I do not think this is actually
>>a "VPN" problem.
>Yes, but some VPN solutions can be directly hacked.  Microsoft's
>PPTP implementation is one such encrypted tunneling that can be
>circumvented without much effort in a "brute force" method -- e.g.,
>it's lack of use of any primes, it's fixed packet sizes, and several
>other details.  Even better is its inability to even detect a
>"man-in-the-middle" attack as it does NOT do any key checking before
>attaching to the host (it blindly trusts the route and target IP as
>authentic).
>>Agree, IPSec is a pain to work with.  My solution: don't use IPSec
>I have been meaning to fart with some of the international Linux
>kernels and patches that add IPSec right into the kernel.  I know
>the SmoothWall project was looking to use this so people could do
>VoIP encrypted and quite transparently.

For VoIP have you looked at GnoPhone and Asterisk (Open Source PBX)?  Hardware 
support is a little sparse,  but then hardware to do that is still pretty rare.
 
>>Free Win32 VPN clients (other than those provided with Dial-Up
>>Networking) are both rare and lousy.
>Yes, and I've used a select set of commercial ones that weren't much
>better.
>>The URL for PoPToP (the PPTP VPN server for Linux) is:
>>http://poptop.lineo.com/
>>This service is VERY solid,  I have a had one running for >420 days.
>>The PPTP Linux client is at:
>>http://www.scooter.cx/alpha/pptp.html
>>http://cag.lcs.mit.edu/~cananian/Projects/PPTP/
>The Linux PoPToP implemention *IS* very secure and capable between
>Linux clients and Linux servers.  Unfortunately, connecting a
>Windows "Virtual Private Networking Adapter" client to the same
>server brings its compromising features to the server.
>>A FAQ about the security of PPTP is found at:
>>http://www.counterpane.com/pptp-faq.html
>>It is also discussed at:
>>http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html
>>PPTP is NOT the ultimate in VPN technology,  it basically
>>adds a PITA factor to someone wanting to snag your data.
>>The Linux PoPToP server, and recent Win32 PPTP clients
>>(> some version of Win98) provide mechanism to alleviate
>>the flaws in PPTP regarding high-jacking connections, etc...
>Oh, I didn't know that.  I would be using 98 SE.

I said "alleviate" not "fix",  same as "treatment" vs. "cure".  The stateless 
(mppe) keys do make it quite difficult to do a man in the middle.

>>but PPTP uses the password as a basis for creating the crypto-
>>keys,
>As I mentioned, poor key generation.
>>which means the data stream can be brute forces (with not
>>all that much "brute").
>Exactomundo!
>>Given that Win32 clients (invariably what most people have
>>at home) can only manage a PPTP connection and that PoPToP
>>can refuse connections that are using small keys and don't
>>support periodic key changes (mppe-stateless) I think it is
>>reasonable to use for non-sensitive data transport.
>So is plain text.  ;-PPP

I think even the most trivial encryption is much better than plain text,  
because it requires more than a simple RPM of ethereal.  Someone then has to 
WANT the data,  they can't stumble onto it.  The content of something like a 
telnet connection basically jumps into the lap of anyone using a packet sniffer.

>>If your moving extremely sensitive information don't use
>>PPTP.  Of course,  if your accessing sensitive information
>>via the Internet,  WHAT THE HECK ARE YOU DOING USING A WIN32
>>CLIENT!!!!
>Not me, just a client.  You're talking to a 100% Linux guy.
>>The VPN server should NOT completely trust VPN'd clients and
>>should (via NetFilter/IPChains, etc...) limit access.  This is
>>the crunchy-on-the-outside-but-chewy-on-the-inside security
>>problem:  internal networks should have safeguards as well,
>>since that is from whence MOST hostile actions originate.
>Agreed.  But Windows wennies want transparent SMB access.

Yep.

>>Another issue with PPTP, although not secuerity realted, is
>>that many firewalls/border-routers gag on the GRE (protocol
>>47) packets used by PPTP for session management.  This
>>includes Linux (unless patched) and MANY commerical products.
>>The same is true for some versions of IPSec,  although for
>>reasons other than GRE (see the mail archives).
>Been there, seen that.
>>Agree SMB/CIFS is hopelessly insecure.  Look at my Samba
>>Nitty Gritty presentation.  The protocol is simply far to
>>bloated and complex to trust,  and servers have to support
>>multiple version to work-with down-grade clients which means
>>that any purported security improvements are irrelevent
>>unless you have draconian control over who/what ethernet
>>-jacks into your network.  And what sys-admin has that?
>>Certainly not me.  Management invariably thinks that it is
>>cool for a consultant/sales-flunky to be able to want into
>>a conference room,  plug in, and via dhcp be on the Internet
>>in <30 seconds.
>That's why I run a Linux-based DHCP server and MAC address
>everything.  Of course, most of my traffic is still in clear-text.

So do you create an entry in dhcpd.conf for every NIC?  Or is there a more 
intelligent way to do it.  How do you handle machines that rove between subnets?
 
>As far as SSH, I have tunneled NFS over it.  NFS Windows clients are
>$149 c/o Microsoft's Services For UNIX (SFU) product -- which is a
>license of various things from other vendors.  The NFS client/server
>is the AccessNFS product from Intergraph/Sun.  Piss poor server,
>tolerable client.  Hummingbird's MaestroNFS (formerly from
>Beam&Whiteside) is much more capable, flexible (e.g., NIS-aware) and
>GUI-friendly, but it uses proprietary locking that takes issue with
>most lockd's (basically, if you use Hummingbird, don't use Samba on
>any servers they connect to).  It's also $300+ though.
>>Management: "Security is our number one concern!"
>>Translation: "I saw an article in the Wall Street Journal
>>about how the New York Times web site was defaced and I
>>don't want that to happen to us.  What!  You mean I have
>>to make up a new password EVERY 45 DAYS?!!!  Thats just
>>way too hard"
>Actually, I think it is more important to pick a better password in
>the first place and only change it every year or so.  If you have
>your users changing them too often, you just get either variations
>of the first one, or simplistic ones or ones they forget (and you
>end up leaving a sticky on their monitor with it ;-).

They'll put a sticky note on their monitor no matter what.  Since I use Samba 
to handle password changes I can script the back end.  I'm working on a way to 
create a "password pile" so that passwords can't be re-used....ever.

Systems and Network Administrator
Morrison Industries
1825 Monroe Ave NW.
Grand Rapids, MI. 49505

References:
- VPN
  - From: Tj
- Re: VPN
  - From: Bryan J. Smith
- Re: VPN
  - From: Adam Tauno Williams
- Re: VPN
  - From: Bryan J. Smith

Prev by Date: Re: Which external modem should I get
Next by Date: Hello
Prev by thread: Re: VPN
Next by thread: Re: VPN
Index(es):
- Date
- Thread