Re: VPN
>>how do i set up a vpn with madrake and 98 se over cable/dial up
>>and if so can there be more then one ip hooked up to the vpn if
>>the host is cable
>The term "VPN" (virtual private network) is an _extremely_generic_
>and _arbitrary_ term. There are endless ways to setup a "VPN", some
>secure, some not -- many with a sense of "false security" as even
Agree.
>Microsoft itself has found out (a home user connected to its network
>with a VPN solution and the XP code was swiped as the home user's
>system had been compromised).
Security of the connection is irrelevant if either end can be compromised, I do not think this is actually a "VPN" problem.
>And even though there is an IETF "standard" for VPN, IPSec, it is
>still not complete. As such, an endless number of vendor-standards
>have emerged.
Agree, IPSec is a pain to work with. My solution: don't use IPSec
>The most popular is CheckPoint's Firewall-1 solution. CheckPoint is
>a software-only solutions company so they can be neutral. There are
>some free/OSS CheckPoint-compatible servers/clients now for Linux.
>Unfortunately, I do not know of a free client for Windows.
Free Win32 VPN clients (other than those provided with Dial-Up Networking) are both rare and lousy.
>Microsoft includes a "Virtual Private Networking Adapter" under
>Networking in newer Windows versions. This is known as Microsoft's
>PPTP (point-to-point tunnel protocol). I know many companies using
>this protocol, and most people just blindly used it as it is
>included with Windows. There is even a pptp server daemon for Linux
>(as well as client), and a modified ppp daemon that adds Windows
>compatibility.
The URL for PoPToP (the PPTP VPN server for Linux) is:
http://poptop.lineo.com/
This service is VERY solid, I have had one running for >420 days.
The PPTP Linux client is at:
http://www.scooter.cx/alpha/pptp.html
http://cag.lcs.mit.edu/~cananian/Projects/PPTP/
These work well under 2.2.x kernels. 2.4.x kernel users (including me) have experienced some pain, but more recent versions claim to fix this. I have not yet tried the solution.
>Unfortunately, MS' PPTP implementation is _easily_compromised_.
>From the lack of random seed (not even poor primes -- I mean it does
>*NOT* do random seeding at all!), to predictable packet sizes and
>organization, PPTP is barely better than doing things in clear
>text. I'm currently arguing with a client _against_ using PPTP.
A FAQ about the security of PPTP is found at:
http://www.counterpane.com/pptp-faq.html
It is also discussed at:
http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html
PPTP is NOT the ultimate in VPN technology, it basically adds a PITA factor to someone wanting to snag your data. The Linux PoPToP server, and recent Win32 PPTP clients (> some version of Win98) provide mechanisms to alleviate the flaws in PPTP regarding hijacking connections, etc... but PPTP uses the password as a basis for creating the crypto-keys, which means the data stream can be brute forced (with not all that much "brute"). Given that Win32 clients (invariably what most people have at home) can only manage a PPTP connection and that PoPToP can refuse connections that are using small keys and don't support periodic key changes (mppe-stateless) I think it is reasonable to use for non-sensitive data transport. If you're moving extremely sensitive information don't use PPTP. Of course, if you're accessing sensitive information via the Internet, WHAT THE HECK ARE YOU DOING USING A WIN32 CLIENT!!!!
>In general, I do *NOT* like VPNs -- the Microsoft XP source swipe is
>a perfect example. If one node in the whole net is compromised,
>everything is.
The VPN server should NOT completely trust VPN'd clients and should (via NetFilter/IPChains, etc...) limit access. This is the crunchy-on-the-outside-but-chewy-on-the-inside security problem: internal networks should have safeguards as well, since that is from whence MOST hostile actions originate.
Another issue with PPTP, although not security related, is that many firewalls/border-routers gag on the GRE (protocol 47) packets used by PPTP for session management. This includes Linux (unless patched) and MANY commercial products. The same is true for some versions of IPSec, although for reasons other than GRE (see the mail archives).
>I prefer to use SSH (secure shell) and tunnel only
>select ports. VNC, SMTP/POP3/IMAP4, even NFS ... although SMB (aka
>"Windows Networking") does not tunnel over SSH. But I wouldn't want
>to tunnel SMB anyway as that would expose my LAN to the numerous SMB
>worms that currently affect many Windows users without their knowing
>(and are harmless in standalone, LAN-less homes).
Agree SMB/CIFS is hopelessly insecure. Look at my Samba Nitty Gritty presentation. The protocol is simply far too bloated and complex to trust, and servers have to support multiple versions to work with down-grade clients, which means that any purported security improvements are irrelevant unless you have draconian control over who/what ethernet-jacks into your network. And what sys-admin has that? Certainly not me. Management invariably thinks that it is cool for a consultant/sales-flunky to be able to walk into a conference room, plug in, and via dhcp be on the Internet in <30 seconds.
Management: "Security is our number one concern!"
Translation: "I saw an article in the Wall Street Journal about how the New York Times web site was defaced and I don't want that to happen to us. What! You mean I have to make up a new password EVERY 45 DAYS?!!! That's just way too hard"
>If you want to discuss this more, you need to let us know _exactly_
>what you need to do. That way I'll know what you need and what your
>options are.
Win2000 does come with IPSec support? I think. One could probably find a VPN service on Linux that would support those. Take a look at FreeSWAN:
http://www.freeswan.org/intro.html
CIPE is another VPN technology. Take a look at:
http://sites.inka.de/~W1011/devel/cipe.html
Maybe VPN-ness would be a good presentation topic?
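As an added example (not part of this list post), here is the kind of netfilter/iptables ruleset a PoPToP host could run: it admits PPTP's control connection (TCP/1723) and GRE (IP protocol 47) at the border so the firewall does not "gag" on them, and it treats ppp+ clients as untrusted, allowing only mail to one internal host. The interface name, the mail host address and the chosen services are assumptions; the IPT variable lets you dry-run the rules with IPT=echo.

```shell
#!/bin/sh
# Added example, not from the list post. Names below are assumptions:
# eth0 is the Internet-facing interface and 192.168.1.10 is a
# constructed address for the internal mail host.
IPT="${IPT:-iptables}"                  # set IPT=echo to print rules instead
EXT_IF="${EXT_IF:-eth0}"
MAIL_HOST="${MAIL_HOST:-192.168.1.10}"

# Border rules: PPTP needs TCP/1723 for session control and GRE
# (protocol 47) for the tunnel itself; filters that drop GRE are the
# usual reason PPTP fails through a firewall.
pptp_border_rules() {
  "$IPT" -A INPUT -i "$EXT_IF" -p tcp --dport 1723 -j ACCEPT
  "$IPT" -A INPUT -i "$EXT_IF" -p 47 -j ACCEPT
}

# Client rules: a VPN'd host is not a trusted LAN host. Only SMTP,
# POP3 and IMAP4 to the mail host are forwarded, replies are allowed
# back, and anything else arriving on a ppp+ interface is logged and
# dropped (crunchy outside, but not chewy inside).
pptp_client_rules() {
  "$IPT" -A FORWARD -i ppp+ -d "$MAIL_HOST" -p tcp \
         -m multiport --dports 25,110,143 -j ACCEPT
  "$IPT" -A FORWARD -o ppp+ -m state --state ESTABLISHED,RELATED -j ACCEPT
  "$IPT" -A FORWARD -i ppp+ -j LOG --log-prefix "vpn-client-denied: "
  "$IPT" -A FORWARD -i ppp+ -j DROP
}

# Dry-run helper: count the rules the two functions would install.
rule_count() {
  ( IPT=echo; pptp_border_rules; pptp_client_rules ) | wc -l | tr -d ' '
}
```

Source the file and call both functions as root to install the rules; with IPT=echo in the environment they only print.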