Re: VPN
Adam Tauno Williams wrote:
> Security of the connection is irrelevant if either
> end can be compromised, I do not think this is actually
> a "VPN" problem.
Yes, but some VPN solutions can be directly hacked. Microsoft's
PPTP implementation is one such encrypted tunneling that can be
circumvented without much effort in a "brute force" method -- e.g.,
its lack of use of any primes, its fixed packet sizes, and several
other details. Even better is its inability to even detect a
"man-in-the-middle" attack as it does NOT do any key checking before
attaching to the host (it blindly trusts the route and target IP as
authentic).
> Agree, IPSec is a pain to work with. My solution: don't use IPSec
I have been meaning to fart with some of the international Linux
kernels and patches that add IPSec right into the kernel. I know
the SmoothWall project was looking to use this so people could do
VoIP encrypted and quite transparently.
> Free Win32 VPN clients (other than those provided with Dial-Up
> Networking) are both rare and lousy.
Yes, and I've used a select set of commercial ones that weren't much
better.
> The URL for PoPToP (the PPTP VPN server for Linux) is:
> http://poptop.lineo.com/
> This service is VERY solid, I have had one running for >420 days.
> The PPTP Linux client is at:
> http://www.scooter.cx/alpha/pptp.html
> http://cag.lcs.mit.edu/~cananian/Projects/PPTP/
The Linux PoPToP implementation *IS* very secure and capable between
Linux clients and Linux servers. Unfortunately, connecting a
Windows "Virtual Private Networking Adapter" client to the same
server brings its compromising features to the server.
> A FAQ about the security of PPTP is found at:
> http://www.counterpane.com/pptp-faq.html
> It is also discussed at:
> http://kubarb.phsx.ukans.edu/~tbird/vpn/FAQ.html
> PPTP is NOT the ultimate in VPN technology, it basically
> adds a PITA factor to someone wanting to snag your data.
> The Linux PoPToP server, and recent Win32 PPTP clients
> (> some version of Win98) provide mechanisms to alleviate
> the flaws in PPTP regarding hijacking connections, etc...
Oh, I didn't know that. I would be using 98 SE.
> but PPTP uses the password as a basis for creating the crypto-
> keys,
As I mentioned, poor key generation.
> which means the data stream can be brute forced (with not
> all that much "brute").
Exactomundo!
> Given that Win32 clients (invariably what most people have
> at home) can only manage a PPTP connection and that PoPToP
> can refuse connections that are using small keys and don't
> support periodic key changes (mppe-stateless) I think it is
> reasonable to use for non-sensitive data transport.
So is plain text. ;-PPP
> If you're moving extremely sensitive information don't use
> PPTP. Of course, if you're accessing sensitive information
> via the Internet, WHAT THE HECK ARE YOU DOING USING A WIN32
> CLIENT!!!!
Not me, just a client. You're talking to a 100% Linux guy.
> The VPN server should NOT completely trust VPN'd clients and
> should (via NetFilter/IPChains, etc...) limit access. This is
> the crunchy-on-the-outside-but-chewy-on-the-inside security
> problem: internal networks should have safeguards as well,
> since that is from whence MOST hostile actions originate.
Agreed. But Windows weenies want transparent SMB access.
> Another issue with PPTP, although not security related, is
> that many firewalls/border-routers gag on the GRE (protocol
> 47) packets used by PPTP for session management. This
> includes Linux (unless patched) and MANY commercial products.
> The same is true for some versions of IPSec, although for
> reasons other than GRE (see the mail archives).
Been there, seen that.
> Agree SMB/CIFS is hopelessly insecure. Look at my Samba
> Nitty Gritty presentation. The protocol is simply far too
> bloated and complex to trust, and servers have to support
> multiple versions to work-with down-grade clients which means
> that any purported security improvements are irrelevant
> unless you have draconian control over who/what ethernet
> -jacks into your network. And what sys-admin has that?
> Certainly not me. Management invariably thinks that it is
> cool for a consultant/sales-flunky to be able to walk into
> a conference room, plug in, and via dhcp be on the Internet
> in <30 seconds.
That's why I run a Linux-based DHCP server and MAC address
everything. Of course, most of my traffic is still in clear-text.
As far as SSH, I have tunneled NFS over it. NFS Windows clients are
$149 c/o Microsoft's Services For UNIX (SFU) product -- which is a
license of various things from other vendors. The NFS client/server
is the AccessNFS product from Intergraph/Sun. Piss poor server,
tolerable client. Hummingbird's MaestroNFS (formerly from
Beam&Whiteside) is much more capable, flexible (e.g., NIS-aware) and
GUI-friendly, but it uses proprietary locking that takes issue with
most lockd's (basically, if you use Hummingbird, don't use Samba on
any servers they connect to). It's also $300+ though.
> Management: "Security is our number one concern!"
> Translation: "I saw an article in the Wall Street Journal
> about how the New York Times web site was defaced and I
> don't want that to happen to us. What! You mean I have
> to make up a new password EVERY 45 DAYS?!!! That's just
> way too hard"
Actually, I think it is more important to pick a better password in
the first place and only change it every year or so. If you have
your users changing them too often, you just get either variations
of the first one, or simplistic ones or ones they forget (and you
end up leaving a sticky on their monitor with it ;-).
> Win2000 does come with IPSec support? I think. One could
> probably find a VPN service on Linux that would support those.
> Take a look at FreeSWAN:
> http://www.freeswan.org/intro.html
I've said no to Windows 2000 (and stuck with NT 4.0), but I'm
starting to open up. With Samba 2.2 out and other support becoming
available, I may start transitioning to it.
> CIPE is another VPN technology. Take a look at:
> http://sites.inka.de/~W1011/devel/cipe.html
> Maybe VPN-ness would be a good presentation topic?
Always.
-- TheBS
--
Bryan "TheBS" Smith chat:thebs413 @AOL/MSN/Yahoo
Engineer mailto:b.j.smith@ieee.org
********************************************************
"Linux will do for applications what the Internet did to
networks" -- Sam Palmisano, IBM Chief Operating Officer
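
Added example (not part of the original message and not PoPToP's own configuration): a Netfilter ruleset, in iptables-restore format, for the two firewall points raised in the thread. It lets GRE (protocol 47) and the PPTP control channel reach the server, and forwards traffic from tunnelled clients only to an explicit allow-list. The interface names, addresses and allow-list are constructed samples; TCP port 1723 is the standard PPTP control port and is not taken from the thread.

```shell
#!/bin/sh
# Emit a filter table for a PPTP server that accepts the tunnel itself
# but treats every tunnelled client as untrusted by default.
# All values below are constructed samples; adjust before use.

WAN_IF="eth0"    # assumed Internet-facing interface
VPN_IF="ppp+"    # matches ppp0, ppp1, ... created per VPN client
# Constructed allow-list, one "proto dest-ip dest-port" entry per line.
ALLOWED="tcp 192.168.10.20 22
tcp 192.168.10.25 993"

pptp_vpn_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $WAN_IF -p tcp --dport 1723 -j ACCEPT
-A INPUT -i $WAN_IF -p 47 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    # One narrow ACCEPT per allow-list entry; nothing else leaves the tunnel.
    echo "$ALLOWED" | while read -r proto dst port; do
        [ -n "$proto" ] || continue
        echo "-A FORWARD -i $VPN_IF -p $proto -d $dst --dport $port -j ACCEPT"
    done
    # Log, then drop, whatever a VPN client tries beyond the allow-list.
    cat <<EOF
-A FORWARD -i $VPN_IF -j LOG --log-prefix "vpn-denied: "
-A FORWARD -i $VPN_IF -j DROP
COMMIT
EOF
}

# Dry-run check before loading (needs root):
#   pptp_vpn_rules | iptables-restore --test
```

The INPUT policy here is DROP, so add a rule for your own management access before loading it on a remote box.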