to 4 Terabytes and the ability to scan live off the air using a Wireless LAN card and a regular sniffer in Microsoft Windows. As a result, Wireless LAN hotspots have just become deadly to PPTP authentication, and those who use PPTP to substitute for real Datalink layer Wireless LAN security aren't spared either and are wide open to password cracking. When Joshua Wright reported this to Microsoft's official security response team, Microsoft gave this official response:

1. Implement and enforce a strong password policy.
2. If users wish to continue using PPTP, they should employ EAP-TLS authentication instead of the default MSCHAPv2 authentication mechanism.
3. Switch to an L2TP/IPSEC based VPN.

Here is my assessment and recommendations on this advice:
The problem with the first recommendation is that strong passwords are rarely implemented in reality and are very difficult for the users to use. The fact that the users will probably end up writing their passwords down in a convenient place will probably do more harm than good. Bill Gates is absolutely right when he says "the password is dead".
As for using EAP-TLS authentication with PPTP, this is a strong solution and it will protect weak passwords during PPTP authentication. However, implementing EAP-TLS authentication with Microsoft PPTP requires server-side "Computer Certificates" and it requires client-side "User Certificates". Automatically deploying "Computer Certificates" on a Microsoft Windows 2000 or 2003 Active Directory based network is relatively simple, but "User Certificates" aren't so simple. You have to have a Windows 2003 Enterprise Edition server to support automatic "User Certificate" enrollment.
Converting to an L2TP/IPSEC based VPN is probably the best advice here, and you would be using standards based IPSEC 3DES encryption. Since L2TP only requires "Computer Certificates" on both the Server and Client, the Certificates can be automatically deployed by Windows 2000 or Windows 2003 Standard Edition shops. Note that in order for an L2TP VPN to be practical, you must have Microsoft's latest NAT-T capable VPN client, which is freely available for all versions of Windows. Windows XP SP2 has a built-in NAT-T client, but it is partially crippled by default, and this is explained in an earlier story. You can fix it if you read this Knowledge Base article. For more information on Microsoft's L2TP and Digital Certificates, you can go here and here.

Unrelated to Microsoft, there are many firewall appliances and Open Source projects that use PPTP with MSCHAPv2 authentication. For those organizations that fit into this category, the recommendation is the same and they should switch to an L2TP/IPSEC VPN solution. Fortunately for them, L2TP and Digital Certificates are fully supported by Open Source. You can get some good information on Open Source L2TP implementations here.
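The following PowerShell is an added illustration of the third recommendation on a Windows client; it is not from the article and not Microsoft's guidance. It assumes the VpnClient module (Get-VpnConnection / Add-VpnConnection, available on Windows 8 / Server 2012 and later, so newer than the Windows XP and 2003 systems discussed above) and a hypothetical VPN server name vpn.example.com. It first audits the existing profiles for PPTP, then shows the weak PPTP/MSCHAPv2 profile beside an L2TP/IPsec replacement that authenticates the IPsec layer with the computer certificate.

```powershell
# Added example (not from the article): audit Windows VPN client profiles and
# replace a PPTP/MS-CHAPv2 profile with an L2TP/IPsec profile that uses the
# machine certificate. Assumes the VpnClient module (Windows 8 / Server 2012+)
# and a hypothetical server name, vpn.example.com.

# 1. Audit: flag every profile that still tunnels over PPTP (its MS-CHAPv2
#    exchange is visible to anyone sniffing the hotspot) and every L2TP profile
#    that authenticates IPsec with a pre-shared key instead of a certificate.
$profiles = Get-VpnConnection -ErrorAction SilentlyContinue
foreach ($p in $profiles) {
    if ($p.TunnelType -eq 'Pptp') {
        Write-Warning ("{0}: PPTP with {1}; PPP authentication is exposed on the wire" -f `
            $p.Name, ($p.AuthenticationMethod -join ','))
    }
    elseif ($p.TunnelType -eq 'L2tp' -and $p.L2tpIPsecAuth -ne 'Certificate') {
        Write-Warning ("{0}: L2TP/IPsec uses a pre-shared key; prefer computer certificates" -f $p.Name)
    }
    else {
        Write-Output ("{0}: {1} ({2}) acceptable" -f $p.Name, $p.TunnelType, $p.L2tpIPsecAuth)
    }
}

# 2. The weak profile, shown only for comparison: PPTP carries the MS-CHAPv2
#    challenge/response unprotected.
#    Add-VpnConnection -Name 'Corp-PPTP' -ServerAddress 'vpn.example.com' `
#        -TunnelType Pptp -AuthenticationMethod MSChapv2

# 3. The replacement: an L2TP tunnel. Omitting -L2tpPsk makes the IPsec layer
#    authenticate with the computer certificate, which must already be enrolled
#    on both client and server (for example by Active Directory auto-enrollment).
#    MS-CHAPv2 remains the PPP user authentication, but now runs inside IPsec,
#    so a hotspot sniffer never sees the challenge/response.
Add-VpnConnection -Name 'Corp-L2TP' -ServerAddress 'vpn.example.com' `
    -TunnelType L2tp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

# 4. Confirm the new profile authenticates IPsec with a certificate.
Get-VpnConnection -Name 'Corp-L2TP' | Select-Object Name, TunnelType, L2tpIPsecAuth, AuthenticationMethod
```

Run the audit half first on a few representative machines; a large number of PPTP profiles is the sign that users have been relying on PPTP in place of real Wireless LAN security. The replacement profile still needs the NAT-T capable client described above whenever the client or server sits behind NAT.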
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
PPTP VPN authentication protocol proven very susceptible to attack | George Ou | ZDNet | 9/14/2008 | http://blogs.zdnet.com/Ou/index.php?p=21