Pptp VPN Security

Published by rajunair on Mar 26, 2009
Copyright: Attribution Non-commercial

Real World IT
George Ou
December 17th, 2004
PPTP VPN authentication protocol proven very susceptible to attack
Posted by George Ou @ 11:07 am
Later today, Joshua Wright will release an upgraded version of his ultra-high speed password cracking tool called ASLEAP. For those of you already familiar with ASLEAP, you might be wondering what this has to do with Microsoft's PPTP VPN protocol, since ASLEAP is a LEAP authentication dictionary attack tool. Well, that was then and this is now. ASLEAP just added PPTP authentication support so that it can crack PPTP VPN authentication sessions just as easily as it could with LEAP Wireless LAN authentication. The end result is that we have yet another authentication protocol that has outlived its lifespan, and it just goes to show that Bill Gates wasn't kidding when he declared the password dead.

Three months ago, I was trying to explain the difference between PPTP and L2TP VPN to a friend while working on a breaking story on SP2, where Windows XP SP2 broke NAT-T operation in L2TP VPN by default. As I was trying to explain the differences, I noticed how similar PPTP authentication was to LEAP authentication: both relied solely on MSCHAPv2 to protect the user's password. I sent word to Joshua Wright and he immediately said that it would be possible to modify ASLEAP to work on PPTP just as it did on LEAP authentication. Three months later, the code is fully operational and I've had a chance to verify its effectiveness.

ASLEAP was created in 2003 by Joshua Wright to prove that a password based authentication system like Cisco LEAP is not secure because of one glaring weakness: it relies on humans to memorize strong passwords. Eight months later, in mid 2004, after Cisco had a chance to release an updated protocol to LEAP, Joshua released ASLEAP on SourceForge. PPTP is a Microsoft VPN protocol published as an RFC in 1999 for secure remote access. In recent years, it has grown to be used in many Microsoft based networks, firewall appliances, and even pure Linux and Open Source environments.
Strictly speaking, there never was anything technically wrong with the LEAP or PPTP MSCHAPv2 authentication protocols, since they both worked as advertised. Both Cisco and Microsoft warned from the very beginning that strong passwords must be employed when using password based authentication schemes. Unfortunately, strong passwords (or even strong pass phrases) are simply incompatible with most Homo sapiens, and if you force the issue, they will go out of their way to make it easy by writing passwords down on a sticky note and taping it to their monitor. Since strong passwords are rarely implemented in practice, you have a situation where the product simply isn't safe enough to protect us from ourselves. As Bruce Schneier likes to say, "any password you can reasonably expect a user to remember can be brute forced or guessed". ASLEAP just happens to make that point abundantly clear, since it had the ability to scan through a 4 GB pre-computed password hash table at a rate of 45 million passwords a second using a common desktop computer. This new version of ASLEAP not only adds PPTP compatibility, but also extends the maximum database size to 4 Terabytes and adds the ability to scan live off the air using a Wireless LAN card and a regular sniffer in Microsoft Windows.

Page 1 of 3 | PPTP VPN authentication protocol proven very susceptible to attack | George Ou | ZDNet... 9/14/2008 http://blogs.zdnet.com/Ou/index.php?p=21

As a result, Wireless LAN hotspots have just become deadly to PPTP authentication, and those who use PPTP as a substitute for real Datalink layer Wireless LAN security aren't spared either and are wide open to password cracking. When Joshua Wright reported this to Microsoft's official security response team, Microsoft gave this official response:
1. Implement and enforce a strong password policy.
2. If users wish to continue using PPTP, they should employ EAP-TLS authentication instead of the default MSCHAPv2 authentication mechanism.
3. Switch to an L2TP/IPSEC based VPN.

Here is my assessment and recommendations on this advice:
1. The problem with the first recommendation is that strong passwords are rarely implemented in reality and are very difficult for users to use. The fact that users will probably end up writing their passwords down in a convenient place will probably do more harm than good. Bill Gates is absolutely right when he says "the password is dead".

2. As for using EAP-TLS authentication with PPTP, this is a strong solution and it will protect weak passwords during PPTP authentication. However, implementing EAP-TLS authentication with Microsoft PPTP requires server-side "Computer Certificates" and client-side "User Certificates". Automatically deploying "Computer Certificates" on a Microsoft Windows 2000 or 2003 Active Directory based network is relatively simple, but "User Certificates" aren't so simple. You have to have Windows 2003 Enterprise Edition server to support automatic "User Certificate" enrollment.

3. Converting to an L2TP/IPSEC base is probably the best advice here, and you would be using standards based IPSEC 3DES encryption. Since L2TP only requires "Computer Certificates" on both the Server and Client, the Certificates can be automatically deployed by Windows 2000 or Windows 2003 Standard Edition shops. Note that in order for L2TP VPN to be practical, you must have Microsoft's latest NAT-T capable VPN client, freely available for all versions of Windows. Windows XP SP2 has a built-in NAT-T client, but it is partially crippled by default, and this is explained in an earlier story. You can fix it if you read this Knowledge Base article. For more information on Microsoft's L2TP and Digital Certificates, you can go here and here.

Unrelated to Microsoft, there are many firewall appliances and Open Source projects that use PPTP with MSCHAPv2 authentication. For those organizations that fit into this category, the recommendation is the same: they should switch to an L2TP/IPSEC VPN solution. Fortunately for them, L2TP and Digital Certificates are fully supported by Open Source. You can get some good information on Open Source L2TP implementations here.
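To put Microsoft's first recommendation (a strong password policy) against the 45 million passwords per second the article quotes, here is an added illustration that is not from the article or from ASLEAP: it computes the worst-case time to exhaust several password policies at that rate and the shortest length each character set needs to hold out for a year. The policy labels, the one-year target and the rate constant's name are assumptions made for this example.

```python
# Added illustration (not from the article or from ASLEAP): worst-case time to
# exhaust a password policy offline at the 45 million candidates per second the
# article quotes, and the shortest length each character set needs to survive
# a given number of years. Policy labels and the one-year target are assumptions.

SECONDS_PER_YEAR = 365.25 * 86400
ASLEAP_RATE_PER_SEC = 45_000_000  # rate quoted in the article for a common desktop

# Character-set sizes for a few common password policies (assumed labels).
CHARSETS = {
    "digits only": 10,
    "lowercase letters": 26,
    "mixed-case letters and digits": 62,
    "all printable ASCII": 95,
}


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates a brute-force attack must try in the worst case."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int,
                       rate: int = ASLEAP_RATE_PER_SEC) -> float:
    """Worst-case seconds to try every password of this policy at `rate`."""
    return keyspace(charset_size, length) / rate


def min_length_for(charset_size: int, target_years: float,
                   rate: int = ASLEAP_RATE_PER_SEC) -> int:
    """Shortest length whose worst-case exhaustion takes at least target_years."""
    length = 1
    while seconds_to_exhaust(charset_size, length, rate) < target_years * SECONDS_PER_YEAR:
        length += 1
    return length


def policy_report(length: int, rate: int = ASLEAP_RATE_PER_SEC) -> dict:
    """Map each policy name to its worst-case exhaustion time in years at `length`."""
    return {name: seconds_to_exhaust(size, length, rate) / SECONDS_PER_YEAR
            for name, size in CHARSETS.items()}


if __name__ == "__main__":
    for name, years in policy_report(8).items():
        print(f"{name:32s} 8 chars: {years:12.4f} years worst case")
    for name, size in CHARSETS.items():
        print(f"{name:32s} needs {min_length_for(size, 1.0)} chars to last a year")
    # Caveat the article makes: these figures assume passwords chosen uniformly
    # at random. A password taken from a wordlist falls in a fraction of a second
    # regardless of the policy, which is exactly what a dictionary attack exploits.
```

An 8-character lowercase password is exhausted in a little over an hour at this rate, while the same length over all printable ASCII lasts a few years; the dictionary caveat in the code is why the article still calls the policy advice insufficient.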
George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.