Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] VPN with pptp
  • From: Maarten J H van den Berg <maarten@xxxxxxx>
  • Date: Thu, 13 Jun 2002 12:48:14 +0200
  • Message-id: <02061312481403.29419@itux>
On Thursday 13 June 2002 11:55, Peter van den Heuvel wrote:
> > > > Just because i often read mails like 'we are using a pptp VPN'
> > > > on this list: pptp is horrible weak and should not be used
> > > > to protect critical channels or to authenticate users.
> > > > A paper can be found at
> > > > I know it doesn't help in this case but I hope it helps
> > > > one to decide against pptp :)
> > >
> > > So what do you recommend that people use instead of pptp?
> >
> > Definitely IPsec!
> >
> :>) That's both a matter of both taste and requirements.

Well, sure. But from what I understood IPsec implements the underlying
security mechanisms that are being / will be used by IPv6. Also, it is
widely adopted, not only by Microsoft and Cisco, but in practice by just
about anyone. If you buy a DSL-router that sports VPN support, you can
bet it's based on IPsec. So, standards-wise, you can't go wrong with IPsec.

> > the install script does everything for you; patch the kernel, build &
> > install it :-)
> The less kernel patches required, the better I like it.

The SuSE kernel (binary) IS patched AFAIK. It's just that a new
hand-installed kernel from sources doesn't have IPsec out of the box.
Just like ReiserFS in 2.2 days, and RAID v0.90. If you don't want to
patch your kernel, fine. I, however, have no problems with that.
I don't run custom kernels on my desktops and workstations, but I surely
do on dedicated webservers, firewalls et al. Feel free to disagree though.

> > The configuration is more of a challenge, I just printed out some 120
> > pages of docs and read them very patiently and extensively (Though
> > when it comes to security- critical software you should do this
> > anyway...!!)
> The simpler it is the better I like it (both from a maintenance as well
> as a security point of view). Complex -> much code -> many bugs. Much
> configuration -> much time and many mistakes that are hard to find.

It is not so complex, maybe I went and exaggerated. It's just a bit of
twiddling with firewall scripts to get it going && keep it secure. If you
really like it _simple_ you can always add some rule like
ipchains -A FORWARD -j ACCEPT
but I rather like it 'more complex', hence safer... ;-))

> Also have a look at cipe.
> - It's not a standard (no co-op with Cisco and friends).
> - It's a module without kernel patches.
> - It runs on most Microsoft platforms.
> - It uses UDP for transport (never use TCP for serious tunnelling).
> - It's got one small config file (and even that causes enough problems
> to those who don't know - their networking basics).

Same as with FreeS/WAN...

> - It supports IPTABLES NAT and bridging.
> - There is some version confusion right now (I'm using a snapshot till
> that sorts itself out).
> - It's got a good security track record.
> - I used it for years and am very satisfied.
> So it fits my taste and requirements best. You should have a look
> around and decide for yourself.

Why, of course. Many roads lead to Rome, as they say. :-)

Maarten J. H. van den Berg ~~//~~ network administrator
VBVB - Amsterdam - The Netherlands -
T +31204233288 F +31204233286 G +31651994273
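The accept-all FORWARD one-liner quoted in the mail, beside a default-deny FORWARD policy that only forwards traffic between the LAN and the remote network via the IPsec tunnel interface. This is an added illustration, not part of the thread; it assumes a FreeS/WAN-style tunnel interface ipsec0, a LAN on eth1 (192.168.1.0/24) and a remote VPN net of 10.0.0.0/24, all constructed values, and runs as a dry run (echoing the commands) unless IPCHAINS is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the original mail. Interface and network names
# below are constructed assumptions, not taken from the thread.
# IPCHAINS defaults to "echo ipchains" so the script is a dry run that
# needs neither root nor an ipchains binary; set IPCHAINS=ipchains to apply.
IPCHAINS="${IPCHAINS:-echo ipchains}"
TUN_IF=ipsec0            # assumed FreeS/WAN tunnel interface
LAN_IF=eth1              # assumed inside interface
LAN_NET=192.168.1.0/24   # constructed LAN range
REMOTE_NET=10.0.0.0/24   # constructed remote VPN range

# The "simple" rule from the mail: forwards everything, including cleartext
# traffic that never went through the tunnel.
permissive_forward() {
    $IPCHAINS -A FORWARD -j ACCEPT
}

# Default-deny forwarding. Note that in the ipchains FORWARD chain "-i"
# names the interface the packet will leave on, so LAN->remote traffic
# must leave via the tunnel and remote->LAN traffic via the LAN interface.
# Anything else is denied and logged (-l) so misconfigurations are visible.
restrictive_forward() {
    $IPCHAINS -P FORWARD DENY
    $IPCHAINS -F FORWARD
    $IPCHAINS -A FORWARD -i "$TUN_IF" -s "$LAN_NET" -d "$REMOTE_NET" -j ACCEPT
    $IPCHAINS -A FORWARD -i "$LAN_IF" -s "$REMOTE_NET" -d "$LAN_NET" -j ACCEPT
    $IPCHAINS -A FORWARD -j DENY -l
}

# Count the rules a policy emits that forward unconditionally (no -s/-d/-i).
unconditional_rules() {
    "$1" | grep -c ' -A FORWARD -j ACCEPT$' || true
}

case "${1:-}" in
    permissive)  permissive_forward ;;
    restrictive) restrictive_forward ;;
esac
```

Run as `sh script.sh restrictive` to see the rules it would apply; the dry run prints the ipchains commands instead of executing them.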
