Mailinglist Archive: opensuse-security (499 mails)

Re: [suse-security] VPN with pptp
  • From: Peter van den Heuvel <peter@xxxxxxxxxxxxxxxx>
  • Date: Thu, 13 Jun 2002 11:55:38 +0200
  • Message-id: <3D086C1A.BB58CF47@xxxxxxxxxxxxxxxx>
> > > Just because I often read mails like 'we are using a pptp VPN'
> > > on this list: pptp is horribly weak and should not be used
> > > to protect critical channels or to authenticate users.
> > > A paper can be found at http://stealth.7350.org/chap.pdf.
> > > I know it doesn't help in this case but I hope it helps
> > > one to decide against pptp :)

> > So what do u recommend that people use instead of pptp

> Definitely IPsec!
:>) That's a matter of both taste and requirements.

> the install script does everything for you; patch the kernel, build & install it :-)
The fewer kernel patches required, the better I like it.

> The configuration is more of a challenge, I just printed out some 120
> pages of docs and read them very patiently and extensively (Though when
> it comes to security-critical software you should do this anyway...!!)
The simpler it is the better I like it (both from a maintenance as well
as a security point of view). Complex -> much code -> many bugs. Much
configuration -> much time and many mistakes that are hard to find.

Also have a look at cipe.
- It's not a standard (no co-op with Cisco and friends).
- It's a module without kernel patches.
- It runs on most Microsoft platforms.
- It uses UDP for transport (never use TCP for serious tunnelling).
- It's got one small config file (and even that causes enough problems
to those who don't know their networking basics).
- It supports IPTABLES NAT and bridging.
- There is some version confusion right now (I'm using a snapshot till
that sorts itself out).
- It's got a good security track record.
- I used it for years and am very satisfied.

So it fits my taste and requirements best. You should have a look around
and decide for yourself.

Peter
