Re: PPTP vs. SSL

Author: Kurt Granroth
Date:  
To: Main PLUG discussion list
Subject: Re: PPTP vs. SSL
jordi laforge wrote:
> I'm trying to provide a roadwarrior situation. Here is what I'm looking at:
> Small 8-12 user LAN.
> 4-5 of these users have home PCs (Windows) that they'd like to use to
> connect to the office and use the file server\ email\ databases.
> The Windows file server has PPTP capabilities.
>
> I could either use the Windows PPTP or set up another server running
> Linux with openvpn. Or something else I haven't thought of....but you
> guys suggest.
> Whaddya think?


Okay, it sounds like you're not all that familiar with VPNs in general,
based on your comments here and in later messages. I *strongly* suggest
doing some quick reading on that topic first before getting into
specifics. The 'howstuffworks' entry on VPNs is not half-bad and the
Wikipedia page is excellent.

Here's the very very short summary: A VPN would allow your 'road
warriors' to connect to the home office while they are at home or on the
road. The user's remote laptop or desktop would get a special IP that
is specific to the VPN through which all traffic to work is 'tunneled'
in an encrypted manner. Done properly, the remote worker would be able
to access ALL of the services that she could normally access while in
the office... but in a safe and secure manner over the public Internet.

Now PPTP has the advantage here of being very easy to set up and if you
have one of the Windows Servers, then you have half of it already nearly
set up. You would need to get clients for any Linux users, but that's
not a problem as I'm fairly certain that there is now "native" support
in the kernel.

HOWEVER, PPTP is considered to be fundamentally broken by some respected
cryptographers. A quote from Bruce Schneier: "Microsoft PPTP is very
broken, and there's no real way to fix it without taking the whole thing
down and starting over."

http://www.schneier.com/pptp-faq.html

OpenVPN is a free solution that has so far been proven to be rock-solid.
It is, however, not as easy to set up as PPTP. In fact, if you want to
do anything more than a peer-to-peer setup, you will likely have to do a
considerable bit of reading and some configuration file editing.

Mind you, while the reading is verbose, it's not hard to understand and
it shouldn't take more than a few hours to get everything set up. I'm
told, too, that some of the GUIs available make it a lot easier (haven't
used any of them) and some of the specialized distros like Smoothwall
and IPCop should make it even easier yet.

Now this is a Linux group so we'll tend to lean towards using a
Linux-based solution for the "server" side. I'm honor bound to tell you,
though, that you don't have to. OpenVPN is fundamentally a peer-to-peer
VPN (with some variances) and works just dandy on Windows. So you
*could* run it as a service on your Windows Server and it would likely
chug away just fine. There is even a handy GUI for it.

I recommend starting with some reading:

http://openvpn.net/howto.html
http://openvpn.net/INSTALL-win32.html
http://openvpn.se/
---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss