Re: PPTP vs. SSL

Author: George Toft
Date:  
To: Main PLUG discussion list
Subject: Re: PPTP vs. SSL
In a word - no.

Let's assume you are sending a packet with some text via some
application. It gets encrypted, and header/trailer info is added. It
might even get fragmented based on MTU size. At the other end, the
packets get reassembled, unencrypted, and presented to the application.
Since the payload (or data) is encrypted at a higher layer, that
payload remains encrypted in the lower layers.

The reverse is true as well on the other end - once the packets are
reassembled and decrypted, the payload can be read normally. This is
why the VPN endpoint needs to be controlled - once the data is out of
the tunnel, it's fair game to sniff and record.

George Toft, CISSP, MSIS
623-203-1760




jordi laforge wrote:
> Thanks for the information. While I am new to VPNs I do understand the
> concept of how they work. That said I do appreciate all the good info
> you gave and will read those links.
>
> In order to save an email I'd like to include a question I had from one
> of Eric's emails.
> Since SSL vpns work at a higher OSI layer does that mean that the stuff
> at the lower layers is not encrypted? Like mac address and ip address.
> Thanks all for answering my questions. You are most helpful.
>
>
> On 10/21/06, *Kurt Granroth* <mailto:plug-discuss@granroth.org> wrote:
>
>     jordi laforge wrote:
>      > I'm trying to provide a roadwarrior situation. Here is what I'm
>     looking at:
>      > Small 8-12 user lan.
>      > 4-5 of these users have home pc's(Windows) that they'd like to use to
>      > connect to the
>      > office and use the file server\ email\ databases.
>      > The windows file server has PPTP capabilities.
>      >
>      > I could either use the Windows PPTP or setup another server running
>      > Linux with openvpn. Or something else I haven't thought of....but
>     you
>      > guys suggest.
>      > Whaddya think?

>
>     Okay, it sounds like you're not all that familiar with VPNs in general,
>     based on your comments here and in later messages.  I *strongly* suggest
>     doing some quick reading on that topic first before getting into
>     specifics.  The 'howstuffworks' entry on VPNs is not half-bad and the
>     wikipedia page is excellent.

>
>     Here's the very very short summary: A VPN would allow your 'road
>     warriors' to connect to the home office while they are at home or on
>     the
>     road.  The user's remote laptop or desktop would get a special IP that
>     is specific to the VPN through which all traffic to work is 'tunneled'
>     in an encrypted manner.  Done properly, the remote worker would be able
>     to access ALL of the services that she could normally access while in
>     the office... but in a safe and secure manner over the public Internet.

>
>     Now PPTP has the advantage here of being very easy to setup and if you
>     have one of the Windows Servers, then you have half of it already nearly
>     setup.  You would need to get clients for any Linux users, but that's
>     not a problem as I'm fairly certain that there is now "native" support
>     in the kernel.

>
>     HOWEVER, PPTP is considered to be fundamentally broken by some respected
>     cryptographers.  A quote from Bruce Schneier: "Microsoft PPTP is very
>     broken, and there's no real way to fix it without taking the whole
>     thing
>     down and starting over."

>
>     http://www.schneier.com/pptp-faq.html

>
>     OpenVPN is a free solution that has so far been proven to be rock-solid.
>     It is, however, not as easy to setup as PPTP.  In fact, if you want to
>     do anything more than a peer-to-peer setup, you will likely have to do a
>     considerable bit of reading and some configuration file editing.

>
>     Mind you, while the reading is verbose, it's not hard to understand and
>     it shouldn't take more than a few hours to get everything setup.  I'm
>     told, too, that some of the GUIs available make it a lot easier (haven't
>     used any of them) and some of the specialized distros like Smoothwall
>     and IPCop should make it even easier yet.

>
>     Now this is a Linux group so we'll tend to lean towards using Linux
>     based solution for the "server" side.  I'm honor bound to tell you,
>     though, that you don't have to.  OpenVPN is fundamentally a
>     peer-to-peer
>     VPN (with some variances) and works just dandy on Windows.  So you
>     *could* run it as a service on your Windows Server and it would likely
>     chug away just fine.  There is even a handy GUI for it.

>
>     I recommend starting with some reading:

>
>     http://openvpn.net/howto.html
>     http://openvpn.net/INSTALL-win32.html
>     http://openvpn.se/ <http://openvpn.se/>

>
>
>

---------------------------------------------------
PLUG-discuss mailing list -
To subscribe, unsubscribe, or to change you mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss