- Posts: 12
- Thank you received: 0
is Windows 2000 PPTP & L2TP secure
19 years 5 months ago #8749
by Lexion
is Windows 2000 PPTP & L2TP secure was created by Lexion
We are just installing a new VPN solution and was going to look at using the windows client. We have a lot of windows 2000 clients and windows XP clients but the majority are windows 200.
When the the engineer from the company we purchased the box off came to install it he recommended that we use an IPSec client rather than the one that comes as part of windows. When I asked why he said IPSec is more secure but I could not get much more than that from him.
So I went looking on Goggle for some info about L2TP and PPTP and all I can seem to find is LOTS of guides on how to configure it but nothing that would give me any clues as to why IPSec is more secure and what possible pitfalls we may have if we chose to use the windows client.
Do any of you know of some sites where I can make an informed decision on using windows or looking for an IPSec client.
When the the engineer from the company we purchased the box off came to install it he recommended that we use an IPSec client rather than the one that comes as part of windows. When I asked why he said IPSec is more secure but I could not get much more than that from him.
So I went looking on Goggle for some info about L2TP and PPTP and all I can seem to find is LOTS of guides on how to configure it but nothing that would give me any clues as to why IPSec is more secure and what possible pitfalls we may have if we chose to use the windows client.
Do any of you know of some sites where I can make an informed decision on using windows or looking for an IPSec client.
19 years 5 months ago #8750
by DaLight
Replied by DaLight on topic Re: is Windows 2000 PPTP & L2TP secure
I looked into this a while ago when I was looking to implement a means of logging into remote sites. I settled for SSH, but here a few points about L2TP, PPTP.
1. In Windows 2K/XP, L2TP actually runs over IPSEC.
2. L2TP is more secure than PPTP as encryption only starts in PPTP after PPP authentication is completed.
3. L2TP requires computer-based certificates in addition to password-based authentication. You could use pre-shared keys instead, but that has its associated maintenance and security issues.
4. L2TP can not be used behind NAT without the application of a patch to windows clients apart from XP SP2.
Like with all security issues, it basically boils down to your "paranoia index". Mine's quite high and I prefer to use certificate based SSH as opposed to VPNs, although a PPTP based VPN could be appropriate for many applications.
1. In Windows 2K/XP, L2TP actually runs over IPSEC.
2. L2TP is more secure than PPTP as encryption only starts in PPTP after PPP authentication is completed.
3. L2TP requires computer-based certificates in addition to password-based authentication. You could use pre-shared keys instead, but that has its associated maintenance and security issues.
4. L2TP can not be used behind NAT without the application of a patch to windows clients apart from XP SP2.
Like with all security issues, it basically boils down to your "paranoia index". Mine's quite high and I prefer to use certificate based SSH as opposed to VPNs, although a PPTP based VPN could be appropriate for many applications.
19 years 5 months ago #8758
by TheBishop
I can confirm that Dalight is almost as paranoid as I am.
As I understand it, PPTP and L2TP are protocols which support the negotiation and establishment of the VPN tunnel, with L2TP being the newer and more sohisticated of the two. Once the tunnel is up, you can use encryption over PPTP/L2TP as Dalight has described but the point is that it's optional encryption - you can have a "secure" tunnel with no encryption on it if you want. This sounds insane, but read on. IPSec by contrast is a traffic encryption system that also provides authentication of the endpoints (the sender is really who they claim to be), but doesn't really support the tunnel setup which is why you often find L2TP with IPSec over the top. The main advantages of IPSec over the native encryption regimes provided by PPTP and L2TP is the endpoint authentication which protects against "man in the middle" and replay attacks, and the fact that the encryption used is newer and so persumably stronger. The downside is that compared to the others it can be a dog to configure and get working, particularly if you try to use the native Microsoft implementations
As I understand it, PPTP and L2TP are protocols which support the negotiation and establishment of the VPN tunnel, with L2TP being the newer and more sohisticated of the two. Once the tunnel is up, you can use encryption over PPTP/L2TP as Dalight has described but the point is that it's optional encryption - you can have a "secure" tunnel with no encryption on it if you want. This sounds insane, but read on. IPSec by contrast is a traffic encryption system that also provides authentication of the endpoints (the sender is really who they claim to be), but doesn't really support the tunnel setup which is why you often find L2TP with IPSec over the top. The main advantages of IPSec over the native encryption regimes provided by PPTP and L2TP is the endpoint authentication which protects against "man in the middle" and replay attacks, and the fact that the encryption used is newer and so persumably stronger. The downside is that compared to the others it can be a dog to configure and get working, particularly if you try to use the native Microsoft implementations
19 years 4 months ago #8848
by Lexion
Replied by Lexion on topic Re: is Windows 2000 PPTP & L2TP secure
Thanks for the replys we are now looking at using L2TP over IPsec, the fun we are having getting it all to work.
19 years 4 months ago #9018
by denu
Hey Bishop,
I read your reply for L2TP/PPTP Tunneling. I have deep interest in this technologies. I would like to know whether you have got some eBook or some material explaining the entire working of these technologies?
If you can provide me with the same then, I would be obliged.
Thanks in advance,
denu
I read your reply for L2TP/PPTP Tunneling. I have deep interest in this technologies. I would like to know whether you have got some eBook or some material explaining the entire working of these technologies?
If you can provide me with the same then, I would be obliged.
Thanks in advance,
denu
19 years 4 months ago #9023
by TheBishop
Hi denu
As you've probably discovered it is difficult to find a single book or resource that properly covers these areas. I did a lot of searching on the internet and found many articles, none of which fully explained everything. But as you keep reading, like a jigsaw puzzle the pieces begin to fall in to place
Here are a few to get you started:
www.microsoft.com/seminar/shared/asp/vie...30TESSD/manifest.xml
www.microsoft.com/windows2000/technologi...s/vpn/redir-PPTP.asp
www.microsoft.com/windows2000/technologi...ableguytraversal.asp
www.microsoft.com/windows2000/technologi.../redir-tunneling.asp
www.microsoft.com/windows2000/technologi...edir-vpnsecurity.asp
www.microsoft.com/windows2000/technologi...vpn/redir-pptpwp.asp
www.microsoft.com/windows2000/techinfo/h...cess/vpnoverview.asp
As you've probably discovered it is difficult to find a single book or resource that properly covers these areas. I did a lot of searching on the internet and found many articles, none of which fully explained everything. But as you keep reading, like a jigsaw puzzle the pieces begin to fall in to place
Here are a few to get you started:
www.microsoft.com/seminar/shared/asp/vie...30TESSD/manifest.xml
www.microsoft.com/windows2000/technologi...s/vpn/redir-PPTP.asp
www.microsoft.com/windows2000/technologi...ableguytraversal.asp
www.microsoft.com/windows2000/technologi.../redir-tunneling.asp
www.microsoft.com/windows2000/technologi...edir-vpnsecurity.asp
www.microsoft.com/windows2000/technologi...vpn/redir-pptpwp.asp
www.microsoft.com/windows2000/techinfo/h...cess/vpnoverview.asp
Time to create page: 0.131 seconds