Koozali.org: home of the SME Server

VPN PPTP Security

Cyrus Bharda

VPN PPTP Security
« on: July 15, 2003, 07:50:45 AM »
Howdy all,

I have just started to use PPTP to allow a VPN connection for some of my employees to access work's network from home via a VPN connection.

Problem is that I do not really know much about how it works or how secure it is.

Now before I started toying with the SME using it for PPTP connections I asked a couple of companies to quote on how much it would cost to set this all up, the cheapest I got was AU$270 per month for 10 VPN connections!

My worry was that if it is so expensive to set up and maintain, why was it so easy for me to set it up myself using SME? Is PPTP not secure? Does PPTP with SME not allow certain types of connections/services/???

How does one set the encryption type for the connection, eg CHAP/etc?

Basically, because of the lack of documentation of the PPTP VPN security that is standard in SME, my boss is actually considering dropping SME and applying one of these freaking expensive solutions, "Well, it's got to be good if it costs so much!" type attitudes.

Unfortunately I do not think the same way; if we can do VPN without costing a cent, and it provides the same level of service, more or less, then why pay for it?

I just need some reassurance that using the SME is just as good, if not better, than using another form of VPN solution, but I find a lack of evidence to prove that!

I have read:

http://forums.contribs.org/index.php?topic=17739.msg69364#msg69364
http://www.microsoft.com/ntserver/support/faqs/VPNSec_FAQ.asp

Does ticking that one little checkbox "Require data encryption" mean that it is a secure connection?

This quote from here worries me a bit:

http://www.nwfusion.com/news/tech/0531tech.html

> When it comes to strong encryption and data integrity, IPSec is generally regarded as superior. The protocol combines key management with support for X.509 certificates, information integrity and content security. Furthermore, 168-bit Triple-DES encryption, the strongest form of encryption available in IPSec, is more secure than 128-bit RC4 encryption. IPSec also provides packet-by-packet encryption and authentication and prevents the "man-in-the-middle attack," in which data is intercepted by a third party, reconstructed and sent to the receiver.
>
> PPTP, however, is vulnerable to such assaults, primarily because it authenticates sessions but not individual packets. Note, however, that mounting a successful man-in-the-middle attack against a PPTP connection would take considerable effort and know-how.

I am sorry if this is way off topic for this forum, but as a person who knows absolutely nothing about VPN PPTP/IPSec and how it works with SME and all the rest, this was the only place I thought to ask this as it directly relates to SME.

I have RTFM first this time, and all it states is that it is possible, and how to set it up (If you have Service Link).

So what are people's opinions on this, and if anyone at Mitel cares to comment that would be nice.

Thanks,

Cyrus Bharda
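The quoted article's distinction, "authenticates sessions but not individual packets" versus "packet-by-packet encryption and authentication", is easy to see in code. The following is an added example, not code from the thread, SME Server or any VPN implementation: it uses a constructed toy stream cipher (SHA-256 in counter mode, standing in for any encrypt-only tunnel; it is not MPPE/RC4 and not IPsec ESP) and compares a tunnel that only encrypts each packet with one that also appends an HMAC-SHA256 tag. The keys, sequence number and payload are constructed sample values.

```python
import hashlib
import hmac

# Constructed teaching model (not MPPE/RC4, not IPsec ESP): a toy stream
# cipher built from SHA-256 in counter mode stands in for any tunnel that
# encrypts each packet. The only difference between the two tunnels below is
# whether each packet also carries a per-packet integrity tag.

TAG_LEN = 32  # bytes of HMAC-SHA256 appended to each authenticated packet


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Deterministic keystream: SHA-256(key || nonce || counter) blocks."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + block.to_bytes(4, "big")).digest()
        block += 1
    return bytes(out[:length])


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


# Model 1: the session is authenticated once at setup; packets are only encrypted.
def seal_encrypt_only(key: bytes, seq: bytes, payload: bytes) -> bytes:
    return xor_bytes(payload, keystream(key, seq, len(payload)))


def open_encrypt_only(key: bytes, seq: bytes, packet: bytes) -> bytes:
    # Nothing here can tell a modified packet from a genuine one: decryption
    # always "succeeds" and hands whatever came out to the application.
    return xor_bytes(packet, keystream(key, seq, len(packet)))


# Model 2: encrypt-then-MAC on every packet (what the quoted article means
# by "packet-by-packet encryption and authentication").
def seal_authenticated(enc_key: bytes, mac_key: bytes, seq: bytes, payload: bytes) -> bytes:
    ct = seal_encrypt_only(enc_key, seq, payload)
    tag = hmac.new(mac_key, seq + ct, hashlib.sha256).digest()
    return ct + tag


def open_authenticated(enc_key: bytes, mac_key: bytes, seq: bytes, packet: bytes):
    ct, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, seq + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # reject (and log): the packet changed between sender and receiver
    return open_encrypt_only(enc_key, seq, ct)


def flip_bit_in_transit(packet: bytes, offset: int) -> bytes:
    """One bit changed on the wire, whether by a line fault or by a third party."""
    b = bytearray(packet)
    b[offset] ^= 0x01
    return bytes(b)


def demo() -> dict:
    enc_key = b"constructed-demo-encryption-key"   # constructed sample key
    mac_key = b"constructed-demo-integrity-key"    # constructed sample key
    seq = (7).to_bytes(8, "big")   # per-packet sequence number used as the nonce
    payload = b"amount=100"        # constructed sample application data

    plain_pkt = seal_encrypt_only(enc_key, seq, payload)
    auth_pkt = seal_authenticated(enc_key, mac_key, seq, payload)

    return {
        # untouched packets round-trip in both models
        "encrypt_only_ok": open_encrypt_only(enc_key, seq, plain_pkt),
        "authenticated_ok": open_authenticated(enc_key, mac_key, seq, auth_pkt),
        # the same single-bit change at byte 7 of the ciphertext in each model
        "encrypt_only_tampered": open_encrypt_only(enc_key, seq, flip_bit_in_transit(plain_pkt, 7)),
        "authenticated_tampered": open_authenticated(enc_key, mac_key, seq, flip_bit_in_transit(auth_pkt, 7)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Running it shows the encrypt-only receiver silently delivering a changed payload (one flipped ciphertext bit becomes one flipped plaintext bit, and nothing raises an error), while the authenticated receiver returns `None` for the same packet and the application never sees the altered data. That is the property the article credits to IPsec and denies to PPTP; encryption on its own, the "Require data encryption" checkbox included, gives confidentiality but not integrity.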

Cyrus Bharda

Re: VPN PPTP Security
« Reply #1 on: July 15, 2003, 11:24:06 AM »
While I am on my high noob horse, might as well add a couple more questions to the fray!

Is L2TP better than PPTP, and can I enable it on SME 5.5? I did try setting my Windows 2000 machine to use it but it came up with an error, could not find certificate?

I have two SME 5.5s; my home one is set up as the PDC and my work one is not.

Now when I make a VPN connection from work to home, I can ping machines via their name from work, BUT when I make a VPN connection from home to work I cannot ping via machine name, but can via IP.

I _think_ this is because I am not logging onto the domain at work when I connect from home, as the SME is not the PDC at work, as that is the only difference between the two connection settings?

I have tried setting DNS servers in the VPN connection IP settings to point to work's servers, still nothing, so how do I log on to the domain? Do I need to port forward the VPN through to my PDC at work, which is a Windows 2000 Server?

Or is there some other way of being able to resolve IPs from names without being logged onto the domain? I am logged onto the SME and I can ping all the internal servers via IP, but when I try to connect to them via \\192.168.0.1\share I get prompted for a username/password, which I enter, but it still does not allow me to view it?

Thanks for your time,

Cyrus Bharda

TrevorB

Re: VPN PPTP Security
« Reply #2 on: July 15, 2003, 02:10:23 PM »
Cyrus,

IPSec has long been recognised as superior to PPTP (except possibly by MS), but that doesn't mean that it isn't suitable for what you want. This is not an e-smith issue.

But, if you want to use IPSec rather than PPTP (which is installed & available 'out-of-the-box'), then you can use the freeswan addons to use IPSec. The contribs only tell you how to setup a sme-sme arrangement, but freeswan will support most IPSec clients (including W2k & XP).

There is a lot of info out there on freeswan, but here is one howto re: using a tool to help set it up a WIN road warrior to freeswan link http://vpn.ebootis.de/

Good luck (unfortunately, my work location has outgoing IPSec ports blocked, so have been unable to try this).

Trevor B

Ray Mitchell

Re: VPN PPTP Security
« Reply #3 on: July 15, 2003, 02:12:58 PM »
Well I can probably answer this one:

Cyrus Bharda wrote:

> I am logged onto
> the SME and I can ping all the internal servers via IP but
> when I try to connect to them via \\192.168.0.1\share I get
> prompted for a username/password which I enter, but still
> does not allow me to view it?

If the share is on the sme box, it sounds like you need to log on to your remote Windows PC using a valid username and password for the domain you are connecting to, that way Windows will correctly send your name and password on to the authenticating server and you will not be prompted for a password. Your access rights will be the same as those setup on the sme server for the local network.

It probably gets a bit messy if you have another Windows PDC server, which I think you do from previous posts.

Regs
Ray

krusty

Re: VPN PPTP Security
« Reply #4 on: July 15, 2003, 03:23:40 PM »
Cyrus, I know a guy that uses what you are talking about daily, so if you give me a call I will put you on to him. He uses SME 5.5 at work and VPNs into it from home, and did the same from our work the other day. I only caught the end of what he was doing so I don't know how to do it myself.

Cyrus Bharda

Re: VPN PPTP Security
« Reply #5 on: July 16, 2003, 03:57:20 AM »
Thanks guys for your help and advice. From further research it looks like PPTP will provide a decent base level of security, and that's all that is needed in this situation really, so I don't think I'll even look at IPSec, which by the looks of it provides a much more robust form of security. Also, not having to configure or install any additional software on the SME or the clients' end is a big plus.

Ray,

You're halfway right: if I tick the "Include Windows logon domain" tickbox in the "Options" tab of the properties of the VPN connection and enter in my domain then all is good. The only thing is that you still have to provide a username to access shares on the Windows PDC, which is fine; at least it works and I can now map drives :-)

Thanks again for everyone's help and suggestions, muchly appreciated!!!

Cyrus Bharda

THE DON

Re: VPN PPTP Security
« Reply #6 on: July 16, 2003, 06:06:36 AM »
Cyrus,
I know that this is a bit left field, but have you considered placing a firewall in front of your SME? Something like Smoothwall is good as it is a stateful packet inspection firewall. The Smoothwall (free out-of-the-box software) also lets you set up VPNs on it (based on FreeSwan). This will guard your SME further.

By using a variety of Open Source products you can find the right solution for you instead of having to find one product that does it all, and therefore a single point of failure, and a lot of strain for one server.

You may want to check it out

http://www.smoothwall.org

It also has IDS (Intrusion Detection using Snort) and a whole host of other features.

I have implemented this solution on many occasions with huge success. You will also find that distributing the firewall load onto something like Smoothwall will also increase the uptime and performance of the SME Server.

Anyway, I am a great fan of the SME and love it; I just wanted to give you some more options, as well as my two cents.

DON

Kelvin

Re: VPN PPTP Security
« Reply #7 on: July 18, 2003, 03:57:57 AM »
Cyrus,

Having been in a similar situation recently, here are a couple of thoughts.

1. How important is the data you are trying to protect that you are afraid of it being hijacked while in the middle of a PPTP session? If you aren't worried about being compromised while in a session, will a good password rotation scheme suffice to offer you the necessary unauthorised access protection at the server level?

2. At one site I ended up putting in a hardware-based firewall router (with IPSec) and loading IPSec client software on the remote laptops for access (the client has a number of people in positions of authority who are sceptical of PCs staying up longer than a week!) :).

Just my penny's worth.

Kelvin