> 1) weak authentication
Security Dynamics say they have made PPTP work with SecurID.
> 2) slower
Than what?? Personally, with PPP compression, my speeds have been quite
reasonable, dare I say fast?
> 3) bitch to install and figure out routing
Details, details, details, it's not a bitch to install, although it may
be a bitch to figure out the routing if you haven't read the
manuals...;-]
> 4) GRE doesn't pass through all firewalls
Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a
generic protocol, which FW doesn't support passing GRE through?
> 5) precious little debug information
Interesting, you can get full PPP debug information through RAS. As for
the PPTP control channel, well that may be an area lacking. Of course
you could just sniff 1723 and see for yourself, but I suppose you think
there should be some sort of logging?? With Routing and Remote Access
Server (RRAS) you do get a whole lot more information.
> 6) uses existing NT RAS administrative model
I don't see why this is a big issue, for customers who are upgrading
modem connections to ISP-style connections, it's logical.
> 7) no support for non-MS based servers and clients.
and SecuRemote runs on...??? (no slam against CP, but it only runs on
W95 and NT, right (or server to server as long as they're both CP FWs)
Same is true of more than a few VPN clients).
> 8) black box implementation
and SecuRemote is a...??? V-One is a...??? Altavista is a...??? Lots of
black boxes around these days...;-]
> 9) Extra hardware if you're not currently running NT server
> NT server isn't cheap.
and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN
is definitely not unique to PPTP, and few of them are cheap. Maybe the
point should be that if you *are* running NT, it's FREE.
> 10) uses existing user database
most see this as an advantage, but obviously coupled with item #1 above
could be a disadvantage. It certainly doesn't have to be your existing
user database, you could easily create a separate domain with a single
user for each person connecting in and then use Trusts to determine what
they can get to. IOW, it doesn't have to use an existing user database.
> 11) no key mgt
well, maybe that's because there are no keys...;-]...but really, isn't
this one of the reasons for #1 above? SecurID is supposed to work, I've
been told it works, but I haven't seen it work yet with PPTP.
> 12) transports IPX and native NETBEUI
and this is a bad thing(tm)??? Better talk to those folks over at
Network-1, their Firewall/Plus transports anything, and I mean
anything...;-]
Don't get me wrong, I'm not advocating the use of PPTP or saying it's the
best thing since sliced bread or anything. As always, I just don't like
the idea that things MS get slammed due to lack of understanding. PPTP
is proprietary, since it wasn't readily adopted, and will eventually be
L2TP instead, so mass deployment may not be a good idea until you've
talked to MS and found out whether the upgrade is going to be painless
or not (if you do, let me know).
If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes
a whole lot of sense in my mind.
Cheers,
Russ
R.C. Consulting, Inc. - NT/Internet Security