Does anyone have practical experience running large numbers
of concurrent sessions through a PPTP server?
We've measured an x % performance penalty (relative to throughput
for a PPTP session versus a non-PPTP session)
Basically a performance penalty doesn't bother me... it's the thought
of many cumulative flows dragging down a common point of convergence
(i.e. the server).
My gut feeling isn't that it's not practical to expect PPTP to scale
well...
It might work great for a limited set of users but if many people
started using it, it wouldn't perform as well as other hardware-based
products...
>----------
>From: Russ [SMTP:Russ.Cooper@rc.on.ca]
>Sent: Tuesday, October 07, 1997 7:17 AM
>To: firewalls@greatcircle.com
>Subject: RE: VPNs and PPTP
>
>> 1) weak authentication
>
>Security Dynamics say they have made PPTP work with SecurID.
>
>> 2) slower
>
>Than what?? Personally, with PPP compression, my speeds have been quite
>reasonable, dare I say fast?
>
>> 3) bitch to install and figure out routing
>
>Details, details, details, it's not a bitch to install, although it may
>be a bitch to figure out the routing if you haven't read the
>manuals...;-]
>
>> 4) GRE doesn't pass through all firewalls
>
>Really?? Which ones??? There's no "proxy" for GRE, that's true, but as a
>generic protocol, which FW doesn't support passing GRE through?
>
>> 5) precious little debug information
>
>Interesting, you can get full PPP debug information through RAS. As for
>the PPTP control channel, well that may be an area lacking. Of course
>you could just sniff 1723 and see for yourself, but I suppose you think
>there should be some sort of logging?? With Routing and Remote Access
>Server (RRAS) you do get a whole lot more information.
>
>> 6) uses existing NT RAS administrative model
>
>I don't see why this is a big issue, for customers who are upgrading
>modem connections to ISP-style connections, it's logical.
>
>> 7) no support for non-MS based servers and clients.
>
>and SecuRemote runs on...??? (no slam against CP, but it only runs on
>W95 and NT, right (or server to server as long as they're both CP FWs)
>Same is true of more than a few VPN clients).
>
>> 8) black box implementation
>
>and SecuRemote is a...??? V-One is a...??? Altavista is a...??? Lots of
>black boxes around these days...;-]
>
>> 9) Extra hardware if you're not currently running NT server
>> NT server isn't cheap.
>
>and SmartGate runs on...??? or Altavista Tunnel. An extra server for VPN
>is definitely not unique to PPTP, and few of them are cheap. Maybe the
>point should be that if you *are* running NT, it's FREE.
>
>> 10) uses existing user database
>
>most see this as an advantage, but obviously coupled with item #1 above
>could be a disadvantage. It certainly doesn't have to be your existing
>user database, you could easily create a separate domain with a single
>user for each person connecting in and then use Trusts to determine what
>they can get to. IOW, it doesn't have to use an existing user database.
>
>> 11) no key mgt
>
>well, maybe that's because there are no keys...;-]...but really, isn't
>this one of the reasons for #1 above? SecurID is supposed to work, I've
>been told it works, but I haven't seen it work yet with PPTP.
>
>> 12) transports IPX and native NETBEUI
>
>and this is a bad thing(tm)??? Better talk to those folks over at
>Network-1, their Firewall/Plus transports anything, and I mean
>anything...;-]
>
>Don't get me wrong, I'm not advocating the use of PPTP or saying it's the
>best thing since sliced bread or anything. As always, I just don't like
>the idea that things MS get slammed due to lack of understanding. PPTP
>is proprietary, since it wasn't readily adopted, and will eventually be
>L2TP instead, so mass deployment may not be a good idea until you've
>talked to MS and found out whether the upgrade is going to be painless
>or not (if you do, let me know).
>
>If you've got NT 4.0 today and are evaluating VPNs, trialing PPTP makes
>a whole lot of sense in my mind.
>
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security
>
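Russ's suggestion to "sniff 1723" is easy to act on from the monitoring side. The following is an added example, not code from this thread or from any vendor, that decodes the PPTP control-message header carried on TCP port 1723 using the field layout published in RFC 2637 and rejects anything that lacks the protocol's magic cookie; the sample message is constructed, not a real capture.

```python
import struct

# PPTP control channel (RFC 2637): every control message sent over TCP port
# 1723 starts with a 12-byte header, all fields big-endian.
MAGIC_COOKIE = 0x1A2B3C4D
HEADER_FMT = "!HHIHH"  # length, message type, magic cookie, control type, reserved
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12

CONTROL_TYPES = {
    1: "Start-Control-Connection-Request",
    2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request",
    4: "Stop-Control-Connection-Reply",
    5: "Echo-Request",
    6: "Echo-Reply",
    7: "Outgoing-Call-Request",
    8: "Outgoing-Call-Reply",
    9: "Incoming-Call-Request",
    10: "Incoming-Call-Reply",
    11: "Incoming-Call-Connected",
    12: "Call-Clear-Request",
    13: "Call-Disconnect-Notify",
    14: "WAN-Error-Notify",
    15: "Set-Link-Info",
}

def parse_pptp_control(payload: bytes):
    """Decode one PPTP control message header from a TCP/1723 payload.
    Returns a dict, or None if the bytes do not look like PPTP."""
    if len(payload) < HEADER_LEN:
        return None
    length, msg_type, cookie, ctrl_type, _ = struct.unpack(HEADER_FMT, payload[:HEADER_LEN])
    # The magic cookie and message type 1 ("control message") are the cheap
    # sanity checks that separate PPTP from other traffic on port 1723.
    if cookie != MAGIC_COOKIE or msg_type != 1 or length < HEADER_LEN:
        return None
    if len(payload) < length:
        return None  # truncated: the message continues in the next segment
    return {
        "length": length,
        "control_type": ctrl_type,
        "name": CONTROL_TYPES.get(ctrl_type, "Unknown"),
        "body": payload[HEADER_LEN:length],
    }

# Constructed sample: a Start-Control-Connection-Request is 156 bytes in total
# (12-byte header + 144-byte body); the body is zero-filled, not a real capture.
SAMPLE_SCCRQ = struct.pack(HEADER_FMT, 156, 1, MAGIC_COOKIE, 1, 0) + b"\x00" * 144
```

Feeding each TCP/1723 payload from a capture through `parse_pptp_control` gives the control-channel log that Russ notes PPTP itself does not provide.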