>I'm sorry to be so ignorant, but could someone please clear this up for me?
>
>
>IS IT POSSIBLE, using Microsoft's PPTP (Windows client, NT server) to
>establish a FULLY secured connection through FW-1 3.0? (non VPN)
>
>What I want is SECURED authentication AND secured communication:
>authenticity & confidentiality.
>thanks,
>james @ imx-exchange . com
Then PPTP is not for you. As mentioned in an earlier post, PPTP is
based on PPP which uses PAP and CHAP for authentication. While this is
fine for a dial-up line, it presents some interesting problems when
transmitted over an open network:
PAP - Sends passwords as clear text. Provides no authentication during
communication which means that sources are not verified. If I transmit
data from a third station pretending to be either one of the two
systems, the session has no checks to reject this information.
CHAP - Allows for encrypted passwords and performs authentication of
each system at random time intervals to ensure they are who they say
they are. Systems are supposed to try CHAP first, but it is not that
difficult to make the systems drop back to PAP.
If I can place myself between your network and the user's ISP, it's a
straightforward process to capture their logon name and password. I
can now use this information to create a PPTP connection myself
(assuming you are not filtering sources on your firewall) or access
your network via RAS dial-up if it is configured and I can figure out
the phone number.
Regardless of the authentication method used, NT uses a 40-bit key for
encryption. The problem is that the key is transmitted as part of the
session! There is no facility in place to exchange keys out-of-band or
to use a public/private key configuration. In short, if I capture the
user's entire session I have all the info I need to crack the
transmission.
If you need "SECURED", use your firewall's VPN feature along with
SecurID verification.
Hope this clears things up for you.
Cheers,
Chris
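As an added illustration (not part of Chris's reply or the original thread), the PAP versus CHAP difference described above, written out in Python: a PAP Authenticate-Request carries the password itself, while CHAP (RFC 1994) puts only MD5(id || secret || challenge) on the wire against a fresh random challenge, so the authenticator can re-challenge at intervals and can refuse to drop back to PAP. Field layouts follow RFC 1334 and RFC 1994; the user name, secret and the `choose_auth_protocol` policy helper are constructed for this example.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Constructed demo credentials (not from the thread).
USER = "james"
SECRET = b"correct-horse"


# --- PAP (RFC 1334): the Authenticate-Request payload is peer-id and password, each length-prefixed.
def pap_authenticate_request(user: str, secret: bytes) -> bytes:
    u = user.encode()
    return bytes([len(u)]) + u + bytes([len(secret)]) + secret


def pap_password_visible(frame: bytes) -> bytes:
    """What anyone reading the link sees in a PAP frame: the password, verbatim."""
    ulen = frame[0]
    plen = frame[1 + ulen]
    return frame[2 + ulen : 2 + ulen + plen]


# --- CHAP (RFC 1994): the secret never crosses the wire, only MD5(id || secret || challenge).
def chap_challenge(n: int = 16) -> bytes:
    """Authenticator picks a fresh random challenge; repeating it at intervals re-verifies the peer."""
    return os.urandom(n)


def chap_response(ident: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([ident & 0xFF]) + secret + challenge).digest()


def chap_verify(ident: int, secret: bytes, challenge: bytes, response: bytes) -> bool:
    """Authenticator recomputes with its own copy of the secret and compares in constant time.
    A response captured from an earlier challenge does not verify against a new one."""
    return hmac.compare_digest(chap_response(ident, secret, challenge), response)


# --- Policy (constructed helper): the "drop back to PAP" problem is the authenticator agreeing to it.
def choose_auth_protocol(peer_offers: List[str], allow_pap_fallback: bool) -> Optional[str]:
    if "CHAP" in peer_offers:
        return "CHAP"
    if "PAP" in peer_offers and allow_pap_fallback:
        return "PAP"
    return None  # refuse the session rather than downgrade


if __name__ == "__main__":
    frame = pap_authenticate_request(USER, SECRET)
    print("PAP frame exposes:", pap_password_visible(frame))
    c = chap_challenge()
    print("CHAP verifies:", chap_verify(1, SECRET, c, chap_response(1, SECRET, c)))
    print("CHAP-only authenticator offered PAP alone:", choose_auth_protocol(["PAP"], False))
```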