[PVE-User] pptp is not secure (was: Internet facing Proxmox)

Diaolin diaolin at diaolin.com
Mon Sep 15 14:36:23 CEST 2014


I use SoftEther and it's perfect.

Diaolin

---
ala fin l'ei sol parole tut sta smania maledeta
la se strenge entorn, menudola,
e le not l'è le orazion de na cigaia
'mbarlumada da la luna



On 15 Sep 2014, at 14:32, Paul Gray <gray at cs.uni.edu> wrote:
>On 09/15/2014 06:38 AM, Lutz Markus Willek wrote:
>> Hey There,
>> 
>> PPTP has always been considered rather weak security but a flaw in
>> MSChapv2 indicates it is even less secure than we ever believed.
>> MSChapv2 is the "most secure" authentication protocol used with PPTP!
>> So PPTP turns to the least secure VPN solution.
>> In fact PPTP is so insecure, it should be considered unencrypted.
>> Avoid this.
>
>Lutz++
>
>PPTP's encryption strength is limited by the randomness of the user's
>password, which is typically weak.
>
>From Schneier's analysis here:
>"However, the fundamental weakness of the authentication and encryption
>protocol is that it is only as secure as the password chosen by the
>user."
>  (https://www.schneier.com/paper-pptpv2.html)
>
>I've set up numerous VPNs: OpenSwan, StrongSwan, FreeSwan, OpenVPN,
>racoon/IPSec, PoPToP, ...
>
>But lately I've been using SoftEther (on Linux) for my VPN server
>infrastructure.  Very configurable and extremely interoperable
>with established VPN clients.
>
>SoftEther works with the default Android, Windows (7/8/Tablet) and Linux
>VPN client software without additional software installs.  So it's a
>good solution for "working for everyone" out of the box.  It also makes
>documenting the connection to your services a lot more manageable since
>you don't need to document 20+ vendor VPN client variations to get your
>users connected.
>
>For a SoftEther production usage case:  I presently have 60 VMs on one
>of my Proxmox clusters that are used for System Security classes that I
>teach.  These VMs are required to be "off the net," yet must be
>accessible to the students 24/7.  Students have been tapping in with
>their clients to the SoftEther VPN all term without problems.
>
>For various logistic reasons, my SoftEther VPN server is set up on a
>bare metal system alongside of the Proxmox cluster that is connected to
>the backend network where the student VMs reside.
>
>There's no reason the SoftEther server could not be run on the head of a
>Proxmox install, and this would be what I'd recommend if your logistics
>limit you to deployment only on the Proxmox head end.
>
>-- 
>Paul Gray                                         -o)
>314 East Gym, Dept. of Computer Science           /\\
>University of Northern Iowa                      _\_V
> Message void if penguin violated ...  Don't mess with the penguin
> No one says, "Hey, I can't read that ASCII attachment ya sent me."