Windows-Based VPNs Not "Industrial Strength"?

In a paper released last week, computer security specialists from Counterpane Security and L0pht Heavy Industries went over with a fine-tooth comb Microsoft Corp.'s built-in Windows virtual private network (VPN) support.

Their target: Microsoft Point-to-Point Tunneling Protocol (PPTP) version 2. Their conclusions? While better than version 1, MS PPTP still leaves VPNs open to attack.

PPTP is a generic protocol that allows Point-to-Point Protocol (PPP) connections to pass through firewalls. The resulting connection is treated as if it had originated behind the firewall, creating a VPN. MS PPTP is Microsoft's implementation of the PPTP, and is built into the Windows 95, 98, and NT operating systems. While VPN vendors are increasingly moving towards IPSec, PPTP remains important because of its wide distribution on Windows platforms.

Last year Counterpane and L0pht released a scathing critique of MS PPTP v1, claiming that the system left networks extremely vulnerable to a number of relatively simple attacks. They claimed that fundamental weaknesses in the system's authentication protocol would allow hackers to crack passwords or masquerade as servers.

"Kindergarten Cryptography"

At the time, Counterpane president and noted cryptographer Bruce Schneier referred to Microsoft's version 1 implementation as "kindergarten cryptography".

In their most recent paper Schneier and L0pht hacker "Mudge" point out substantial improvements in MS PPTP v2: "...Microsoft obviously took this opportunity to not only fix some of the major cryptographic weaknesses...but also to improve the quality of their code." They also claim, however, that the system retains weaknesses that leave it vulnerable. "I do not recommend using Microsoft PPTP, version 1 or version 2, for any applications for which security is a concern," concludes Schneier.

Perhaps most significantly, version 2 continues to rely upon password-based keys in its authentication and encryption mechanisms. Because most users tend to select very poor passwords, Schneier and Mudge assert that this leaves the system open to freely available dictionary-type password cracking software.

MS: More Of A Philosophical Difference

Microsoft chalks this critique up to a difference in philosophy. "Mr. Schneier's problem is with the use of passwords as 'shared secrets'," says Ron Cully, MS Senior Product Manager for Windows Networking. Cully asserts that risks can be minimized through conscientious administration: "We believe that if a company can implement a sound password policy, the 'shared secret' system can be quite effective."

Microsoft hopes to provide another option for addressing this issue by implementing the Extensible Authentication Protocol (EAP) in Windows 2000, permitting the use of computer-generated encryption keys encoded on smart cards.

Schneier and Mudge are also concerned that that backward-compatibility features allow a "version rollback" attack, in which an intruder tricks the system into using the less-secure MS PPTP v1 mechanisms. They point out the difficulties in disabling the backward-compatibility features, particularly in networks containing legacy boxes that may be unable to run the upgraded protocol.

Cully considers backward compatibility one of the product's strengths, giving customers flexibility in installing the upgrade. Moreover, he asserts that the risks to a well-managed network are minimal.

"A properly formatted server is not vulnerable to that attack," says Cully, adding, "Any security is only as strong as its enforcement."

While emphasizing that these criticisms apply to the Microsoft implementation rather than PPTP itself, Schneier and Mudge encourage the adoption of IPSec. In their most recent white paper, the authors state that "Our hope is that PPTP continues to see a decline in use as IPSec becomes more prevalent."

Microsoft, however, plans to include both PPTP and IPSec/LT2P in Windows 2000, and to support PPTP as a low-cost alternative to IPSec for the foreseeable future.

Categories: Articles, Text

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.