Solved

Difference between PPTP and L2TP?

Posted on 2007-03-26
1,994 Views
Last Modified: 2010-08-05
Hi there,

We currently have a VPN solution that uses L2TP.  We are thinking of getting rid of this and simply having a Microsoft solution.  i.e setting up a server to act as a VPN Server and using PPTP instead.  What are the differences in these 2 protocols, and, indeed, what is the best way to implement this so that it is as secure as it can be?  Do I need to use RADIUS?  I have DMZ functionality on my firewall if that helps....
Question by:ddh76
6 Comments
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18792407
There are 3 primary protocols used for VPNs; PPTP, L2TP, and IPSec, and the level of security provided is in that order as well. L2TP can be set up using IPSec and is much more secure than PPTP, however more difficult to configure.
Why are you going to a lower level of security?
You do not want to use the DMZ, as it will reduce security, and using RADIUS is an option with either, but not necessary.
As to the details of the protocols themselves:
PPTP:
http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol
http://tools.ietf.org/html/rfc2637
L2TP:
http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://tools.ietf.org/html/rfc2661
0
 
LVL 18

Accepted Solution

by:PowerIT (earned 250 total points)
ID: 18792894
ddh76, PPTP has a reputation of not being secure.
That stems from some mistakes in the MS and also CISCO implementations a while ago (ca 5 yrs). PPTP can be set up securely but if not set up correctly it can still expose you to vulnerabilities.
I understand why you want to switch: it's very easy to set up and the client software is preinstalled on almost any OS.
The client part is also a no-brainer to configure; even the most computer-illiterate can be run through it with a 3 page document with screenshots.
So I did the switch about a year ago for one environment, with the following reasoning:
- This is a low security environment, where ease of use is extremely important
- I did NOT use the MS or Cisco implementation as a server, but a lesser known product with no known vulnerabilities (one of the UTMs on the market) and configured using only the highest encryption level (MPPE-128 using TLS-EAP)
- This server does a lot of thorough monitoring, and the logs are regularly reviewed.
- We are willing to take a small risk.

FYI: to be exact L2TP is not a true VPN: it does not use encryption and strong authentication. It must be used in conjunction with IPSEC to provide encryption and create a true VPN. That's also what makes it more complex to implement.

Security-wise it's better to do a correctly implemented - but technically less secure - installation than implementing something technically more secure but implemented in a flawed way.

Hope this helps.

J.

0
 
LVL 1

Author Comment

by:ddh76
ID: 18793151
Yes, the ease at which you can setup a PPTP connection is far better than the "messy" MUVPN client software that Watchguard provide but I presume this is partly due to the complexity of the L2TP and IPSEC protocol combination?

So, in short, there is a risk but the risk isn't as great as not encrypting at all?
0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18793368
Personally I would stick with the MUVPN solution. It's extremely secure, and if you control its deployment, users cannot share passwords allowing others access to your domain, like they can easily do with the Windows client. Also, they cannot self install the client in unapproved locations.
0
 
LVL 1

Author Comment

by:ddh76
ID: 18793615
Would like to agree with you but we have so many problems with the MUVPN solution as it stands.  Some users experience the disconnection of the client software so often that it is almost unusable.  I have spoken to Watchguard who seem quite reluctant to help. (other than offer me beta firmware which I am not prepared to go for!)

So, in summary, it "was" less secure years ago when originally deployed but now it is a lot better? (PPTP I am talking about here)


0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18793705
I would test the PPTP connection first. I have never heard of connection issues with WatchGuard and their client. Sounds more like a hardware or ISP issue than the tunnel type.

PPTP is not as secure as IPSec, but has come a long way. Make sure you use complex passwords and the best available authentication protocol. I don't believe, if using a Windows server as the VPN endpoint, you have the authentication options suggested by PowerIT. The best Windows has to offer is MS-CHAP v2. However, if your router(s) support better PPTP authentication options you will be better off.
0
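The two hardening points made above (PowerIT: only the highest encryption level, MPPE-128; Rob Williams: only the best available authentication protocol, MS-CHAP v2) can be checked mechanically. The following is an added example, not code from this thread or from any product mentioned in it: it assumes a pppd-style PPTP server option file (the syntax PoPToP uses; Windows RRAS exposes the same two settings in its GUI), parses a constructed weak file and a constructed hardened file, and reports which of those settings are not enforced.

```python
# Constructed pppd/PoPToP-style option files (not taken from the thread).
# WEAK_OPTIONS lets the client negotiate down; HARDENED_OPTIONS does not.
WEAK_OPTIONS = """
name pptpd
# accept whatever authentication the client proposes
require-mppe
ms-dns 10.0.0.53
proxyarp
"""

HARDENED_OPTIONS = """
name pptpd
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
nomppe-stateful
ms-dns 10.0.0.53
proxyarp
"""

def parse_options(text):
    """Parse pppd's one-option-per-line syntax into {option: [args]}; '#' starts a comment."""
    opts = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, *args = line.split()
        opts[name] = args
    return opts

def audit_pptp_options(text):
    """Return findings against the thread's advice; an empty list means the file passes."""
    opts = parse_options(text)
    findings = []
    # Authentication: PAP, CHAP and MS-CHAP v1 must be refused so only MS-CHAP v2 stays negotiable.
    for weak in ("refuse-pap", "refuse-chap", "refuse-mschap"):
        if weak not in opts:
            findings.append(f"missing {weak}: a weaker authentication method stays negotiable")
    if "require-mschap-v2" not in opts:
        findings.append("missing require-mschap-v2: MPPE keys come from the MS-CHAP exchange, and v2 is not enforced")
    # Encryption: 'require-mppe' alone still accepts 40/56-bit keys; 128-bit must be demanded explicitly.
    if "require-mppe-128" not in opts:
        findings.append("missing require-mppe-128: 40/56-bit MPPE is acceptable to this server")
    return findings
```

Password strength still matters after both settings are enforced, because the MPPE session key is only as strong as the MS-CHAP v2 credential it is derived from.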
