
Difference between PPTP and L2TP?

Posted on 2007-03-26
Last Modified: 2010-08-05
Hi there,

We currently have a VPN solution that uses L2TP. We are thinking of getting rid of this and simply having a Microsoft solution, i.e. setting up a server to act as a VPN server and using PPTP instead. What are the differences between these 2 protocols, and, indeed, what is the best way to implement this so that it is as secure as it can be? Do I need to use RADIUS? I have DMZ functionality on my firewall if that helps....
Question by:ddh76
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18792407
There are 3 primary protocols used for VPNs: PPTP, L2TP, and IPSec, and the level of security provided is in that order as well. L2TP can be set up using IPSec and is much more secure than PPTP, however more difficult to configure.
Why are you going to a lower level of security?
You do not want to use the DMZ, as it will reduce security, and using RADIUS is an option with either, but not necessary.
As to the details of the protocols themselves:
PPTP:
http://en.wikipedia.org/wiki/Point-to-point_tunneling_protocol
http://tools.ietf.org/html/rfc2637
L2TP:
http://en.wikipedia.org/wiki/Layer_2_Tunneling_Protocol
http://tools.ietf.org/html/rfc2661
0
 
LVL 18

Accepted Solution

by:
PowerIT earned 1000 total points
ID: 18792894
ddh76, PPTP has a reputation of not being secure.
That stems from some mistakes in the MS and also CISCO implementations a while ago (ca 5 yrs). PPTP can be set up securely but if not set up correctly it can still expose you to vulnerabilities.
I understand why you want to switch: it's very easy to set up and the client software is preinstalled on almost any OS.
The client part is also a no brainer to configure; even the most computer-illiterate can be run through it with a 3 page document with screenshots.
So I did the switch about a year ago for one environment, with the following reasoning:
- This is a low security environment, where ease of use is extremely important
- I did NOT use the MS or Cisco implementation as a server, but a lesser known product with no known vulnerabilities (one of the UTMs on the market) and configured using only the highest encryption level (MPPE-128 using TLS-EAP)
- This server does a lot of thorough monitoring, and the logs are regularly reviewed.
- We are willing to take a small risk.

FYI: to be exact L2TP is not a true VPN: it does not use encryption and strong authentication. It must be used in conjunction with IPSEC to provide encryption and create a true VPN. That's also what makes it more complex to implement.

Security-wise it's better to do a correctly implemented - but technically less secure - installation than implementing something technically more secure but implemented in a flawed way.

Hope this helps.

J.

0
 
LVL 1

Author Comment

by:ddh76
ID: 18793151
Yes, the ease with which you can set up a PPTP connection is far better than the "messy" MUVPN client software that Watchguard provide but I presume this is partly due to the complexity of the L2TP and IPSEC protocol combination?

So, in short, there is a risk but the risk isn't as great as not encrypting at all???
0

 
LVL 77

Expert Comment

by:Rob Williams
ID: 18793368
Personally I would stick with the MUVPN solution. It's extremely secure, and if you control its deployment, users cannot share passwords allowing others access to your domain, like they can easily do with the Windows client. Also, they cannot self-install the client in unapproved locations.
0
 
LVL 1

Author Comment

by:ddh76
ID: 18793615
Would like to agree with you but we have so many problems with the MUVPN solution as it stands.  Some users experience the disconnection of the client software so often that it is almost unusable.  I have spoken to Watchguard who seem quite reluctant to help. (other than offer me beta firmware which I am not prepared to go for!)

So, in summary, it "was" less secure years ago when originally deployed but now it is a lot better? (PPTP I am talking about here)


0
 
LVL 77

Expert Comment

by:Rob Williams
ID: 18793705
I would test the PPTP connection first. I have never heard of connection issues with WatchGuard and their client. Sounds more like a hardware or ISP issue than the tunnel type.

PPTP is not as secure as IPSec, but has come a long way. Make sure you use complex passwords and the best available authentication protocol. I don't believe that, if using a Windows server as the VPN endpoint, you have the authentication options suggested by PowerIT. The best Windows has to offer is MS-CHAP v2. However, if your router/s support better PPTP authentication options you will be better off.
0
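
The advice in the answers above (accept only the highest MPPE level, use the best available authentication protocol) can be checked mechanically. The following is an added example, not part of the thread: it assumes a Linux PPTP server driven by pppd, which none of the posters describe, and audits constructed pppd options files for a fixed set of weak settings.

```python
# Added example: audit a pppd options file for weak PPTP settings.
# Assumption: the PPTP server is pppd-based; both sample files are constructed.
MUST_HAVE = {
    "require-mppe-128": "128-bit MPPE is not required",
    "refuse-pap": "PAP is not refused",
    "refuse-chap": "CHAP is not refused",
    "refuse-mschap": "MS-CHAP v1 is not refused",
}
MUST_NOT_HAVE = {
    "noauth": "peer authentication is disabled (noauth)",
    "nomppe": "MPPE is disabled (nomppe)",
    "require-mppe-40": "40-bit MPPE is accepted (require-mppe-40)",
}
STRONG_AUTH = {"require-mschap-v2", "require-eap"}

def parse_options(text):
    """Return the set of option keywords, ignoring '#' comments and blanks."""
    options = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            options.add(line.split()[0])
    return options

def audit(text):
    """Return a list of findings; an empty list means no weak setting found."""
    options = parse_options(text)
    findings = [msg for opt, msg in MUST_HAVE.items() if opt not in options]
    findings += [msg for opt, msg in MUST_NOT_HAVE.items() if opt in options]
    if not options & STRONG_AUTH:
        findings.append("neither MS-CHAP v2 nor EAP is required")
    return findings

WEAK = """\
require-mschap-v2
require-mppe-40
require-mppe-128
# refuse-pap
refuse-chap
"""
HARDENED = """\
refuse-pap
refuse-chap
refuse-mschap
require-mschap-v2
require-mppe-128
"""

if __name__ == "__main__":
    print({"weak": audit(WEAK), "hardened": audit(HARDENED)})
```

A commented-out `refuse-pap` counts as missing, which is the case the constructed weak sample exercises.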
