Microsoft PPTP against AltaVista Tunnel

Summary

Microsoft offers its Virtual Private Network solution for free. According to Microsoft, PPTP (Point to Point Tunneling Protocol) is secure, efficient and supports various protocols. Its partnership with Ascend might give this implementation good ISP coverage. Finally, its recent agreement with Cisco to merge L2F (Layer 2 Forwarding) and PPTP into L2TP also seems promising. However, this paper demonstrates that the return on investment with PPTP is much lower than with the AltaVista Tunnel.

The explanation may simply reside in the initial requirements of this technology. Ascend initially advanced the concept and created the PPTP architecture. Ascend specifically targeted ISPs for boosting their competitiveness against other ISPs or on-line services. The promise was to allow ISPs to open new opportunities by hosting security services with PPTP. With a booming outsourcing market, ISPs envisioned a new WAN market with more services and security options. Router vendors then participated heavily in this plan.

On the contrary, requirements for prior VPN products such as AltaVista's were aimed at enabling corporations to minimize their costs in maintaining control over their security policies and implementations. As a result, requirements such as VPN independence allowed customers to not only cut their costs but also to protect their investments with a proven technology.

According to PC Week 3/4/97, "L2TP is scheduled to start appearing in Cisco and Microsoft products by year's end." Today, PPTP is immature and will remain so until this L2TP migration. However, even after clearing this migration hurdle, it will still not be compliant with IPSEC, which the IETF has fully endorsed.

AltaVista Tunnel's strategic direction is IPSEC, used in combination with its current proprietary protocols until IPSEC provides a complete superset of what AltaVista Tunnel can do today.

Results

Independence

Protocol Independence
  AltaVista Tunnel: Yes and No
  PPTP: Yes
  Benefits & Comments: PPTP's main benefit is support for several protocols (e.g. IPX or AppleTalk) with only one level of encapsulation. The IP-layer implementation selected by most VPN vendors requires double encapsulation (e.g. IPX is first placed in an IP packet, which is then encrypted and encapsulated into another IP datagram).

Server Independence
  AltaVista Tunnel: Yes
  PPTP: No
  Benefits & Comments: AltaVista Tunnel supports NT 3.51 and 4.0 and several flavours of UNIX. PPTP only runs on NT 4.0 with the latest service pack.

Desktop and ISP Independence
  AltaVista Tunnel: Yes
  PPTP: No
  Benefits & Comments: PPTP is dependent on either the ISP or the desktop. Non-NT 4.0 clients must first establish a PPP link to the ISP. If the ISP is PPTP compliant and has the right hardware, it then extends this weak connection to the Intranet with a secure PPTP link. To achieve ISP independence, MIS managers must configure their laptops with NT 4.0 and its latest service pack.

Firewall Independence
  AltaVista Tunnel: Yes
  PPTP: Yes and No
  Benefits & Comments: AltaVista Tunnel has been qualified with leading firewall solutions. Microsoft sidesteps this problem by recommending that its NT 4.0 PPTP server be left unprotected by the firewall. Besides the other security issues such a configuration represents, the encrypted link is then not an end-to-end secure connection.

Conclusion:
PPTP is free but creates dependencies that can be very costly over time, such as:

  • updating all desktops to NT 4.0, training users and installing additional memory
  • forcing users to adopt specific PPTP-compliant ISPs (if available in their areas)
  • adopting costly third-party solutions (e.g. PPTP for Windows 95 or others) for ISP independence

AltaVista Tunnel is fully independent.

Security

Authentication
  AltaVista Tunnel: Mutual authentication with RSA 512-bit public key
  PPTP: One-way authentication using NT domain authentication and MS-CHAP
  Benefits & Comments: AltaVista Tunnel uses mutual authentication, the preferred method, because it allows both ends of the tunnel to trust each other. PPTP only allows one-way trust from sender to receiver, which creates risk.

Data Encryption
  AltaVista Tunnel: RSA's RC4 128-bit and 56-bit encryption
  PPTP: RSA's RC4 40-bit encryption
  Benefits & Comments: 40-bit encryption is a very weak mechanism that is not appropriate for any serious business implementation. Microsoft has said that it will eventually increase its encryption level in the near future. AltaVista offers 128-bit encryption in the US/Canada and 56-bit encryption internationally. 56-bit encryption is ~65,000 times stronger than 40-bit.

Data Integrity
  AltaVista Tunnel: MD5 Message Digest
  PPTP: MD5 Message Digest
  Benefits & Comments: Same.

Automatic Encryption Re-key
  AltaVista Tunnel: Yes - a new key is exchanged transparently every 30 minutes
  PPTP: No
  Benefits & Comments: AltaVista Tunnel transparently exchanges a new encryption key every 30 minutes, which drastically enhances security.

Proven technology
  AltaVista Tunnel: Available since December 95
  PPTP: Available since Dec 96
  Benefits & Comments: PPTP is a proposed RFC whose implementation has not been exposed to the real world or to any significant attacks. On the contrary, the AltaVista Tunnel product has been shipping since December 95 and can be considered a proven and very reliable technology.

Complete end-to-end encryption
  AltaVista Tunnel: Yes
  PPTP: No
  Benefits & Comments: With non-PPTP-compliant desktops, the Microsoft solution delegates security responsibility to the ISP. In addition, leaving the PPTP server on the red net causes serious security issues: NT servers are prone to denial-of-service attacks or crashes, such as those caused by spoofed DNS replies. If the server is configured with one network interface, remote connections are no longer secure. If it is configured with two interfaces, the firewall must then handle two untrusted Internet interfaces, which most firewalls don't support.

Conclusion:
PPTP is free but it is not very secure: no strong authentication, no dynamic rekeying and a potentially very complex or weak firewall configuration. When available, its stronger encryption will not be applicable abroad, preventing companies from deploying worldwide Intranet access. With one and a half years of experience and exposure, AltaVista Tunnel clearly demonstrates its security, maturity and robustness.
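The authentication row above is the one where the two designs differ in kind rather than in degree. The following is an added toy model (not AltaVista's or Microsoft's actual protocol, and not code from this page): an HMAC over a random challenge stands in for the RSA signature and the MS-CHAP response, and the peer names, secrets and handshake functions are constructed for the illustration. It shows why a client that never challenges its server will complete a "tunnel" to any endpoint that answers, while a mutually authenticated client rejects an endpoint that cannot prove knowledge of the trusted secret.

```python
"""Toy model of one-way versus mutual tunnel authentication (constructed
illustration, not AltaVista's or Microsoft's real protocol). An HMAC over a
random challenge stands in for the RSA signature / MS-CHAP response; each
genuine peer holds a long-term secret, an impostor holds no valid one."""
import hashlib
import hmac
import os

def prove(secret: bytes, challenge: bytes) -> bytes:
    """Answer a challenge with a keyed digest (stand-in for a signature)."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

class Peer:
    def __init__(self, name: str, secret: bytes):
        self.name, self.secret = name, secret

    def challenge(self) -> bytes:
        return os.urandom(16)

    def respond(self, challenge: bytes) -> bytes:
        return prove(self.secret, challenge)

def one_way_handshake(client: Peer, server: Peer) -> bool:
    """PPTP-style: only the server challenges. The client answers, then treats
    the link as up; it has no way to check who it reached."""
    client.respond(server.challenge())  # client's proof leaves regardless
    return True                         # client is 'connected' to anyone

def mutual_handshake(client: Peer, server: Peer, trusted: bytes) -> bool:
    """AltaVista-style: both sides challenge. The client accepts only if the
    server proves knowledge of the secret the client trusts."""
    client.respond(server.challenge())  # server's check of the client
    c = client.challenge()              # client's check of the server
    return hmac.compare_digest(server.respond(c), prove(trusted, c))

def demo() -> dict:
    """Run both handshakes against a genuine and an impostor gateway."""
    server_secret = os.urandom(32)
    client = Peer("laptop", os.urandom(32))
    genuine = Peer("intranet-gateway", server_secret)
    impostor = Peer("rogue-gateway", os.urandom(32))  # knows no real secret
    return {
        "one_way_vs_genuine": one_way_handshake(client, genuine),
        "one_way_vs_impostor": one_way_handshake(client, impostor),
        "mutual_vs_genuine": mutual_handshake(client, genuine, server_secret),
        "mutual_vs_impostor": mutual_handshake(client, impostor, server_secret),
    }
```

The one-way case returns True for both gateways because the client has nothing to verify; only the mutual case distinguishes the genuine gateway from the impostor.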

Management

Key Management
  AltaVista Tunnel: Yes
  PPTP: No
  Benefits & Comments: With AltaVista Tunnel, keys can be easily managed and maintained with a Web server regardless of the Intranet configuration (with or without NT domains). AltaVista plans to deliver X.509 in the next release, allowing flexible and distributed key management.

Managing Growth
  AltaVista Tunnel: 512 concurrent connections, 2,000 in Q3CY97
  PPTP: 200
  Benefits & Comments: AltaVista Tunnel supports 200 concurrent connections on Windows NT and more than 500 on UNIX. PPTP does not support the high-end scalability required in large configurations.

Client Management
  AltaVista Tunnel: Trouble-free
  PPTP: Troublesome
  Benefits & Comments: "If the PPTP client, for example a laptop, has a network adapter installed and normally participates on the remote network you are dialing, you may need to add a route to the route table to make sure that packets destined for the remote PPTP server are routed through the correct interface." Microsoft, PPTP and Interoperability with Other Local Machine Services, 3/28/97.

Copyright © Digital Equipment Corporation. AltaVista Internet Software, 30 Porter Road, Littleton, MA. Fax: (978) 506-2017