Please validate my comparison...

...of L2TP to PPTP

- Both are based on PPP authentication
- L2TP encrypts the PPP auth process, PPTP doesn't (so dictionary attacks could be used)
- L2TP uses UDP 1701, PPTP uses TCP 1723
- L2TP is useable on ATM, Frame Relay, X.25 and TCP/IP networks, PPTP is only useable on TCP/IP
- L2TP provides user AND machine authentication, PPTP provides only user auth
- L2TP needs a certificate infrastructure to function, PPTP does not (but one will make it more secure)
- L2TP is generally more secure "out of the box," PPTP can be just as secure but requires much more configuration

Are all of these correct? I am going to be taking the test this week and just want to brush up on a few things. This is one of them. And other major differences you can think of are welcome

Thanks!

Chris

Find more posts tagged with

Save $250 on 2025 certification boot camps from Infosec!

Book now with code EOY2025

Button

Comments

eMeS

*removed

ThePistonDoctor

I realize the test won't go into this level of detail. I'm just the kind of person that like to understand things at a granular level so I have something to base my answers to high-level questions on. For example, if all of this is true I know that L2TP generally is an easier, more secure option and would be preferred over PPTP. However, PPTP could be less expensive and might be a viable solution where security is not the #1 concern.

Thanks for the insight though, that's comforting!

dynamik

ThePistonDoctor wrote:

- L2TP encrypts the PPP auth process, PPTP doesn't (so dictionary attacks could be used)

I think you mean replay attacks. Dictionary attacks just go through a list of common words. There's no reason (that I can think of) why unencrypted authentication would aid in this type of attack.

ThePistonDoctor wrote:

- L2TP uses UDP 1701, PPTP uses TCP 1723

PPTP also uses protol (not port) 47, GRE. Also, you need to be able to use nat-traversal with UDP to use L2TP/IPSec with computers on the other side of a NAT device.

ThePistonDoctor wrote:

- L2TP provides user AND machine authentication, PPTP provides only user auth

L2TP requires user and machine authentication.

ThePistonDoctor wrote:

- L2TP is generally more secure "out of the box," PPTP can be just as secure but requires much more configuration

The feeling I have is that L2TP is more secure overall, but you can secure PPTP enough to the point where it will be sufficient for most situations.

Don't forget about the inherit benefits of IPSec:

Syngress Security+, Page 117 wrote:

IPSec provides per-packet data origin, data integrity, replay protection, and data confidentiality. In contrast, PPTP only provides per-packet data confidentiality

Also, remember that while L2TP/IPSec seems like the best solution, complexity (difficulty to configure) and compatibility may make it undesirable in some circumstances.

Pick up the Syngress book if you don't have it. It definitely contains material that is above and beyond the exam objectives, but it seems like you're interested in that. You can get the PDF directly from them for $24: http://www.syngress.com/catalog/?pid=4350

ThePistonDoctor

Thanks for the detailed reply Dynamik.

Regarding your first comment, I was referring to the fact that PPP authentication exchanges could be intercepted in unencrypted form (even though they may be encrypted by PPP itself) and the exchange could be brute forced.

For example, let's say CHAP is used to do the authentication stage of the PPP portion of the communication. Sure, CHAP will encrypt the password with MD5, but the username is sent in plaintext. That authentication exchange could be intercepted when PPTP is used and the hash of the password brute forced. If L2TP/IPSec is used, the IPSec security association will occur before the PPP process, so the authentication exchange is encrypted and even if the PPP process used something like PAP (cleartext protocol) it would still be safe.

Is that incorrect?

dynamik

Sorry, I thought you meant using a dictionary attack to try to authenticate directly to the server. I see where you're going with the offline brute-force attack.

ThePistonDoctor

It's cool, as long as I had that right. Thanks for your input!