Difference between PPTP and L2TP?

Hi guys,
I was wondering what the exact differences are between the 2 types of VPN? I know PPTP offers encryption (as I've looked at the security tab of the VPN connection and seen the option to require encryption or the line is dropped). I have only ever used PPTP in real life as I've heard L2TP is a pain in the backside to set up, and if the level of encryption isn't that much better for L2TP, what are the reasons for choosing it?
Also, I have been looking into the whole certificates thing and it confuses me a bit for the following reason:
How does a client know whether or not it needs to use certificates to access information? For example, if I installed a CA on a domain controller, would EVERYTHING that is accessed from the Server require certificates on the client side? Also, if you install a CA on one Server, do certificates then apply to all member Servers and other DCs in the domain, or is it just for that particular Server?
I'm sorry to ask so many questions on here, but I find that the MS book doesn't actually explain the reasoning behind it all or the real-life practical questions/explanations. I find it better to ask the guys who can explain it properly and how it works in the real world, i.e. this forum.

Comments
Yo.
Well, it is better. That matters when security is a priority. L2TP requires certificates; PPTP does not. If you have an in-house CA and only your users, it's really not that bad to set up. As you get into more complicated scenarios (3rd party access, trusts with other forests, etc.) it gets more complicated. I use PPTP here.
It knows if a certificate is required. It needs one for EFS, signing/encrypting email, SSL in some circumstances, etc. Whatever you configure. Setting up a CA doesn't just automatically require certs on everything. If you want to use SSL with IIS, you have to go into IIS and configure it, etc. You can configure certs to be distributed through autoenrollment, or you can obtain them manually through the IIS site on the CA or the certificates console.
No problem, the MS Press book *sucks*. Get the Syngress book or you're really going to struggle with this exam.
http://technet.microsoft.com/en-us/library/bb742553.aspx
L2TP can use pre-shared keys instead of certificates.
So am I right in thinking that anything that uses SSL or https, requires certificates to be sent from either party, but with bog standard http, data has more basic encryption, or none at all?
I've heard quite a few stories about the PKI and CA stuff in this book; it confuses the hell out of me, and although I'm no master of everything MS, I'm definitely a good administrator who picks things up quite quickly.
Requiring certificates from both parties is referred to as mutual authentication, and it may or may not be required. You can configure IIS to use client certificate mappings if you want to require clients to use a certificate as well. Most often, only one certificate is required on the IIS server.
HTTP doesn't have any encryption; everything is sent in plain-text.
Here's a good PKI book that goes beyond the scope of this exam: http://www.amazon.com/Microsoft-Windows-Server-Certificate-Security/dp/0735620210/ref=pd_bbs_sr_1?ie=UTF8&s=books&qid=1218205254&sr=8-1
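As an added example (not from anyone in the thread): PowerShell that reads and sets the IIS sslFlags which decide whether a client certificate is ignored, accepted or required, i.e. where the "mutual authentication" described above is actually switched on for a site. It assumes IIS 7 or later with the WebAdministration module; the site name 'Default Web Site' is a placeholder.

```powershell
# Added example, not from the thread. Requires IIS 7+ and the WebAdministration
# module. The access section is locked at server level by default, so the
# settings are read and written through a <location> for the site.
Import-Module WebAdministration -ErrorAction Stop
$SiteName = 'Default Web Site'   # placeholder, change to your site

# sslFlags enumeration values as stored in applicationHost.config
$SslFlagNames = @{ 8 = 'Ssl'; 32 = 'SslNegotiateCert'; 64 = 'SslRequireCert'
                   128 = 'SslMapCert'; 256 = 'Ssl128' }

function Get-ClientCertMode {
    param([string]$Site)
    $raw = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location $Site -Filter 'system.webServer/security/access' `
                -Name sslFlags).Value
    # Newer builds return a comma-separated name list, older ones the raw bitmask
    if ($raw -is [int] -or $raw -is [long]) {
        $flags = @($SslFlagNames.Keys | Where-Object { $raw -band $_ } |
                   ForEach-Object { $SslFlagNames[$_] })
    } else {
        $flags = @(([string]$raw) -split ',' | ForEach-Object { $_.Trim() })
    }
    if     ($flags -contains 'SslRequireCert')   { 'Require: client must present a certificate (mutual authentication)' }
    elseif ($flags -contains 'SslNegotiateCert') { 'Accept: client certificate requested but optional' }
    elseif ($flags -contains 'Ssl')              { 'Ignore: only the server certificate is used (one-way SSL)' }
    else                                         { 'None: plain HTTP is still allowed on this site' }
}

function Set-ClientCertRequired {
    param([string]$Site)
    # The site needs an HTTPS binding with a server certificate already bound;
    # this only adds the requirement that the client authenticate with its own.
    Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
        -Filter 'system.webServer/security/access' -Name sslFlags `
        -Value 'Ssl,SslNegotiateCert,SslRequireCert'
}

"Before: $(Get-ClientCertMode $SiteName)"
Set-ClientCertRequired $SiteName
"After:  $(Get-ClientCertMode $SiteName)"
```

Once SslRequireCert is set, clients without a certificate get a 403.7 from IIS, which is what the "both parties present certificates" case above looks like in practice.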
That's definitely on my "to read" list. MS's PKI is probably my weakest subject.
Seriously, pick up that Syngress book: http://www.amazon.com/Planning-Maintaining-Windows-Network-Infrastructure/dp/1931836930/ref=sr_1_1?ie=UTF8&s=books&qid=1218205363&sr=1-1 You can get it used for $20.
+1
I can attest to the MS Press Book coming up short on the 70-293 test. *sigh*
L2TP is more flexible as it can be used over ATM, frame relay, X.25. PPTP is only supported by Microsoft. I've only used PPTP personally though.
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/deploy/dgfb_emp_fqnc.mspx?mfr=true
Here are a couple of good articles:
http://technet.microsoft.com/en-us/library/cc780018.aspx
http://technet.microsoft.com/en-us/library/bb878088.aspx
One of the main things to keep in mind is that PPTP uses Microsoft Point to Point Encryption whereas L2TP uses IPSec. PPTP only starts to use encryption after authentication whereas L2TP starts the entire session with IPSEC and then starts the authentication process.
IPSEC can still do MS-CHAP authentication and things of that sort, but that'll all be encapsulated inside IPSEC due to what I stated above. PPTP can still have the user authentication encrypted I believe, but it's not the job of PPTP to use MPPE to ensure that happens. You can have PPTP use EAP-TLS with user/computer authentication using certificates and it'll be the job of EAP-TLS to do so. But as I said, with IPSEC, you ensure that ALL VPN traffic is inside your IPSEC encryption, so it's basically being double encrypted.
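An added example, not from the thread: PowerShell that lists the VPN profiles on a Windows client and flags the properties the replies above discuss (PPTP/MPPE versus L2TP/IPsec, the "require encryption or drop the line" setting, and a pre-shared key versus a certificate for L2TP). It assumes Windows 8/Server 2012 or later, where the VpnClient module provides Get-VpnConnection.

```powershell
# Added example, not from the thread. Audits the VPN profiles (rasphone.pbk
# entries) of the current user and of all users. Requires the VpnClient module
# shipped with Windows 8 / Server 2012 and later.
Import-Module VpnClient -ErrorAction Stop

function Test-VpnProfile {
    param([Parameter(Mandatory)] $Conn)   # one object from Get-VpnConnection
    $findings = @()

    # PPTP: the MPPE keys are derived from the PPP (MS-CHAP) exchange, so the
    # tunnel is only encrypted after authentication. L2TP/IPsec brings up the
    # IPsec SA first and carries the whole PPP session inside it.
    if ($Conn.TunnelType -eq 'Pptp') {
        $findings += 'PPTP tunnel: MPPE encryption starts only after PPP authentication'
    }

    # The Security tab's "require data encryption (disconnect if none)" setting
    if ($Conn.EncryptionLevel -in 'NoEncryption', 'Optional') {
        $findings += "EncryptionLevel is $($Conn.EncryptionLevel): unencrypted PPP is accepted"
    }

    # L2TP/IPsec authenticating the machine with a PSK rather than a certificate
    if ($Conn.TunnelType -eq 'L2tp' -and $Conn.L2tpIPsecAuth -eq 'Psk') {
        $findings += 'L2TP/IPsec uses a pre-shared key, not a machine certificate'
    }

    # Legacy PPP user authentication methods still enabled on the profile
    $weak = @($Conn.AuthenticationMethod) | Where-Object { $_ -in 'Pap', 'Chap' }
    if ($weak) { $findings += "Weak PPP authentication enabled: $($weak -join ', ')" }

    [pscustomobject]@{
        Name       = $Conn.Name
        Server     = $Conn.ServerAddress
        TunnelType = $Conn.TunnelType
        Findings   = if ($findings) { $findings -join '; ' } else { 'OK' }
    }
}

$profiles = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
            @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
$profiles | ForEach-Object { Test-VpnProfile $_ } | Format-Table -AutoSize
```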
Just to clarify, it seems that most people wouldn't go with a standard CA as it's a load of manual work for the administrator. Enterprise CA is the way to go as it includes autoenrollment; I've got my head around that bit now.
So if I installed a CA from add/remove Windows components and chose enterprise CA, it then integrates it into AD, but from then on does everything that CAN be encrypted, such as files, e-mails etc., now automatically use the CA to encrypt data between the Server and all computer objects that are in Active Directory, or is there still some manual work to do?
Good timing on the CA stuff. I wrote a blog entry last night that talks about OCS and its requirements on certificates, and what the differences are between Standard/Enterprise CA and installing them on Standard Edition vs Enterprise Edition of Windows. I would give it a read; even though it's in regards to OCS, it still gives a lot of fundamental information on CA versions.
As always, it depends. If you're creating a hierarchy, you'll likely use a stand-alone CA as the root and take it offline as soon as you're done using it. You'll almost always want to use an Enterprise CA as your issuing CA for its ease of use and features.
No. You'll need to configure autoenrollment policies, etc. There is still some configuration with autoenrollment, but it will greatly reduce the amount of overall administration. You might want to check this out for more information: http://technet.microsoft.com/en-us/library/bb456981.aspx
Nice blog entry, Royal. It's nice to see one I can actually understand.
http://www.shudnow.net/2008/08/07/office-communicator-web-access-cwa-requires-server-2003-enterprise-edition-ca/
REALLY? that bad?
Man, that's like the 3rd time I said that.
Yes, it's that bad.
I can attest to this as well. I am currently studying for the 293 and finished the MS Press book. I started doing the Transcender exams and kept getting hit with concepts I didn't know. I am now reading the Syngress book and can see the difference. Syngress covers everything, and in depth as well.
I am hoping to take the 293 within a week or two.