is pptp via VPN secured ?

Hi
i suppose to mak VPN from denver to cairo but i'm wondering is the
authentication process encrypted using PPTP ?
my servers in 2 locations are behind a hardware router also i've 2 firewall
(ISA & Netgear in cairo)
can i go with PPTP safely ?
thanks for help

"Ahmad Sabry El Gendi" <AhmadSabry@abc> wrote in message
news:ua3LFy%(E-Mail Removed)...
> Hi
> i suppose to mak VPN from denver to cairo but i'm wondering is the
> authentication process encrypted using PPTP ?
> my servers in 2 locations are behind a hardware router also i've 2
> firewall (ISA & Netgear in cairo)
> can i go with PPTP safely ?
> thanks for help
>

It's not as secure as L2TP. But really you should be more worried about the
authentication method, make sure you are using minimum MS-CHAPv2, or
preferably EAP with 2 token authentication, such as smartcards!
Also, make sure you have the right encryption for your country, I'm not sure
what the government policy is in Egypt, but some countries ban encryption
above 40 or 56 bit (can't remember which).
Ben

Thanks Mr Ben
ok i'll use PPTP temporarly ... with the MS-Chapv2
it was working fine as a test.
** but i'm not aware of my country encryption levels may yuou forward me to
somewhere to have more info in this issue ?
** something else ... i read a little bit about L2TP
if i setup a a local CA in denver server & imported it in the egypt server
side will it woek fine or there's another reqiurements ?
thanx
A.Sabry
"Ben" <(E-Mail Removed)> wrote in message
news:(E-Mail Removed)...
> "Ahmad Sabry El Gendi" <AhmadSabry@abc> wrote in message
> news:ua3LFy%(E-Mail Removed)...
>> Hi
>> i suppose to mak VPN from denver to cairo but i'm wondering is the
>> authentication process encrypted using PPTP ?
>> my servers in 2 locations are behind a hardware router also i've 2
>> firewall (ISA & Netgear in cairo)
>> can i go with PPTP safely ?
>> thanks for help
>>
>
> It's not as secure as L2TP. But really you should be more worried about
> the authentication method, make sure you are using minimum MS-CHAPv2, or
> preferably EAP with 2 token authentication, such as smartcards!
> Also, make sure you have the right encryption for your country, I'm not
> sure what the government policy is in Egypt, but some countries ban
> encryption above 40 or 56 bit (can't remember which).
> Ben
>

I've googled around quickly, and found this:
http://www.citrix.com/site/jumpPage.asp?pageID=20347

The following list of countries may have export or import restrictions for
products containing strong (128-bit or greater) encryption.
Armenia, Azerbaijan, Belarus, Burma, Congo (Democratic Republic of), Cuba,
Egypt, France, Hong Kong, Iran, Israel, Kazakhstan, Liberia, Libya, Moldova,
Nagorno-Karabakh, North Korea, Pakistan, Philippines, Poland, Russia,
Rwanda, Saudi Arabia, Sierra Leone, Somalia, Sudan, Syria, Ukraine, Vietnam,
Yemen.

But you may want to Google a bit more, I used the keywords 'restriction
encryption import countries'

On the issue of CA's it depends how your infrastructure is setup, and what
sort of CA you run, and what firewall/vpn you have. We use ISA 2004, and
have an enterprise CA, which issued the machine certificates for the VPN,
I'm not sure if this is possible using your Netgear firewall/vpn solution.
If you were running 2 ISA VPN solutions, then you'd just issue 2
certificates for the machines, (don't think it even has to be an enterprise
CA, could be a standalone CA), then import those certificates into the ISA
boxes, and the VPN should work, as the 2 certificates both have the same
trusted root.

Ben


"Ahmad Sabry El Gendi" <AhmadSabry@abc> wrote in message
news:(E-Mail Removed)...
> Thanks Mr Ben
> ok i'll use PPTP temporarly ... with the MS-Chapv2
> it was working fine as a test.
> ** but i'm not aware of my country encryption levels may yuou forward me
> to somewhere to have more info in this issue ?
> ** something else ... i read a little bit about L2TP
> if i setup a a local CA in denver server & imported it in the egypt server
> side will it woek fine or there's another reqiurements ?
> thanx
> A.Sabry
> "Ben" <(E-Mail Removed)> wrote in message
> news:(E-Mail Removed)...
>> "Ahmad Sabry El Gendi" <AhmadSabry@abc> wrote in message
>> news:ua3LFy%(E-Mail Removed)...
>>> Hi
>>> i suppose to mak VPN from denver to cairo but i'm wondering is the
>>> authentication process encrypted using PPTP ?
>>> my servers in 2 locations are behind a hardware router also i've 2
>>> firewall (ISA & Netgear in cairo)
>>> can i go with PPTP safely ?
>>> thanks for help
>>>
>>
>> It's not as secure as L2TP. But really you should be more worried about
>> the authentication method, make sure you are using minimum MS-CHAPv2, or
>> preferably EAP with 2 token authentication, such as smartcards!
>> Also, make sure you have the right encryption for your country, I'm not
>> sure what the government policy is in Egypt, but some countries ban
>> encryption above 40 or 56 bit (can't remember which).
>> Ben
>>
>
>

In news:(E-Mail Removed),
Ahmad Sabry El Gendi <AhmadSabry@abc> stated, which I commented on below:
> Thanks Mr Ben
> ok i'll use PPTP temporarly ... with the MS-Chapv2
> it was working fine as a test.
> ** but i'm not aware of my country encryption levels may yuou forward
> me to somewhere to have more info in this issue ?
> ** something else ... i read a little bit about L2TP
> if i setup a a local CA in denver server & imported it in the egypt
> server side will it woek fine or there's another reqiurements ?
> thanx
> A.Sabry

What are you using for VPN? Windows?

What type of router do you have? If using a Cisco PIX, Watchguard or
Netscreen, you can configure it for VPN client connectivity, install the
client software on your laptop to benefit from a stronger L2TP VPN.



--
Ace
Innovative IT Concepts, Inc (IITCI)
Willow Grove, PA

This posting is provided "AS-IS" with no warranties or guarantees and
confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft MVP - Directory Services
Microsoft Certified Trainer

Having difficulty reading or finding responses to your post?
Instead of the website you're using, I suggest to use OEx (Outlook Express
or any other newsreader), and configure a news account, pointing to
news.microsoft.com. This is a direct link to the Microsoft Public
Newsgroups. It is FREE and requires NO ISP's Usenet account. OEx allows you
to easily find, track threads, cross-post, sort by date, poster's name,
watched threads or subject.
It's easy:

How to Configure OEx for Internet News
http://support.microsoft.com/?id=171164

Infinite Diversities in Infinite Combinations
Assimilation Imminent. Resistance is Futile
"Very funny Scotty. Now, beam down my clothes."

The only constant in life is change...