I'm just reading this:
http://www.sans.org/reading_room/whitepapers/vpns/1459.php
A few "interesting" things about this document. (E.g., there's a section
called "what the heck is IPSec?" That's very witty, but I'm not sure
how seriously you should trust such a document...)
The basic premise seems to be that all VPN systems currently in
existence actually suck, except OpenVPN which is completely perfect. A
suspicious conclusion, obviously.
The document claims this is because "IPSec is too complicated to be
secure", and that "TLS is mature and battle-tested". It also asserts
that running software in user-space is inherently better from a security
perspective. (While it *is* better, it's hardly the end of the story...)
The document seems to indicate that installing IPSec VPN software on
Windows is excruciatingly difficult due to the built-in IPSec
functionality Windows already has. (...it does??) For example,
"On Windows, OpenVPN installs just like any other program. It comes
bundled up as an executable and all you need to do is double click on
the installer. Total installation of the Windows client takes about 10
minutes including configuration. For anyone who has tried to configure
the builtin Windows IPSec client that should be impressive. For people
who have tried to install and configure third party IPSec clients, that
number should be shocking!"
Um... am I missing something? Installing Cisco's IPSec VPN involves...
double-clicking the installer. And that's it. What's so hard about that?
Also amusing is the statement "Blowfish is a very strong algorithm with
no known weaknesses. Its 128-bit key provides us with a large enough key
space to make brute force key attacks impossible in polynomial time."
Erm... like... WTF?
Still, I did learn one useful thing: Apparently the "route" command
exists on Windoze.
--
http://blog.orphi.me.uk/
http://www.zazzle.com/MathematicalOrchid*