North American Network Operators Group

RE: Security problem in PPPoE connection

  • From: Bora Akyol
  • Date: Mon Mar 13 14:19:12 2006

Any info on percentages of users that use routers vs Windows boxes? 


> 
> Microsoft has some suggestions for configuring PPPOE for MS-Windows.
> 
> http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/pppoe.mspx
> 
> A problem is many of your customers won't follow the 
> directions, and may still be vulnerable to man-in-the-middle 
> attacks for the login if they don't disable PAP. Because 
> things will appear to work, i.e. Windows will use CHAP first 
> and fall back to PAP, your customers may not notice when an 
> attack does occur.
> 
> Although PPPOE is a layer 2 protocol, the user data may be 
> vulnerable to many of the same ethernet CAM table, denial of 
> service and sniffing weaknesses even if the login credentials 
> are kept secret with CHAP (or more advanced EAP options).  
> PPPOE and PPP tend to assume the access networks are 1) 
> "free" and 2) "secure."  This may be constrained using 
> point-to-point connections, but often requires additional 
> configuration of multi-access networks.
> 
> The configuration details will vary by equipment vendor.  But 
> you should find some good information by doing a few web 
> searches for metro ethernet security, private vlan, broadcast 
> security.
> 
>
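
The quoted message notes that a Windows client can fall back from CHAP to PAP without the customer noticing. As an added illustration that is not part of the original thread, this Python sketch walks the LCP options in PPPoE session frames and flags PAP being requested, accepted, or actually used; the frames, MAC addresses and session ID are constructed, and the function names are hypothetical.

```python
import struct

PPPOE_SESSION = 0x8864                       # Ethertype of PPPoE session frames
PPP_LCP, PPP_PAP, PPP_CHAP = 0xC021, 0xC023, 0xC223
LCP_AUTH_OPTION = 3                          # LCP Authentication-Protocol option

def pap_finding(frame: bytes):
    """Return (session_id, finding) if the frame shows PAP in use, else None."""
    if len(frame) < 26 or struct.unpack_from("!H", frame, 12)[0] != PPPOE_SESSION:
        return None
    vertype, code, session, plen = struct.unpack_from("!BBHH", frame, 14)
    ppp = frame[20:20 + plen]
    if vertype != 0x11 or code != 0 or len(ppp) < 6:
        return None
    proto, pcode, _ident, length = struct.unpack_from("!HBBH", ppp, 0)
    if proto == PPP_PAP and pcode == 1:      # PAP Authenticate-Request
        return (session, "cleartext PAP credentials sent")
    if proto != PPP_LCP or pcode not in (1, 2):  # Configure-Request / Configure-Ack
        return None
    opts, i = ppp[6:2 + length], 0
    while i + 2 <= len(opts):
        otype, olen = opts[i], opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            break                            # malformed option, stop parsing
        if otype == LCP_AUTH_OPTION and olen >= 4:
            if struct.unpack_from("!H", opts, i + 2)[0] == PPP_PAP:
                return (session, "PAP requested" if pcode == 1 else "PAP accepted")
        i += olen
    return None

def make_frame(session, proto, code, data):
    """Build a constructed PPPoE session frame (placeholder MACs) for the demo."""
    ppp = struct.pack("!HBBH", proto, code, 1, 4 + len(data)) + data
    eth = bytes.fromhex("020000000001020000000002") + struct.pack("!H", PPPOE_SESSION)
    return eth + struct.pack("!BBHH", 0x11, 0, session, len(ppp)) + ppp

MRU = bytes.fromhex("010405d4")              # MRU 1492, exercises the option walk
SAMPLES = [                                  # constructed frames, not captured traffic
    make_frame(0x0011, PPP_LCP, 1, MRU + bytes.fromhex("0305c22305")),  # CHAP-MD5 offered
    make_frame(0x0011, PPP_LCP, 1, MRU + bytes.fromhex("0304c023")),    # PAP offered
    make_frame(0x0011, PPP_LCP, 2, MRU + bytes.fromhex("0304c023")),    # PAP acknowledged
    make_frame(0x0011, PPP_PAP, 1, b"\x04user\x04pass"),                # PAP login
]

def scan(frames):
    """Return the findings for every frame that shows PAP negotiation or use."""
    return [f for f in map(pap_finding, frames) if f]

if __name__ == "__main__":
    for session, finding in scan(SAMPLES):
        print(f"PPPoE session 0x{session:04x}: {finding}")
```

A CHAP-only negotiation produces no finding, so any output from a monitored access segment or client indicates a session where PAP was on offer or in use.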