The consequences of removing PPTP support from iOS 10

Apple's removal of PPTP support on iOS 10 and Mac OS Sierra leaves companies scrambling to implement other VPN protocols. Expert Michael Cobb explains enterprise options.

The Point-to-Point Tunneling Protocol (PPTP) is used to implement virtual private networks, which create a secure connection over an insecure network. It was developed by a consortium formed by Microsoft in 1999, but has never been proposed nor ratified as a standard by the Internet Engineering Task Force. It uses a control channel over TCP and a modified version of Generic Routing Encapsulation (GRE) to encapsulate point-to-point protocol (PPP) frames as tunneled data.

PPTP does not contain encryption or authentication features, but relies on PPP packets being tunneled to implement security functionality. PPTP support within VPN technologies is common, but the protocol has been known to be insecure for some time, with attacks being able to sniff passwords across the network, break the encryption scheme and read confidential data. Yet, like many outdated technologies and protocols, it is still widely used because it is relatively easy to set up and use compared to more secure PPTP alternatives.

The preview of the iOS 10 operating system revealed that Apple has removed PPTP support in its mobile OS, as well as in Mac OS Sierra. This has led to problems for many Apple users, as VPN services or setups that still use PPTP will no longer work with devices running the new OS. Microsoft has also warned users that iOS 10 will remove any custom VPN profiles in Intune that use PPTP.
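As an added example (not from the article, Apple or Microsoft), the following pre-upgrade audit lists the VPN payloads in an unsigned `.mobileconfig` configuration profile and flags those whose `VPNType` is PPTP. The sample profile and the function name `audit_profile` are constructed for illustration.

```python
import plistlib

# Constructed sample profile: one PPTP payload and one IKEv2 payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Example Corp VPN</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>Legacy office VPN</string>
      <key>VPNType</key><string>PPTP</string>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.vpn.managed</string>
      <key>UserDefinedName</key><string>New office VPN</string>
      <key>VPNType</key><string>IKEv2</string>
    </dict>
  </array>
</dict>
</plist>
"""

# Per the article, PPTP is the VPN type dropped in iOS 10 and Mac OS Sierra.
REMOVED_TYPES = {"PPTP"}

def audit_profile(data):
    """Return (connection name, VPNType, will_break) for each VPN payload."""
    try:
        profile = plistlib.loads(data)
    except plistlib.InvalidFileException:
        # Signed profiles are CMS-wrapped and must be unwrapped before parsing.
        raise ValueError("not a plain plist; is this profile signed?")
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue  # skip Wi-Fi, mail and other non-VPN payloads
        vpn_type = payload.get("VPNType", "")
        name = payload.get("UserDefinedName", "(unnamed)")
        findings.append((name, vpn_type, vpn_type.upper() in REMOVED_TYPES))
    return findings

if __name__ == "__main__":
    for name, vpn_type, will_break in audit_profile(SAMPLE_PROFILE):
        print(f"{name}: {vpn_type} -> {'MIGRATE' if will_break else 'ok'}")
```
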

Apple abruptly pulled support for its QuickTime for Windows software in 2016, and Apple users are again asking why Apple didn't communicate its plans to end PPTP support ahead of time.

The Apple Support portal posted a notice in July 2016 advising administrators that both iOS 10 and Mac OS Sierra would be dropping PPTP support. Apple suggested in the notice trying other, more secure VPN protocols, like L2TP/IPsec, IKEv2/IPsec, Cisco IPsec or SSL VPN clients, available from the App Store. Even if this advice had been spotted by overstretched system administrators, most organizations need more than four months to migrate to a new technology without disrupting key workflows and processes, particularly when there's no reasonable workaround available. While IPsec is ideally suited for implementing VPNs, it is notoriously time-consuming to set up.

Apple can't be faulted for dropping a protocol that potentially puts users' data at risk, and enterprises should have already replaced PPTP support in favor of newer, more secure connection methods. However, it is not Apple's role to dictate how enterprises and users operate.

There are valid, nonsecurity-related reasons why enterprises and users may want to use a PPTP tunnel, particularly when abroad, such as accessing geo-blocked websites and websites locked with an IP address block, or getting the correct search results for a specific country, none of which need VPN-based security. PPTP is ideal in these situations, and works with very little overhead, whereas a VPN wastes performance and bandwidth, and adds an unnecessary layer of security and complexity.

Enterprises needing to upgrade their VPN technologies on a budget should look at OpenVPN Technologies' open source OpenVPN software, which supports various operating systems, including Apple's; some routers even have direct support for it.

Another option is to reassess why VPNs are being used within the enterprise. Remote access communications to desktops, internal systems and resources should be protected by HTTPS, with the applications providing secure access instead of relying on the possible presence of a secured VPN.

These changes take time, though, and Apple should certainly have given enterprises more warning of their intentions, in addition to making the announcement more prominent. Microsoft's experience with the end-of-life of Windows XP shows that, even with a few years of high-profile warnings, many enterprises still fail to prepare themselves.

This incident also highlights the importance of thoroughly testing beta releases of essential software to see if changes adversely affect key activities. More needs to be done to move enterprises and users away from insecure technologies, but suddenly banning a technology can temporarily create further security problems and disrupt vital operations. Maybe there is an undisclosed reason why Apple has suddenly taken this step; if not, then their users are rightly aggrieved.

This was last published in January 2017
