We bought a new firewall a couple of months back, a Netgear UTM9S, and one of the features we enabled is the PPTP VPN to enable access to SQL, Web and File servers for remote users. But now, after reading this Ars Technica article on MSCHAP V2 being broken, I am wondering: should we worry about this and turn off PPTP and enable one of the other VPN options? SSL and IPSEC options are available, and reading the manual will be required to move to them, plus configuring each user's machine, so should we spend time on this? Or is this just FUD?
Well, it's not FUD: MSCHAPv2 has a legitimate weakness in its design, and a tool has been released that will allow an attacker to exploit that weakness. The actual article published by the researchers has some more details with their recommendations.
Your own company probably won't be immediately targeted by teh hax0rz: there has to be a network capture of the traffic that needs to be submitted for analysis, so one of your remote users would have to be using your VPN where an attacker is looking for MSCHAPv2 traffic to exploit. Since a number of steps are involved, you probably aren't looking at someone interested in vandalism (i.e., someone who wants to deface the Facebook pages of everyone in the coffee shop). The sort of attacker going after this VPN traffic will be rarer, but, if encountered, much more serious.
Regarding switching to IPSEC, note the warning in the article about IPSEC-PSK: you should go with certificates or with very complex pre-shared keys, as IPSEC-PSK is subject to a dictionary attack.