RRAS with PPTP connections security

From: Evan Mann (emann@questinc.org)
Date: 09/17/02

From: Evan Mann <emann@questinc.org>
To: focus-ms@securityfocus.com
Date: Tue, 17 Sep 2002 15:13:48 -0400

I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines to
my Watchguard Firebox II.

I am investigating switching from use the FBII as a point of authentication
to using a private side Win2000 RRAS server. I have setup a 1-to-1 NAT (as
watchguard calls it) to allow PPTP connections (tcp 47 and 1723) to my RRAS
server. The setup works fine and I can hit the RRAS server and authenticate
just like a charm.

What I don't know is what kind of security hazards I am opening myself up to
now that I've opened up tcp 47/tcp 1723 at the firebox level and let it
bypass the firewall and hit a private side server whichs runs RRAS and
allows PPTP connections.

Be aware that tcp 47/tcp 1723 are the ONLY ports that cna hit this server
frm the outside with the way I have the firewall configured.

Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with it.