RRAS with PPTP connections security

From: Evan Mann (emann@questinc.org)
Date: 09/17/02


From: Evan Mann <emann@questinc.org>
To: focus-ms@securityfocus.com
Date: Tue, 17 Sep 2002 15:13:48 -0400

I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines to
my Watchguard Firebox II.

I am investigating switching from using the FBII as a point of authentication
to using a private side Win2000 RRAS server. I have set up a 1-to-1 NAT (as
Watchguard calls it) to allow PPTP connections (tcp 47 and 1723) to my RRAS
server. The setup works fine and I can hit the RRAS server and authenticate
just like a charm.

What I don't know is what kind of security hazards I am opening myself up to
now that I've opened up tcp 47/tcp 1723 at the firebox level and let it
bypass the firewall and hit a private side server which runs RRAS and
allows PPTP connections.

Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this server
from the outside with the way I have the firewall configured.

Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with it.


