RE: RRAS with PPTP connections security

From: mjans001 (m.jansen001@chello.nl)
Date: 09/18/02


From: "mjans001" <m.jansen001@chello.nl>
To: <emann@questinc.org>, <focus-ms@securityfocus.com>
Date: Wed, 18 Sep 2002 07:57:46 +0200


You may want to look into terminating the PPTP or, maybe in the future,
IPsec tunnels in the DMZ, where you have authenticated the user etc.
Then you can put restrictive access-lists on the user traffic, and you
have to authenticate locally or let the authentication traffic, say
RADIUS, pass through.

Martijn
CCNP DP CISSP

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Tuesday, 17 September 2002 21:14
To: focus-ms@securityfocus.com
Subject: RRAS with PPTP connections security

I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines
to my Watchguard Firebox II.

I am investigating switching from using the FBII as a point of
authentication to using a private side Win2000 RRAS server. I have
set up a 1-to-1 NAT (as Watchguard calls it) to allow PPTP connections
(tcp 47 and 1723) to my RRAS server. The setup works fine and I can hit
the RRAS server and authenticate just like a charm.

What I don't know is what kind of security hazards I am opening myself
up to now that I've opened up tcp 47/tcp 1723 at the firebox level and
let it bypass the firewall and hit a private side server which runs
RRAS and allows PPTP connections.

Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this
server from the outside with the way I have the firewall configured.

Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with
it.
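Added example, not part of either message in this thread: a small model of the two firewall designs discussed above (the poster's 1-to-1 NAT to an internal RRAS server, and the reply's suggestion of terminating the tunnel in the DMZ with restrictive access-lists and RADIUS passed through), written so the effective policy for each flow can be checked. Zone names, the VPN address pool, and the one permitted internal service (tcp/25) are constructed assumptions; PPTP itself is tcp/1723 for control plus GRE, which is IP protocol 47 rather than a TCP port, so the protocol is modelled separately from the port.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str              # source zone
    dst: str              # destination zone
    proto: str            # "tcp", "udp", "gre" or "any"
    port: Optional[int]   # destination port; None = any port / protocol has no ports
    action: str           # "allow" or "deny"

def decide(rules, src, dst, proto, port=None):
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if (r.src in (src, "any") and r.dst in (dst, "any")
                and r.proto in (proto, "any") and r.port in (port, None)):
            return r.action
    return "deny"

# Design in the original post: 1-to-1 NAT from the Firebox to an RRAS server
# on the private side. Only tcp/1723 and GRE are opened, but once a tunnel is
# up the decapsulated user traffic appears on the internal LAN behind the
# Firebox, so the firewall is not in its path: effectively "allow" everywhere.
CURRENT = [
    Rule("internet", "internal", "tcp", 1723, "allow"),   # PPTP control channel
    Rule("internet", "internal", "gre", None, "allow"),   # PPTP data, IP proto 47
    Rule("vpn-pool", "internal", "any", None, "allow"),   # never filtered
]

# Design from the reply: terminate the tunnel on a server in the DMZ, let only
# RADIUS through from it to the inside, and put a restrictive list on the
# already-authenticated user traffic. The permitted service port is constructed.
PROPOSED = [
    Rule("internet", "dmz", "tcp", 1723, "allow"),
    Rule("internet", "dmz", "gre", None, "allow"),
    Rule("dmz", "internal", "udp", 1812, "allow"),        # RADIUS authentication
    Rule("dmz", "internal", "udp", 1813, "allow"),        # RADIUS accounting
    Rule("vpn-pool", "internal", "tcp", 25, "allow"),     # one permitted service
    Rule("vpn-pool", "internal", "any", None, "deny"),    # everything else
]

def compare(src, dst, proto, port=None):
    """Return (current_decision, proposed_decision) for one flow."""
    return decide(CURRENT, src, dst, proto, port), decide(PROPOSED, src, dst, proto, port)

if __name__ == "__main__":
    for flow in [("internet", "internal", "tcp", 1723), ("vpn-pool", "internal", "tcp", 445),
                 ("vpn-pool", "internal", "tcp", 25), ("dmz", "internal", "udp", 1812)]:
        print(flow, compare(*flow))
```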
