RE: RRAS with PPTP connections security

From: Chris Odell (chris@odellnet.com)
Date: 09/18/02


From: "Chris Odell" <chris@odellnet.com>
To: "'Evan Mann'" <emann@questinc.org>, <focus-ms@securityfocus.com>
Date: Tue, 17 Sep 2002 18:20:01 -0700


  In my small experience, I have always added a second adapter in a DMZ
zone with pptp filtering checked in the adapter properties.

  Just my 2 cents....

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Tuesday, September 17, 2002 12:14 PM
To: focus-ms@securityfocus.com
Subject: RRAS with PPTP connections security

I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines to
my Watchguard Firebox II.

I am investigating switching from using the FBII as a point of
authentication to using a private side Win2000 RRAS server. I have set up a
1-to-1 NAT (as Watchguard calls it) to allow PPTP connections (tcp 47 and
1723) to my RRAS server. The setup works fine and I can hit the RRAS server
and authenticate just like a charm.

What I don't know is what kind of security hazards I am opening myself up
to now that I've opened up tcp 47/tcp 1723 at the firebox level and let it
bypass the firewall and hit a private side server which runs RRAS and
allows PPTP connections.

Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this server
from the outside with the way I have the firewall configured.

Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with
it?