RE: RRAS with PPTP connections security

From: Chris Odell (
Date: 09/18/02

From: "Chris Odell" <>
To: "'Evan Mann'" <>, <>
Date: Tue, 17 Sep 2002 18:20:01 -0700

  In my small experience, I have always added a second adapter in a DMZ
zone with pptp filtering checked in the adapter properties.

  Just my 2 cents....

-----Original Message-----
From: Evan Mann []
Sent: Tuesday, September 17, 2002 12:14 PM
Subject: RRAS with PPTP connections security

I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines
my Watchguard Firebox II.

I am investigating switching from using the FBII as a point of
to using a private side Win2000 RRAS server. I have set up a 1-to-1 NAT
watchguard calls it) to allow PPTP connections (tcp 47 and 1723) to my
server. The setup works fine and I can hit the RRAS server and
just like a charm.

What I don't know is what kind of security hazards I am opening myself
up to now that I've opened up tcp 47/tcp 1723 at the firebox level and let it
bypass the firewall and hit a private side server which runs RRAS and
allows PPTP connections.

Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this
from the outside with the way I have the firewall configured.

Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with