RE: RRAS with PPTP connections security
From: mjans001 (m.jansen001@chello.nl) Date: 09/18/02
- Previous message: Marc Fossi: "SecurityFocus Microsoft Newsletter #104"
- Maybe in reply to: Evan Mann: "RRAS with PPTP connections security"
- Next in thread: Ogle Ron (Rennes): "RE: RRAS with PPTP connections security"
From: "mjans001" <m.jansen001@chello.nl> To: <emann@questinc.org> Date: Wed, 18 Sep 2002 19:40:35 +0200
Keep an extra DMZ (outside a pix or fw1) at hand where you end/terminate
all the pppoe/ipsec encapsulated traffic. (maybe also a dial-in device
there).
Authenticate from there (fw rules, only radius udp traffic to dc)
against a directory, radius or Tacacs+ to save work in the long run.
The inside part of the pptp terminator LAN is trusted, but only let
traffic you allow from the terminator NIC to the fileservers/mail etc.
So keep your defences layered, think of a wall/closed gate around the
embassy, and the locked front door.
Keep personal firewalls like zonealarm and software vpn ipsec clients
(like cisco) on RAS clients in mind. No covert channels.
1 infected pc can ruin all netbios shares in your lan in a minute.
Martijn
-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Wednesday, September 18, 2002 14:13
To: 'mjans001'
Subject: RE: RRAS with PPTP connections security
What do you mean by terminating PPTP?
-----Original Message-----
From: mjans001 [mailto:m.jansen001@chello.nl]
Sent: Wednesday, September 18, 2002 1:58 AM
To: emann@questinc.org; focus-ms@securityfocus.com
Subject: RE: RRAS with PPTP connections security
You may want to look into terminating the pptp or maybe in the future
ipsec tunnels in the dmz, where you have authenticated the user etc.
Then you can put restrictive access-lists on the user traffic, and you
have to authenticate locally or let the authentication traffic, say
radius, pass through.
Martijn
CCNP DP CISSP
-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Tuesday, September 17, 2002 21:14
To: focus-ms@securityfocus.com
Subject: RRAS with PPTP connections security
I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines
to my Watchguard Firebox II.
I am investigating switching from using the FBII as a point of
authentication to using a private side Win2000 RRAS server. I have
setup a 1-to-1 NAT (as watchguard calls it) to allow PPTP connections
(tcp 47 and 1723) to my RRAS server. The setup works fine and I can hit
the RRAS server and authenticate just like a charm.
What I don't know is what kind of security hazards I am opening myself
up to now that I've opened up tcp 47/tcp 1723 at the firebox level and
let it bypass the firewall and hit a private side server which runs
RRAS and allows PPTP connections.
Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this
server from the outside with the way I have the firewall configured.
Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with
it.
- application/x-pkcs7-signature attachment: smime.p7s
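The layered design Martijn describes at the top of this message (PPTP terminated on a DMZ host, only RADIUS from that host to the DC, only explicitly allowed traffic onward to the inside servers) can be written down as a first-match policy and checked before it goes on the firewall. The following is an added example, not code from the thread or from any product named in it; the zone names, hosts and rule list are constructed for illustration.

```python
# Added example: a first-match zone policy modelling the DMZ PPTP terminator
# design, plus a check that both halves of PPTP are actually passed.
# Zone names and the rule list are constructed, not taken from any real site.
from dataclasses import dataclass
from typing import Optional

GRE = 47  # GRE is IP protocol 47; PPTP also needs TCP/1723 for its control channel

@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str                 # "tcp", "udp" or "gre"
    port: Optional[int] = None # destination port for tcp/udp, None for gre

# (src_zone, dst_zone, proto, port or None, action); first match wins
RULES = [
    ("internet", "dmz-pptp", "tcp", 1723, "allow"),    # PPTP control channel
    ("internet", "dmz-pptp", "gre", None, "allow"),    # PPTP data tunnel
    ("dmz-pptp", "inside-dc", "udp", 1812, "allow"),   # only RADIUS to the DC
    ("dmz-pptp", "inside-files", "tcp", 445, "allow"), # explicit SMB allow
    ("dmz-pptp", "inside-mail", "tcp", 25, "allow"),   # explicit SMTP allow
    ("*", "*", "*", None, "deny"),                     # default deny
]

def decide(flow, rules=RULES):
    """Return 'allow' or 'deny' for a flow under first-match semantics."""
    for src, dst, proto, port, action in rules:
        if src != "*" and src != flow.src_zone:
            continue
        if dst != "*" and dst != flow.dst_zone:
            continue
        if proto != "*" and proto != flow.proto:
            continue
        if port is not None and port != flow.port:
            continue
        return action
    return "deny"  # nothing matched: treat as denied

def pptp_rule_problems(rules):
    """List what is wrong with the internet -> terminator PPTP rules.
    PPTP needs TCP/1723 (control) and GRE, IP protocol 47 (data); a rule
    for TCP *port* 47 is a common slip and does not carry GRE traffic."""
    problems = []
    if decide(Flow("internet", "dmz-pptp", "tcp", 1723), rules) != "allow":
        problems.append("TCP/1723 (PPTP control) not allowed to terminator")
    if decide(Flow("internet", "dmz-pptp", "gre"), rules) != "allow":
        problems.append("GRE (IP protocol 47, PPTP data) not allowed to terminator")
    if any(r[2] == "tcp" and r[3] == GRE and r[4] == "allow" for r in rules):
        problems.append("rule allows TCP port 47, which is not GRE")
    return problems
```

Run `pptp_rule_problems` against the rule list you intend to deploy; an empty list means both halves of PPTP reach the terminator, while the default-deny rule keeps everything else from the DMZ host, SMB to the DC included, off the inside network.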