RE: RRAS with PPTP connections security

From: mjans001 (m.jansen001@chello.nl)
Date: 09/18/02


From: "mjans001" <m.jansen001@chello.nl>
To: <emann@questinc.org>
Date: Wed, 18 Sep 2002 19:40:35 +0200


Keep an extra DMZ (outside a PIX or FW-1) at hand where you end/terminate
all the PPPoE/IPsec-encapsulated traffic (maybe also a dial-in device
there).

Authenticate from there (firewall rules: only RADIUS UDP traffic to the DC)
against a directory, RADIUS or TACACS+ to save work in the long run.

The inside part of the PPTP terminator LAN is trusted, but only let
traffic you allow from the terminator NIC through to the file servers, mail, etc.

So keep your defences layered: think of a wall/closed gate around the
embassy, and the locked front door.

Keep personal firewalls like ZoneAlarm and software VPN/IPsec clients
(like Cisco's) on RAS clients in mind. No covert channels:
one infected PC can ruin all NetBIOS shares in your LAN in a minute.

Martijn

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Wednesday, 18 September 2002 14:13
To: 'mjans001'
Subject: RE: RRAS with PPTP connections security

What do you mean by terminating PPTP?

-----Original Message-----
From: mjans001 [mailto:m.jansen001@chello.nl]
Sent: Wednesday, September 18, 2002 1:58 AM
To: emann@questinc.org; focus-ms@securityfocus.com
Subject: RE: RRAS with PPTP connections security

You may want to look into terminating the PPTP, or maybe in the future
IPsec, tunnels in the DMZ, where you have authenticated the user etc.
Then you can put restrictive access lists on the user traffic, and you
have to authenticate locally or let the authentication traffic, say
RADIUS, pass through.

Martijn
CCNP DP CISSP

-----Original Message-----
From: Evan Mann [mailto:emann@questinc.org]
Sent: Tuesday, 17 September 2002 21:14
To: focus-ms@securityfocus.com
Subject: RRAS with PPTP connections security

I am looking into allowing more users access to our network from home.
Currently I do this using MS PPTP connections from Win2000 Pro machines
to my Watchguard Firebox II.

I am investigating switching from using the FBII as a point of
authentication to using a private side Win2000 RRAS server. I have
set up a 1-to-1 NAT (as Watchguard calls it) to allow PPTP connections
(tcp 47 and 1723) to my RRAS server. The setup works fine and I can hit
the RRAS server and authenticate just like a charm.

What I don't know is what kind of security hazards I am opening myself
up to now that I've opened up tcp 47/tcp 1723 at the Firebox level and
let it bypass the firewall and hit a private side server which runs
RRAS and allows PPTP connections.

Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this
server from the outside with the way I have the firewall configured.

Can you please enlighten me as to why I may NOT want to go with this
configuration, and how I can secure it further if I do decide to go with
it.
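The layered placement Martijn sketches (tunnel terminator in its own DMZ, RADIUS only from the terminator to the DC, an explicit allow-list from the terminator's inside NIC to the servers) as a small first-match policy model that can be run against probe packets. This is an added example, not code from the original thread; the addresses, host roles and probe packets are constructed for it. It also carries the caveat a practitioner would raise on the original question: PPTP needs TCP port 1723 for the control connection and GRE, which is IP protocol 47 rather than TCP port 47, for the tunnelled data, so the model keeps protocol and port separate and shows that a rule written as "tcp 47" leaves the data channel blocked.

```python
"""Model of a layered VPN-terminator policy: the PPTP/IPsec terminator sits in
its own DMZ, the perimeter admits only the tunnel protocols to it, the
terminator may only talk RADIUS to the inside authentication server, and only
named services are reachable from its inside NIC.  Rules are evaluated
first-match with an implicit default deny."""

from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed addresses for this example; they are not from the original thread.
ANY        = ip_network("0.0.0.0/0")
TERMINATOR = ip_network("192.0.2.2/32")    # PPTP/IPsec terminator in the VPN DMZ
RADIUS_SRV = ip_network("10.10.1.5/32")    # domain controller running RADIUS (IAS)
FILESERVER = ip_network("10.10.2.10/32")
MAILSERVER = ip_network("10.10.2.20/32")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "gre"
    dport: Optional[int] = None  # None for GRE, which carries no port numbers


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dports: FrozenSet[int] = frozenset()  # empty: any port, or a portless protocol
    note: str = ""

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in self.src or ip_address(p.dst) not in self.dst:
            return False
        if p.proto != self.proto:
            return False
        return not self.dports or p.dport in self.dports


def evaluate(p: Packet, rules: List[Rule]) -> Tuple[str, str]:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action, r.note
    return "deny", "default deny"


# Layer 1: Internet -> terminator, tunnel protocols only.  PPTP is TCP 1723 for
# control plus GRE (IP protocol 47) for data; GRE is a protocol, not a TCP port.
# Layer 2: terminator -> inside, only RADIUS to the authentication server
# (add 1645/1646 if the server still listens on the legacy ports).
# Layer 3: terminator inside NIC -> servers, explicit application ports only.
LAYERED_POLICY = [
    Rule("allow", ANY, TERMINATOR, "tcp", frozenset({1723}), "PPTP control channel"),
    Rule("allow", ANY, TERMINATOR, "gre", note="PPTP data channel (GRE, proto 47)"),
    Rule("allow", ANY, TERMINATOR, "udp", frozenset({500, 4500}), "IKE / NAT-T for IPsec"),
    Rule("allow", TERMINATOR, RADIUS_SRV, "udp", frozenset({1812, 1813}), "RADIUS auth/acct"),
    Rule("allow", TERMINATOR, FILESERVER, "tcp", frozenset({445}), "SMB to file server"),
    Rule("allow", TERMINATOR, MAILSERVER, "tcp", frozenset({25, 143}), "mail"),
]

# The same policy with the GRE rule replaced by the common "tcp 47" mistake.
TCP47_POLICY = [
    Rule("allow", ANY, TERMINATOR, "tcp", frozenset({47}), "mistaken: TCP port 47 is not GRE")
    if r.proto == "gre" else r
    for r in LAYERED_POLICY
]


def audit(policy: List[Rule]) -> Dict[str, str]:
    """Run a constructed set of probe packets through a policy; return verdicts."""
    probes = {
        "pptp_control":      Packet("203.0.113.7", "192.0.2.2", "tcp", 1723),
        "pptp_gre":          Packet("203.0.113.7", "192.0.2.2", "gre"),
        "internet_to_dc":    Packet("203.0.113.7", "10.10.1.5", "udp", 1812),
        "internet_smb_dc":   Packet("203.0.113.7", "10.10.1.5", "tcp", 445),
        "radius_from_vpn":   Packet("192.0.2.2", "10.10.1.5", "udp", 1812),
        "smb_to_files":      Packet("192.0.2.2", "10.10.2.10", "tcp", 445),
        "smb_to_dc":         Packet("192.0.2.2", "10.10.1.5", "tcp", 445),
        "rdp_to_terminator": Packet("203.0.113.7", "192.0.2.2", "tcp", 3389),
    }
    return {name: evaluate(p, policy)[0] for name, p in probes.items()}


if __name__ == "__main__":
    for name, verdict in audit(LAYERED_POLICY).items():
        print(f"{name:20} {verdict}")
    print("GRE with the tcp/47 mistake:", audit(TCP47_POLICY)["pptp_gre"])
```

The point of the probes is that every path not on the three layers ends in the default deny: an Internet host cannot reach the DC on RADIUS or SMB, and an authenticated VPN user, whose traffic leaves the terminator's inside NIC, can reach SMB on the file server but not on the DC. Translating the list into a real ruleset means a separate GRE protocol entry on the Firebox or PIX, not a TCP port entry.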
