RE: RRAS with PPTP connections security
From: Ogle Ron (Rennes) (ron.ogle@thomson.net)
Date: 09/18/02
- Previous message: Peter 'Luna' Runestig: "Re: Does W2K hold user's email, EFS etc private key securely ?"
- Maybe in reply to: Evan Mann: "RRAS with PPTP connections security"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Ogle Ron (Rennes)" <ron.ogle@thomson.net>
To: "'Evan Mann'" <emann@questinc.org>, focus-ms@securityfocus.com
Date: Wed, 18 Sep 2002 11:04:13 +0200
As a general rule, don't let anything past your firewall to the inside
unless you have an encrypted (at least 56 bit DES) VPN with 2 factor
authentication. The authentication check should be done at the perimeter
before any traffic is allowed inside.
For the 2 factor authentication you can use S/Key, SecurID, Certificates,
etc. Do yourself a favor and drop PPTP and go to the better IPsec.
Ron Ogle
Rennes, France
> -----Original Message-----
> From: Evan Mann [mailto:emann@questinc.org]
> Sent: Tuesday, September 17, 2002 09:14 PM
> To: focus-ms@securityfocus.com
> Subject: RRAS with PPTP connections security
>
>
> I am looking into allowing more users access to our network from home.
> Currently I do this using MS PPTP connections from Win2000 Pro machines to
> my Watchguard Firebox II.
>
> I am investigating switching from using the FBII as a point of
> authentication to using a private side Win2000 RRAS server. I have set up a
> 1-to-1 NAT (as Watchguard calls it) to allow PPTP connections (tcp 47 and
> 1723) to my RRAS server. The setup works fine and I can hit the RRAS server
> and authenticate just like a charm.
>
> What I don't know is what kind of security hazards I am opening myself up to
> now that I've opened up tcp 47/tcp 1723 at the Firebox level and let it
> bypass the firewall and hit a private side server which runs RRAS and
> allows PPTP connections.
>
> Be aware that tcp 47/tcp 1723 are the ONLY ports that can hit this server
> from the outside with the way I have the firewall configured.
>
> Can you please enlighten me as to why I may NOT want to go with this
> configuration, and how I can secure it further if I do decide to go with it.
>