>Dreez said...
>"FYI, MS has said that it will provide PPTP in Win95 clients by year end
>which reduces need for PPTP in FEPs. Correct me if I'm wrong."
>
>PPTP client support is already built into NT 4.0, so putting it into Win95 is
>just a matter of time.
>
>Dreez said...
>"Russ said firewall vendors should make their clients PPTP compatible.
>Well if I can get mine free from MS, why should I spend the money?"
>
>Hey, I never said that! Whether the Firewall vendors make their VPN clients
>PPTP compatible or not is not as important (in my mind) as them making some
>provision for PPTP at or through their Firewall servers. If I chose to use
>PPTP for my clients to access my office, I don't want to hear that the
>Firewall is an obstacle to doing that.
>
>My original question was whether or not Firewall folks thought that the
>interesting concepts in PPTP posed a potential security risk that needs to be
>addressed, either by a Firewall or in the specification itself. Imagine:
>
>- my office LAN has a network address of, say, 150.25.x.x
>- my PPTP server has an address of, say, 150.25.10.2
>- my external Firewall adapter has an address of, say, 192.20.30.1
>- the FEP has an address of, say, 206.22.33.1, and might be anywhere on the
>Internet
>- once connected, my client is going to have an address of 150.25.100.5,
>yet its packets are passing through 206.22.33.1 to 192.20.30.1 and then
>ultimately appearing through 150.25.10.2, thereby appearing to be internal
>addresses.
>
>Does anyone see a problem with this scenario?
>
>Dreez said...
>"I haven't heard a PPTP routing story that makes sense. For example, if
>the session is encrypted (RAS encrypts the data in the tunnel at the client),
>how is PPTP going to see the IP address information to route? It will be
>encrypted. Someone fill in the gaps please."
>
>The current PPTP specification only covers the communication between the
>FEP and the NTS, so there is nothing that I've found talking about how
>the client will negotiate which NTS it wants the FEP to establish a
>connection with. In fact, the document that I have (PPTP specifications
>dated Feb. 22nd) indicates that the FEP will not actually answer the
>client call until it has determined that the NTS is prepared and willing
>to accept the call??? Clearly this must have been updated since then so
>I have to get more info.
>
>Cheers,
>Russ
>...eek, quick, someone give me some broken software, I'm suffering beta
>withdrawals...
>
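
The addressing scenario in the message above, and the encryption question quoted in it, seen from a packet filter's side; this is an added example, not part of the original message. It assumes the enhanced-GRE encapsulation of the later published PPTP specification (RFC 2637) rather than the Feb. 22nd draft, that the tunnel's outer destination is the PPTP server, and a constructed inner destination of 150.25.1.1; all function names are illustrative.

```python
import ipaddress
import struct

GRE, PPTP_PPP = 47, 0x880B   # IP protocol 47; PPP-in-GRE protocol type (RFC 2637)
INTERNAL = ipaddress.ip_network("150.25.0.0/16")   # office LAN from the message

def ipv4(src, dst, proto, payload=b""):
    """Constructed 20-byte IPv4 header (checksum left at 0) plus payload."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + payload

def tunnel(outer_src, outer_dst, ppp_frame, call_id=1, seq=0):
    # Enhanced GRE header: K and S bits set, version 1 (0x3001).
    gre = struct.pack("!HHHHI", 0x3001, PPTP_PPP, len(ppp_frame), call_id, seq)
    return ipv4(outer_src, outer_dst, GRE, gre + ppp_frame)

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload); ValueError on a malformed header."""
    if len(buf) < 20 or buf[0] >> 4 != 4 or (buf[0] & 0x0F) < 5:
        raise ValueError("not an IPv4 header")
    addr = lambda b: str(ipaddress.IPv4Address(b))
    return addr(buf[12:16]), addr(buf[16:20]), buf[9], buf[(buf[0] & 0x0F) * 4:]

def inspect_packet(packet):
    """Addresses a filter sees on the outside and, if readable, inside the tunnel."""
    src, dst, proto, rest = parse_ipv4(packet)
    view = {"outer": (src, dst), "inner": None}
    if proto != GRE or len(rest) < 8:
        return view
    flags, ptype, plen, _call_id = struct.unpack("!HHHH", rest[:8])
    if ptype != PPTP_PPP or (flags & 0x0007) != 1:   # GRE version must be 1
        return view
    off = 8 + (4 if flags & 0x1000 else 0) + (4 if flags & 0x0080 else 0)
    ppp = rest[off:off + plen]
    if ppp[:2] == b"\xff\x03":                       # optional PPP address/control
        ppp = ppp[2:]
    if ppp[:2] == b"\x00\x21" and len(ppp) >= 22:    # PPP protocol 0x0021 = IPv4
        view["inner"] = parse_ipv4(ppp[2:])[:2]
    return view

def internal_source_from_outside(view):
    """True when a readable inner 'internal' source arrived from an external peer."""
    outer_src = ipaddress.ip_address(view["outer"][0])
    return (view["inner"] is not None and outer_src not in INTERNAL
            and ipaddress.ip_address(view["inner"][0]) in INTERNAL)

# Constructed samples: a cleartext PPP/IP frame, then PPP protocol 0x00FD
# (compressed datagram) standing in for a payload the filter cannot read.
CLEAR = tunnel("206.22.33.1", "150.25.10.2",
               b"\xff\x03\x00\x21" + ipv4("150.25.100.5", "150.25.1.1", 6))
OPAQUE = tunnel("206.22.33.1", "150.25.10.2", b"\xff\x03\x00\xfd" + bytes(24))
```

For the opaque sample the filter can only act on the outer pair (FEP to PPTP server, protocol 47), so any policy on the inner 150.25.x.x traffic has to be applied after the PPTP server has unwrapped it.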