Great Circle Associates Firewalls
(August 1997)

Subject: Re: PPTP & FW-1
From: Eric Vyncke <evyncke @ cisco . com>
Date: Wed, 06 Aug 1997 13:30:07 +0000
To: Dick_Wall @ stratus . com, firewalls-owner @ GreatCircle . COM
Cc: bc17684 @ 90 . deere . com, Beall_Linda/na2 @ na2 . stratus . com, Eckler_Richard/na2 @ na2 . stratus . com, Firewalls @ GreatCircle . COM, fw-1-mailinglist @ us . checkpoint . com

At 13:57 5/08/97 -0400, Dick_Wall @ stratus . com wrote:
>> PPTP is using:
>> - a modified GRE tunnel which lays directly on the top
>> of IP with protocol (I do not have right now the number of the
>> protocol but check in /etc/protocols for the right number)
>> - a TCP control session to port 5678 (on the PPTP 'server') which
>> is by the way a funny number ;-)
>
>Is it really 5678 ??  I was told that the port was really 1723.  And
>that if I wanted to prevent my users from establishing PPTP sessions ..
>block outbound (towards the Internet) requests to TCP port 1723.  Did I
>get some bad info ?

Dick,

It seems that I was wrong and you were right. I was relying on
the PPTP draft, which specified port 5678. It seems that the NT
help files (dixit Russ Cooper) are actually using 1723.

>> Also beware that PPTP is probably useful for you but do not
>> trust too much its security... 

To further comment on my previous personal comment: PPTP is
not insecure per se, but rather the implementation of it by
Microsoft:
- authentication is done by NT logon, i.e., re-usable passwords;
  one-time passwords are not easily integrated (if possible at all!)
  in NT logon
- authorization: as far as I know, you cannot restrict the PPTP
  tunnel to start from some IP addresses only,
- authorization: you cannot prevent the remote user of the
  PPTP tunnel from accessing any IP addresses/services on your
  internal network either
- confidentiality is implemented, AFAIK, by PPP encryption, which
  is not available for Unix machines and is/was limited to a 40-bit
  key outside of the USA

The first three points are 'weak' with respect to standard telephone
dial-in:
- authentication with dial-in access servers can be easily integrated
  with stronger authentication like one-time tokens
- authorization can prevent the dial-in user (based on their userid)
  from accessing some parts of the internal networks.

To stress the first line of my previous message, this is my personal
opinion only! (notice the possible bias from my employer).

-eric


Eric Vyncke      
Technical Consultant               Cisco Systems Belgium SA/NV
Phone:  +32-2-778.4677             Fax:    +32-2-778.4300
E-mail: evyncke @ cisco . com          Mobile: +32-75-312.458
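As an added example for this thread (not code from the original message, from Cisco or from Check Point), the following Python identifies PPTP traffic by its wire format rather than by port number, which is what the 5678-versus-1723 confusion above makes relevant. It assumes the format of RFC 2637: a PPTP control message carries a fixed magic cookie (0x1A2B3C4D) regardless of which TCP port the peers use, and the tunnelled data is GRE (IP protocol 47, the /etc/protocols entry the quoted message refers to) version 1 with protocol type 0x880B. The sample packets, addresses and call ID are constructed by hand, with IPv4 and TCP checksums left at zero for simplicity.

```python
import socket
import struct

PPTP_MAGIC = 0x1A2B3C4D      # RFC 2637 control-message cookie
PPTP_PORT = 1723             # registered control port (NT uses this, not 5678)
IPPROTO_TCP = 6
IPPROTO_GRE = 47             # GRE, the /etc/protocols number the message alludes to
GRE_PROTO_PPP = 0x880B       # protocol type of PPP carried in enhanced GRE

CONTROL_MESSAGES = {
    1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
    3: "Stop-Control-Connection-Request", 4: "Stop-Control-Connection-Reply",
    5: "Echo-Request", 6: "Echo-Reply",
    7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply",
}


def parse_ipv4(pkt):
    """Return (protocol, src, dst, payload) or None if not a sane IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        return None
    return pkt[9], socket.inet_ntoa(pkt[12:16]), socket.inet_ntoa(pkt[16:20]), pkt[ihl:]


def pptp_control_message(tcp_payload):
    """Name of the PPTP control message in a TCP segment, or None.

    Header layout: length(2) message_type(2) magic_cookie(4) control_type(2)
    reserved(2).  Matching on the cookie makes detection port-independent.
    """
    if len(tcp_payload) < 12:
        return None
    length, msg_type, magic, ctl_type = struct.unpack("!HHIH", tcp_payload[:10])
    if magic != PPTP_MAGIC or msg_type != 1 or length < 12:
        return None
    return CONTROL_MESSAGES.get(ctl_type, "control-type-%d" % ctl_type)


def pptp_gre_call_id(gre_payload):
    """Call ID of a PPTP enhanced-GRE packet, or None if this is not PPTP GRE."""
    if len(gre_payload) < 8:
        return None
    flags_ver, proto_type, _plen, call_id = struct.unpack("!HHHH", gre_payload[:8])
    version, key_present = flags_ver & 0x0007, bool(flags_ver & 0x2000)
    if version != 1 or proto_type != GRE_PROTO_PPP or not key_present:
        return None
    return call_id


def classify(pkt):
    """Label one raw IPv4 packet as pptp-control, pptp-data, tcp or other."""
    parsed = parse_ipv4(pkt)
    if parsed is None:
        return {"kind": "not-ipv4"}
    proto, src, dst, payload = parsed
    if proto == IPPROTO_TCP and len(payload) >= 20:
        sport, dport = struct.unpack("!HH", payload[:4])
        data_off = (payload[12] >> 4) * 4
        name = pptp_control_message(payload[data_off:])
        if name is not None:
            return {"kind": "pptp-control", "src": src, "dst": dst, "dport": dport,
                    "message": name, "on_registered_port": dport == PPTP_PORT}
        return {"kind": "tcp", "src": src, "dst": dst, "dport": dport}
    if proto == IPPROTO_GRE:
        call_id = pptp_gre_call_id(payload)
        if call_id is not None:
            return {"kind": "pptp-data", "src": src, "dst": dst, "call_id": call_id}
    return {"kind": "other", "src": src, "dst": dst, "proto": proto}


# --- constructed sample traffic (not captured; checksums left at zero) ---
def ipv4(proto, src, dst, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def tcp(sport, dport, data):
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + data


SCCRQ = struct.pack("!HHIHH", 156, 1, PPTP_MAGIC, 1, 0) + b"\x00" * 144
PPP_LCP = b"\xc0\x21\x01\x01\x00\x04"                       # constructed PPP LCP frame
PPTP_GRE = struct.pack("!HHHHI", 0x3001, GRE_PROTO_PPP, len(PPP_LCP), 42, 1) + PPP_LCP

SAMPLES = {
    "control on 1723": ipv4(IPPROTO_TCP, "10.1.1.5", "192.0.2.10", tcp(1055, PPTP_PORT, SCCRQ)),
    "control on 5678": ipv4(IPPROTO_TCP, "10.1.1.5", "192.0.2.10", tcp(1056, 5678, SCCRQ)),
    "gre tunnel": ipv4(IPPROTO_GRE, "10.1.1.5", "192.0.2.10", PPTP_GRE),
    "plain http": ipv4(IPPROTO_TCP, "10.1.1.5", "192.0.2.20", tcp(1057, 80, b"GET / HTTP/1.0\r\n\r\n")),
    "plain gre": ipv4(IPPROTO_GRE, "10.1.1.5", "192.0.2.30", struct.pack("!HH", 0, 0x0800) + b"\x45" * 20),
}


def port_rule_gaps(samples):
    """Names of the PPTP samples a rule that only blocks outbound TCP/1723 misses."""
    gaps = []
    for name, pkt in samples.items():
        c = classify(pkt)
        if c["kind"] == "pptp-data" or (c["kind"] == "pptp-control" and not c["on_registered_port"]):
            gaps.append(name)
    return sorted(gaps)


if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print("%-16s %s" % (name, classify(pkt)))
    print("missed by a TCP/1723-only rule:", port_rule_gaps(SAMPLES))
```

Run stand-alone it prints one classification per sample; the last line lists the PPTP packets that a rule blocking only outbound TCP/1723 would have let through: the control session on the draft's port and the GRE data path. That is the practical caveat behind the port discussion above: a firewall that wants to stop PPTP has to filter IP protocol 47 as well as the control port, and inspecting for the cookie catches a control channel that has been moved to another port.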
