Great Circle Associates Firewalls
(August 1997)
 


Subject: Re: PPTP & FW-1
From: Ron Levesque <rlevesque@lanoptics.com>
Organization: LanOptics Inc.
Date: Wed, 06 Aug 1997 15:32:29 -0500
To: Russ <Russ.Cooper@RC.on.ca>
Cc: "Firewalls@GreatCircle.COM" <firewalls@GreatCircle.COM>
References: <B1A2E88F5F7FD011A0B40000E8D5C667133650@mail.rc.on.ca>

Russ,

In your last paragraph, you say to enable "PPP encryption" on the
client. I'm using Win95 Dial-Up Networking 1.2, which has the PPTP (VPN)
stuff, but I can't find anywhere to turn on PPP encryption. I'm
using NT4 RAS, which has a "data encryption" check box, but there is
nothing on the 95 side, or am I missing something?

Ron


Russ wrote:
> 
> PPTP's control connection uses TCP/UDP 1723. TCP/UDP 5678 was indicated
> in the initial draft proposal for the PPTP protocol, but NT 4.0 was
> released using the IANA assigned port number 1723.
> 
> GRE, IP Protocol 47 (not a TCP or UDP port) is used for the data tunnel.
> 
> Obviously if you implement a rule on FW-1 (or any Firewall) specifying
> TCP/UDP 5678 for the control channel, you're not going to be able to get
> any NT or Win95-based PPTP machines to work since they will try to set
> up their control channel over TCP1723.
> 
> Some Front-End Processors (FEPs) may actually make the PPTP control
> connection themselves, and then relay the PPP traffic through the tunnel
> they've established. In this case, your rules need to be based on the IP
> address of the FEP, not the IP address assigned to the client by the
> ISP.
> 
> If you are doing PPTP over a client network adapter, then your rules are
> based on the client's original IP address.
> 
> IP addresses assigned by the PPTP server need to be from a subnet other
> than one existing on your PPTP server networks, otherwise your clients
> will end up with their PPTP network gateway being seen as an address on
> their physical network adapter, rather than an address reached through
> their virtual network adapter created by the PPTP tunnel.
> 
> Finally, remember that GRE is *not* encryption, merely encapsulation. No
> valuable security is gained by encapsulation, so enable PPP encryption
> on the Dial-up connection on the client to obtain any security.
> 
> Cheers,
> Russ
> R.C. Consulting, Inc. - NT/Internet Security
> owner of the NTBugTraq Mailing List - http://ntbugtraq.rc.on.ca/

-- 
---------------------------------------------------------
Ron Levesque, CCIE #2723        LanOptics Inc.
Senior Systems Engineer         (A Cisco & IBM OEM)
Main  : 800-533-8439            2445 Midway Road, Bldg 2
Direct: 972-738-6982            Dallas, Texas, 75006
Wireless Email Address          8945228@Skymail.com
---------------------------------------------------------
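The firewall-rule points in Russ's quoted reply (control channel on TCP 1723 rather than the draft's 5678, GRE matched as IP protocol 47 rather than a port, rules keyed on the FEP's address when a front-end processor builds the tunnel, and a client address pool that does not overlap the server's networks) are easy to get wrong in a stateless filter. The following is an added example, not code from the original thread or from FireWall-1: a toy first-match rule evaluator with constructed addresses and an invented Packet/Rule shape, so it runs offline and shows which packets each ruleset passes or drops.

```python
# Added example (not from the original post): a toy first-match rule evaluator
# showing why a PPTP rule written for TCP/UDP 5678 never passes NT/Win95 PPTP
# clients, and why the data tunnel must be matched on IP protocol 47 (GRE)
# rather than on a port.  Packet/Rule shapes and all addresses are constructed
# for this illustration; none of this is FW-1 rule syntax.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

TCP, UDP, GRE = 6, 17, 47      # IP protocol numbers; GRE has no ports at all
PPTP_CONTROL_PORT = 1723       # IANA-assigned, used by NT 4.0 and Win95 DUN 1.2
PPTP_DRAFT_PORT = 5678         # early draft value; shipping clients never use it


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for port-less protocols such as GRE


@dataclass(frozen=True)
class Rule:
    src: str                      # CIDR; "0.0.0.0/0" matches any source
    dst: str
    proto: int
    dport: Optional[int] = None   # None = no port test (required for GRE)
    action: str = "accept"


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ip_address(pkt.src) in ip_network(rule.src)
            and ip_address(pkt.dst) in ip_network(rule.dst)
            and rule.proto == pkt.proto
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; anything unmatched hits the implicit drop."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return "drop"


def pptp_rules(client_net: str, server_ip: str) -> List[Rule]:
    """Rules that actually let a PPTP session through a stateless filter:
    the TCP 1723 control connection plus GRE in both directions.  When a
    front-end processor builds the tunnel, client_net must be the FEP's
    address, not the ISP-assigned client address."""
    server = f"{server_ip}/32"
    return [
        Rule(client_net, server, TCP, PPTP_CONTROL_PORT),
        Rule(client_net, server, GRE),
        Rule(server, client_net, GRE),
    ]


def draft_port_rules(client_net: str, server_ip: str) -> List[Rule]:
    """The mistaken ruleset the post warns about: control channel on 5678."""
    server = f"{server_ip}/32"
    return [Rule(client_net, server, TCP, PPTP_DRAFT_PORT),
            Rule(client_net, server, UDP, PPTP_DRAFT_PORT),
            Rule(client_net, server, GRE)]


def pool_is_separate(pool: str, server_networks: List[str]) -> bool:
    """True when the address pool handed to tunnel clients overlaps none of
    the networks on the PPTP server, so the client's route to the tunnel
    gateway goes via the virtual adapter rather than the physical one."""
    p = ip_network(pool)
    return not any(p.overlaps(ip_network(n)) for n in server_networks)


if __name__ == "__main__":
    server, clients = "192.0.2.10", "198.51.100.0/24"   # constructed addresses
    control = Packet("198.51.100.7", server, TCP, PPTP_CONTROL_PORT)
    tunnel = Packet("198.51.100.7", server, GRE)
    print("5678 rules, control:", evaluate(draft_port_rules(clients, server), control))
    print("1723 rules, control:", evaluate(pptp_rules(clients, server), control))
    print("1723 rules, tunnel :", evaluate(pptp_rules(clients, server), tunnel))
    print("pool separate      :", pool_is_separate("10.9.0.0/24", ["192.0.2.0/24"]))
```

The evaluator is deliberately stateless, which is why the return-direction GRE rule is spelled out; a real firewall with a PPTP-aware inspection engine may derive it from the control connection. Note also that nothing here makes the tunnel contents private: as the reply says, GRE is encapsulation only, and confidentiality comes from enabling PPP encryption on the client.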


