I just had a thought about PPTP. Since the client is doing PPP (as far
as it's concerned) until it reaches the PPTP server device (today, an NT
server), you presumably would then provide the client with all of its IP
address information from this server. The routing of the PPP traffic
(which is encapsulated in IGREP packets between the server and the FEP)
is handled independently of the client (i.e. the client is not aware of
the IP addresses along the way).
The result is that, potentially, an internal IP address is being used
across the Internet, although it's not actually being used across the
Internet...;-]
So, if I put the PPTP server inside my Firewall, I have to open port
5678 to allow it through, knowing that the packets inside this data
stream have IP addresses that are considered internal addresses
(internal to my Firewall). If we assume we are only allowing encrypted
channels, and we further assume we are only allowing NT
Challenge/Response for the authentication method (I know, a lot of
assumptions), then there's not much a Firewall can do to enhance the
security of this, correct? I mean, this is similar to a VPN tunnel
between two known gateways, but there's the disadvantage that the FEP
will probably be unknown (assuming you're allowing for roving clients). So
the Firewall would have to trust any incoming request and put it through
to the PPTP server for validation.
Now if I put the PPTP server outside my Firewall, then we get into the
issues of the NT Domain server being exposed to the Internet, and
despite my beliefs many see this as simply too much of a risk.
So, any Firewall vendors out there doing something about PPTP???? If so,
what, can you talk, please tell....
Also, if the client receives its IP information from the PPTP server,
it's not going to be able to use its connection to a local ISP for
anything else, so any browsing (for example) that the client might want
to do on the Internet would end up being done through the PPTP Server's
connection to the Internet. So if I'm in the U.K. on a business trip,
and my office is in the U.S., if I connect to a U.K. ISP using PPTP and
want to browse a U.K. site I have to send my packets to my office and
then have them routed from there to the U.K. site, yuck...
Comments would be appreciated.
Cheers,
Russ
...eek, quick, someone give me some broken software, I'm suffering beta
withdrawals...
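As an added illustration of the point raised above (this is not code from the post): a constructed PPTP data packet, first parsed the way a perimeter packet filter sees it (outer header only) and then decapsulated to show the internal addresses travelling inside. It assumes the data channel is GRE (IP protocol 47) carrying PPP frames as in RFC 2637; all addresses and the call ID are made-up sample values.

```python
import ipaddress
import struct

GRE_PROTO = 47          # IP protocol number for GRE (assumed PPTP data channel)
PPP_PROTO_IP = 0x0021   # PPP protocol field value for IPv4
GRE_PPP_TYPE = 0x880B   # GRE protocol type for PPP (RFC 2637)

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (demo only)."""
    return struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed)

def pptp_data_packet(fep, server, inner_src, inner_dst):
    """Constructed sample: inner IP packet -> PPP frame -> GRE -> outer IP."""
    inner = ipv4_header(inner_src, inner_dst, 6, 0)      # empty inner TCP packet
    ppp = struct.pack('!H', PPP_PROTO_IP) + inner
    # Enhanced GRE: K bit + version 1, then key = payload length and call ID
    gre = struct.pack('!HHHH', 0x2001, GRE_PPP_TYPE, len(ppp), 7) + ppp
    return ipv4_header(fep, server, GRE_PROTO, len(gre)) + gre

def outer_view(pkt):
    """What a packet filter sees without decapsulating: the outer header."""
    return {'src': str(ipaddress.IPv4Address(pkt[12:16])),
            'dst': str(ipaddress.IPv4Address(pkt[16:20])),
            'proto': pkt[9]}

def inner_view(pkt):
    """Strip outer IP, GRE and PPP headers; return the inner IP addresses."""
    ihl = (pkt[0] & 0x0F) * 4
    gre = pkt[ihl:]
    flags, ptype = struct.unpack('!HH', gre[:4])
    hdr = 4 + (4 if flags & 0x2000 else 0) + (4 if flags & 0x1000 else 0)
    ppp = gre[hdr:]
    if ptype != GRE_PPP_TYPE or struct.unpack('!H', ppp[:2])[0] != PPP_PROTO_IP:
        raise ValueError('not a GRE-encapsulated PPP/IP frame')
    inner = ppp[2:]
    return {'src': str(ipaddress.IPv4Address(inner[12:16])),
            'dst': str(ipaddress.IPv4Address(inner[16:20]))}

def perimeter_allows(pkt, pptp_server):
    """Outer-header policy only: GRE to the server, from any source (roving FEPs)."""
    v = outer_view(pkt)
    return v['proto'] == GRE_PROTO and v['dst'] == pptp_server
```

The filter's decision rests entirely on `outer_view`; the internal addresses in `inner_view` are carried past it untouched, which is why validation ends up with the PPTP server.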