Great Circle Associates Firewalls
(August 1997)
 


Subject: RE: PPTP & FW-1
From: James Terry <james @ imxexchange . com>
Date: Wed, 6 Aug 1997 12:32:15 -0700
To: "'Firewalls @ GreatCircle . COM'" <firewalls @ GreatCircle . COM>

I'm sorry to be so ignorant, but could someone please clear this up for me?


IS IT POSSIBLE, using Microsoft's PPTP (Windows client, NT server), to
establish a FULLY secured connection through FW-1 3.0? (non-VPN)

What I want is SECURED authentication AND secured communication:
authenticity & confidentiality.

thanks,
james @ imx-exchange . com



>-----Original Message-----
>From:	Russ [SMTP:Russ . Cooper @ RC . on . ca]
>Sent:	Wednesday, August 06, 1997 5:10 AM
>To:	Firewalls @ GreatCircle . COM; 'snorthc @ nswc . navy . mil'
>Subject:	RE: PPTP & FW-1
>
>PPTP's control connection uses TCP/UDP 1723. TCP/UDP 5678 was indicated
>in the initial draft proposal for the PPTP protocol, but NT 4.0 was
>released using the IANA assigned port number 1723.
>
>GRE, IP Protocol 47 (not a TCP or UDP port) is used for the data tunnel.
>
>Obviously if you implement a rule on FW-1 (or any Firewall) specifying
>TCP/UDP 5678 for the control channel, you're not going to be able to get
>any NT or Win95-based PPTP machines to work since they will try to set
>up their control channel over TCP 1723.
>
>Some Front-End Processors (FEPs) may actually make the PPTP control
>connection themselves, and then relay the PPP traffic through the tunnel
>they've established. In this case, your rules need to be based on the IP
>address of the FEP, not the IP address assigned to the client by the
>ISP.
>
>If you are doing PPTP over a client network adapter, then your rules are
>based on the client's original IP address.
>
>IP addresses assigned by the PPTP server need to be from a subnet other
>than one existing on your PPTP server networks, otherwise your clients
>will end up with their PPTP network gateway being seen as an address on
>their physical network adapter, rather than an address reached through
>their virtual network adapter created by the PPTP tunnel.
>
>Finally, remember that GRE is *not* encryption, merely encapsulation. No
>valuable security is gained by encapsulation, so enable PPP encryption
>on the Dial-up connection on the client to obtain any security.
>
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security
>owner of the NTBugTraq Mailing List - http://ntbugtraq.rc.on.ca/
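
Russ's port and protocol points above, as an added example that is not part of the original thread: a small Python packet classifier (constructed sample packets; the addresses and the `pptp_rules` helper are my own) showing that a rule set on TCP 1723 plus IP protocol 47, restricted to the peer address that actually builds the tunnel, passes a PPTP client's traffic, while a rule on the draft port 5678 blocks the control channel.

```python
import struct
from typing import NamedTuple, Optional

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CONTROL_PORT = 1723   # IANA-assigned port that NT 4.0 / Win95 clients really use
PPTP_DRAFT_PORT = 5678     # port from the early draft; a rule on it matches nothing

class Flow(NamedTuple):
    src: str
    proto: int
    dport: Optional[int]   # None for port-less protocols such as GRE

def parse_ipv4(pkt: bytes) -> Flow:
    """Pull source address, IP protocol and (for TCP) destination port from a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4          # header length in bytes
    proto = pkt[9]
    src = ".".join(str(b) for b in pkt[12:16])
    dport = struct.unpack("!H", pkt[ihl + 2:ihl + 4])[0] if proto == IPPROTO_TCP else None
    return Flow(src, proto, dport)

def pptp_rules(peer: str, control_port: int = PPTP_CONTROL_PORT):
    """Permit only the control channel and the GRE tunnel, and only from `peer`
    (the FEP's address if the FEP builds the tunnel, else the client's own)."""
    return [(peer, IPPROTO_TCP, control_port), (peer, IPPROTO_GRE, None)]

def allowed(pkt: bytes, rules) -> bool:
    return tuple(parse_ipv4(pkt)) in rules

def build_ipv4(src: str, proto: int, dport: Optional[int] = None) -> bytes:
    """Constructed sample packet: minimal IPv4 header, plus a bare TCP SYN header
    when a port is given. Checksums are left zero; only header fields matter here."""
    src_bytes = bytes(int(o) for o in src.split("."))
    tcp = b""
    if dport is not None:
        tcp = struct.pack("!HHIIBBHHH", 40000, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0, 0, 64, proto, 0,
                      src_bytes, bytes([10, 0, 0, 1]))
    return hdr + tcp

def demo() -> dict:
    client = "192.0.2.10"                           # constructed peer address
    control = build_ipv4(client, IPPROTO_TCP, PPTP_CONTROL_PORT)
    tunnel = build_ipv4(client, IPPROTO_GRE)
    good, draft = pptp_rules(client), pptp_rules(client, PPTP_DRAFT_PORT)
    return {
        "control_ok": allowed(control, good),                 # True
        "gre_ok": allowed(tunnel, good),                      # True
        "control_under_draft_rule": allowed(control, draft),  # False: 5678 never used
        "other_host_gre": allowed(build_ipv4("192.0.2.99", IPPROTO_GRE), good),  # False
    }
```

The classifier only looks at the IP protocol number for GRE, which is all a port-based rule can see; as Russ notes, nothing in the GRE layer itself is encrypted.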
