Great Circle Associates Firewalls
(August 1997)

Subject: RE: PPTP & FW-1
From: ö PaLaN ö <palan @ dataprep . com . my>
Date: Fri, 08 Aug 1997 11:57:22 +0800
To: Russ <Russ . Cooper @ RC . on . ca>
Cc: firewalls @ greatcircle . com
In-reply-to: <B1A2E88F5F7FD011A0B40000E8D5C667133650 @ mail . rc . on . ca>

At 08:10 AM 8/6/97 -0400, you wrote:
>PPTP's control connection uses TCP/UDP 1723. TCP/UDP 5678 was indicated
>in the initial draft proposal for the PPTP protocol, but NT 4.0 was
>released using the IANA assigned port number 1723.
>
>GRE, IP Protocol 47 (not a TCP or UDP port) is used for the data tunnel.
>
>Obviously if you implement a rule on FW-1 (or any Firewall) specifying
>TCP/UDP 5678 for the control channel, you're not going to be able to get
>any NT or Win95-based PPTP machines to work since they will try to set
>up their control channel over TCP1723.

>> Russ, 
>>
>> I'm confused here. The TCP/UDP 5678 port you mentioned above actually
>> refers to "Remote Replication Agent Connection" (rrac service) under
>> the registered ports list. Correct me if I'm wrong here, I don't really
>> see that this service is related or required for PPTP to work. Any
>> comments?
>>
>> rgds,
>>PaLaN
>>
>
>Some Front-End Processors (FEPs) may actually make the PPTP control
>connection themselves, and then relay the PPP traffic through the tunnel
>they've established. In this case, your rules need to be based on the IP
>address of the FEP, not the IP address assigned to the client by the
>ISP.
>
>If you are doing PPTP over a client network adapter, then your rules are
>based on the client's original IP address.
>
>IP addresses assigned by the PPTP server need to be from a subnet other
>than one existing on your PPTP server networks, otherwise your clients
>will end up with their PPTP network gateway being seen as an address on
>their physical network adapter, rather than an address reached through
>their virtual network adapter created by the PPTP tunnel.
>
>Finally, remember that GRE is *not* encryption, merely encapsulation. No
>valuable security is gained by encapsulation, so enable PPP encryption
>on the Dial-up connection on the client to obtain any security.
>
>Cheers,
>Russ
>R.C. Consulting, Inc. - NT/Internet Security
>owner of the NTBugTraq Mailing List - http://ntbugtraq.rc.on.ca/
>

Security Analyst
West Malaysia.
_______________________________________________
"Here is my key ... lets exchange packets now."
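The point made in the thread above, as an added example that is not part of the original message: a minimal stateless rule matcher showing that a rule written for TCP/UDP 5678 (the draft port) never admits an NT/Win95 PPTP client, while a rule set keyed to TCP 1723 plus GRE (IP protocol 47, which has no port) does; the FEP variant shows rules keyed to the FEP's address rather than the ISP-assigned client address. All addresses are constructed sample values.

```python
# Added example, not from the original thread. Constructed addresses only.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

TCP, UDP, GRE = 6, 17, 47          # IP protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    proto: int
    dport: Optional[int] = None    # GRE carries no port at all

@dataclass(frozen=True)
class Rule:
    src: str                       # CIDR prefix or "any"
    proto: int
    dport: Optional[int] = None    # None: match regardless of port (GRE)

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and \
           ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        return p.proto == self.proto and (self.dport is None or p.dport == self.dport)

def pptp_allowed(rules: List[Rule], client_src: str) -> Tuple[bool, bool]:
    """Return (control_ok, tunnel_ok) for a PPTP session from client_src."""
    control = Packet(client_src, TCP, 1723)   # PPTP control connection
    tunnel = Packet(client_src, GRE)          # encapsulated PPP data, no port
    ok = lambda p: any(r.matches(p) for r in rules)
    return ok(control), ok(tunnel)

# Rule set built on the draft's TCP/UDP 5678: nothing from NT/Win95 gets through.
DRAFT_RULES = [Rule("any", TCP, 5678), Rule("any", UDP, 5678)]
# Rule set using the IANA-assigned port plus GRE, as the thread describes.
WORKING_RULES = [Rule("any", TCP, 1723), Rule("any", GRE)]
# FEP case: the FEP (constructed 203.0.113.10) makes the control connection,
# so the rules are keyed to its address, not the client's ISP-assigned one.
FEP_RULES = [Rule("203.0.113.10/32", TCP, 1723), Rule("203.0.113.10/32", GRE)]

if __name__ == "__main__":
    for name, rules in [("draft", DRAFT_RULES), ("working", WORKING_RULES)]:
        print(name, pptp_allowed(rules, "198.51.100.7"))
    print("fep", pptp_allowed(FEP_RULES, "203.0.113.10"),
          pptp_allowed(FEP_RULES, "198.51.100.7"))
```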