I was under the impression that Checkpoint fw-1 v4.0 ships with unlimited
VPN Client capabilities.
Ref: http://www.checkpoint.com/products/firewall-1/4.0/index.html#VPN
In order to support MS PPTP, a Firewall would need to be able to pass
protocol type 47/GRE and port 1723/TCP between Extranet clients and an
Intranet PPTP server(s). This MS-PPTP is not supported very well with many
Firewalls. MS has made available both Security and Performance enhancements
for 95, 98, and NT clients and it's still free.
Options:
* Utilize the VPN capabilities available from Checkpoint.
* Place the PPTP server on the outside of the Firewall and establish
rules on the Firewall to accept traffic from the PPTP server needed to support
remote application needs. Hint: Use the same server to support PPTP, MS Proxy
Caching, and Public Web Publishing.
* Invest in a Nortel-Baynetworks Extranet server to support both MS
PPTP and IPSEC clients.
Ref: http://www.baynetworks.com/news/Press/9811231.shtml
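To make the two flows named above concrete, here is an added example (not from any poster on this thread): it checks a rulebase for the TCP/1723 control connection and the protocol 47/GRE tunnel, and parses the PPTP-flavoured GRE header (RFC 2637), whose call ID is the only field a stateful rule or NAT device can match on since GRE has no ports. The rulebase shape and the sample packet bytes are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# The two things a firewall must pass for MS PPTP, as the thread states:
PPTP_CONTROL = (6, 1723)     # TCP port 1723 control connection
GRE_TUNNEL = (47, None)      # IP protocol 47 (GRE); GRE has no port numbers
PPP_PROTO_TYPE = 0x880B      # protocol type carried in PPTP's GRE header

def missing_for_pptp(allowed: set) -> list:
    """Return the PPTP flows a rulebase of (ip_proto, dst_port) pairs does not pass."""
    needed = {PPTP_CONTROL: "TCP/1723 control connection",
              GRE_TUNNEL: "IP protocol 47 (GRE) data tunnel"}
    return [why for flow, why in needed.items() if flow not in allowed]

@dataclass
class PptpGreHeader:
    call_id: int            # the only field NAT or a stateful rule can key on
    payload_len: int
    seq: Optional[int]
    ack: Optional[int]

def parse_pptp_gre(pkt: bytes) -> PptpGreHeader:
    """Parse the enhanced GRE (version 1) header PPTP uses (RFC 2637)."""
    if len(pkt) < 8:
        raise ValueError("truncated GRE header")
    flags, ver, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if ver & 0x07 != 1:
        raise ValueError("not GRE version 1, so not PPTP")
    if proto != PPP_PROTO_TYPE:
        raise ValueError(f"unexpected protocol type 0x{proto:04x}")
    if not flags & 0x20:                      # K bit: key (payload len + call ID)
        raise ValueError("Key field absent, no call ID")
    off, seq, ack = 8, None, None
    if flags & 0x10:                          # S bit: sequence number follows
        seq = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if ver & 0x80:                            # A bit: acknowledgment number follows
        ack = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4
    if len(pkt) - off != payload_len:
        raise ValueError("payload length field does not match packet")
    return PptpGreHeader(call_id, payload_len, seq, ack)

# Constructed sample: K+S set, A set, call ID 0x1234, seq 7, ack 3, 4 bytes of PPP payload.
SAMPLE_GRE = bytes.fromhex("3081880b00041234" "00000007" "00000003" "ff03c021")

if __name__ == "__main__":
    print(parse_pptp_gre(SAMPLE_GRE))
    print(missing_for_pptp({PPTP_CONTROL}))   # GRE still missing
```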
> ----------
> From: Frank Knobbe[SMTP:[EMAIL PROTECTED]]
> Sent: Monday, December 28, 1998 11:28 PM
> To: [EMAIL PROTECTED]
> Subject: FW: [FW1] PPTP through Checkpoint Firewall
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
> > Sent: Sunday, December 27, 1998 11:27 PM
> > To: [EMAIL PROTECTED]
> > Subject: [FW1] PPTP through Checkpoint Firewall
> >
> > I have a Checkpoint firewall, single gateway non-VPN version, connected to
> > the internet. We wanted to have a virtual private network using PPTP with a
> > remote site which is connected to the internet through dial up.
> >
> > I have heard that PPTP is not very secure. Kindly shed some light on the
> > pros and cons of using it and identify the best online resources for its
> > configuration. Also how can one give it access through FW-1?
>
>
> Microsoft's implementation of PPTP is reasonably secure. You can set very
> strong encryption (128 bit) for data privacy. But there is a documented
> attack on the _authentication_ handshake. If someone can sniff the PPTP
> packet flow, it is possible to gain user session information, including
> password hashes.
>
> However, as with all VPN implementations I suggest using OTP authentication
> using tokens. With this strong authentication it doesn't matter if someone
> actually captures the one-time password because he/she will not be able to
> use it a second time. The session key can be gathered with the above attack,
> but I have not seen any successful man-in-the-middle attack against a PPTP
> session. It is, however, possible to decrypt the data stream with this
> session key (as far as I know).
>
> The downside of PPTP is that you can not bring it in or out through a proxy, or
> past a firewall with NAT. A different VPN or tunnel protocol like IPSec
> may be the better choice.
>
> Since you have a Checkpoint firewall, I would recommend investing a little
> more in a proven (and so far attack resistant) VPN solution using
> Checkpoint (fw to fw, or client to fw via SecuRemote). In either case I
> recommend tokens.
>
> However, if funds are a problem, I see no reason not to use PPTP, but then
> again, it all depends on what wealth and worth of data you want to
> protect.... You need to exercise security within reason.
>
>
> Regards,
> Frank
>
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: PGP Personal Privacy 6.0
> Comment: PGP encrypted email preferred
>
> iQA/AwUBNohodSlma9DCzQQeEQKHqACg9jHfn07kxOuRAB+rbhm//68p1yEAoMYp
> Z20BHTENQZWySmMEu9VcqM4o
> =PhnE
> -----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]