-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> -----Original Message-----
> From: Jarmon, Don R [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, December 29, 1998 5:40 AM
> To: '[EMAIL PROTECTED]'
> Cc: [EMAIL PROTECTED]
> Subject: RE: [FW1] PPTP through Checkpoint Firewall
>
> I was under the impression that Checkpoint fw-1 v4.0 ships with unlimited
> VPN Client capabilities.
> Ref: http://www.checkpoint.com/products/firewall-1/4.0/index.html#VPN
According to http://www.checkpoint.com/products/modules.html it is still a
separate module. Anyone got a definitive answer to that?
> In order to support MS PPTP, a Firewall would need to be able to pass
> protocol type 47/GRE and port 1723/TCP between Extranet clients and an
> Intranet PPTP server(s). This MS-PPTP is not supported very well with many
> Firewalls. [...]
If you don't perform NAT, it should pass through ok. If you have NAT set up,
you will run into problems, mostly because the source/destination IP
addresses of the original packet are encapsulated in GRE. A proxy/NAT that
looks only at the GRE header IP info will not be able to 'route' the packet
to the intended destination. A proxy/NAT would have to inspect the
encapsulated packet to do that.
If you have only one PPTP server behind the firewall, you may be able to
force all packets to that IP address. Establishing a PPTP session outbound
is not possible at all.
> [...] * Place the PPTP server on the outside of the Firewall and establish
> rules on Firewall to accept traffic from the PPTP server needed to support
> remote application needs.
From a security standpoint it doesn't matter if the PPTP server is behind or
in front of the firewall. You may be able to eliminate spoofed packets
better if it is behind the wall. But someone could potentially compromise
the PPTP server, and if the PPTP server is in front of the firewall, you
don't have any added security passing the data back through the firewall,
except that you can filter by IP address and service type.
Regards,
Frank
PS: Can anyone show an example of an attack on a PPTP server through the
Internet? All the fuss about sniffing and spoofing PPTP seems to originate
from an open test bed environment. For example, can one source route GRE
packets?
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.0
Comment: PGP encrypted email preferred
iQA/AwUBNol0BSlma9DCzQQeEQJEugCdHmikk2aEl8Nukn9pvsKTXycYEoUAmwZp
9ssqdH1RXxj7dpjtskp5EwXh
=pvot
-----END PGP SIGNATURE-----
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
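The NAT problem Frank describes, shown in code. This is an added example, not code from the list post or from Checkpoint; it assumes the header layouts of RFC 791 (IPv4) and RFC 2637 (PPTP's "enhanced GRE", which carries a Call ID and no ports), and the packets, addresses (RFC 5737 documentation ranges) and Call IDs are constructed by hand for the demo. It builds a small port-overloading NAT, lets two inside PPTP clients open TCP 1723 through it, and then hands it the server's returning GRE data: with nothing but ports to key on the NAT cannot pick an inside host, which is the "outbound PPTP through NAT" failure; with the Call ID learned from the control channel it can; and with a single PPTP host behind the firewall, every GRE packet can simply be forced to that one address. The `PortNat` class and its method names are this example's own, not a real product's API.

```python
import struct
import ipaddress

IPPROTO_TCP, IPPROTO_GRE = 6, 47
PPTP_CTRL_PORT = 1723
GRE_PPP = 0x880B          # RFC 2637: GRE protocol type for PPP frames


def build_ipv4(proto, src, dst, payload):
    """Minimal 20-byte IPv4 header, checksum left zero (demo only)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_pptp_gre(call_id, ppp_frame):
    """RFC 2637 enhanced GRE header: K=1, version 1, proto 0x880B, payload
    length, Call ID. Note there is no port field of any kind."""
    return struct.pack("!HHHH", 0x2001, GRE_PPP, len(ppp_frame), call_id) + ppp_frame


def parse_ipv4(pkt):
    """Return (proto, src, dst, payload) from a packet built as above."""
    ihl = (pkt[0] & 0x0F) * 4
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return pkt[9], src, dst, pkt[ihl:]


class PortNat:
    """Port-overloading NAT (hypothetical, for illustration). TCP state is
    keyed on the rewritten source port; GRE has no port, so reverse lookups
    for GRE need either a Call ID learned from the PPTP control channel or
    a single fixed inside host to dump everything on."""

    def __init__(self, public_ip, gre_fallback=None):
        self.public_ip = public_ip
        self.gre_fallback = gre_fallback   # the "only one PPTP host" option
        self.next_port = 40000
        self.tcp_map = {}                  # external port -> (inside ip, port)
        self.call_map = {}                 # inside Call ID -> inside ip

    def outbound(self, pkt):
        """Rewrite an inside->outside packet to the public address."""
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack("!HH", payload[:4])
            ext = self.next_port
            self.next_port += 1
            self.tcp_map[ext] = (src, sport)
            return build_ipv4(proto, self.public_ip, dst,
                              struct.pack("!H", ext) + payload[2:])
        if proto == IPPROTO_GRE:
            # Only the source changes; a port-only NAT records nothing here.
            return build_ipv4(proto, self.public_ip, dst, payload)
        raise ValueError("unsupported protocol %d" % proto)

    def learn_call(self, call_id, inside_ip):
        """PPTP-aware hook: the client's Outgoing-Call-Request on TCP 1723
        carries the Call ID the server will put in its GRE data for that
        client. (A real ALG would also rewrite colliding Call IDs.)"""
        self.call_map[call_id] = inside_ip

    def inbound(self, pkt, pptp_aware=False):
        """Map an outside->inside packet back; None means 'no idea where'."""
        proto, src, dst, payload = parse_ipv4(pkt)
        if proto == IPPROTO_TCP:
            sport, dport = struct.unpack("!HH", payload[:4])
            inside_ip, inside_port = self.tcp_map[dport]
            return build_ipv4(proto, src, inside_ip,
                              payload[:2] + struct.pack("!H", inside_port) + payload[4:])
        if proto == IPPROTO_GRE:
            _flags, gre_type, _length, call_id = struct.unpack("!HHHH", payload[:8])
            if gre_type != GRE_PPP:
                raise ValueError("not PPTP GRE")
            if pptp_aware and call_id in self.call_map:
                return build_ipv4(proto, src, self.call_map[call_id], payload)
            if self.gre_fallback:
                return build_ipv4(proto, src, self.gre_fallback, payload)
            return None   # two inside clients, no port, no Call ID knowledge
        raise ValueError("unsupported protocol %d" % proto)


def demo_outbound_clients():
    """Two inside clients dial one outside PPTP server through the NAT."""
    nat = PortNat("203.0.113.1")
    server = "198.51.100.5"
    clients = {"10.0.0.11": 7, "10.0.0.12": 9}    # inside ip -> its Call ID
    for ip, cid in clients.items():
        nat.outbound(build_ipv4(IPPROTO_TCP, ip, server,
                                struct.pack("!HH", 3000, PPTP_CTRL_PORT)))
        nat.learn_call(cid, ip)
    # server's GRE data for the client that chose Call ID 9 (PPP LCP frame)
    gre = build_ipv4(IPPROTO_GRE, server, nat.public_ip,
                     build_pptp_gre(9, b"\xff\x03\xc0\x21"))
    naive = nat.inbound(gre)                        # None: nothing to key on
    aware = nat.inbound(gre, pptp_aware=True)
    return naive, parse_ipv4(aware)[2]


def demo_single_server():
    """One PPTP server inside: force every GRE packet to it, Call ID or not."""
    nat = PortNat("203.0.113.1", gre_fallback="10.0.0.20")
    gre = build_ipv4(IPPROTO_GRE, "192.0.2.77", nat.public_ip,
                     build_pptp_gre(1234, b"\xff\x03\xc0\x21"))
    return parse_ipv4(nat.inbound(gre))[2]


if __name__ == "__main__":
    print(demo_outbound_clients())   # (None, '10.0.0.12')
    print(demo_single_server())      # 10.0.0.20
```

The TCP 1723 control connection is translated like any other TCP session because it has ports; the GRE data channel is the part that breaks, and the only state that lets a gateway demultiplex it is the Call ID, which it can get only by parsing the control channel. That is why the one-server case is the easy one and outbound PPTP from several inside hosts is the hard one.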