Block PPTP VPN

I want to create a firewall rule to restrict access to my pptp vpn (hosted by a pfsense machine), but I need all the ports it uses. I don't fully understand the protocol, so I am not really sure what they are, or if I have all of them. Any help?

Thanks
 
FWIW, PPTP is grossly insecure and should not be used unless no other option is available. It's not a big deal to run IPSec or OpenVPN on pfsense; both are far more secure.

If you really want to use PPTP, however, it runs over port 1723 and IP protocol 47 (GRE).
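To make that concrete, here is an added pf.conf fragment (not posted in this thread, and not pfSense's own generated ruleset) that restricts both halves of PPTP to a list of known client addresses; the interface name, server address and client addresses are placeholders you would replace with your own.

```pf
# Added example (hypothetical values): lock inbound PPTP down to known sources.
ext_if   = "em0"              # WAN interface (assumed)
pptp_srv = "192.0.2.10"       # address the PPTP server listens on (assumed)
table <pptp_clients> { 198.51.100.0/24, 203.0.113.7 }   # allowed client sources (assumed)

# Default deny for anything arriving on WAN
block in on $ext_if all

# PPTP control channel: TCP 1723, only from the allowed sources
pass in quick on $ext_if proto tcp from <pptp_clients> to $pptp_srv port 1723 \
    flags S/SA keep state

# PPTP data channel: GRE (IP protocol 47), same sources. pf tracks GRE state
# by address pair, so the tunnel packets follow the control connection.
pass in quick on $ext_if proto gre from <pptp_clients> to $pptp_srv keep state

# Anything else aimed at the VPN is dropped and logged so scans show up in pflog
block in log quick on $ext_if proto tcp to $pptp_srv port 1723
block in log quick on $ext_if proto gre to $pptp_srv
```

On pfSense you would enter the same two pass rules on the WAN tab (one for TCP/1723, one for protocol GRE) with the source set to an alias holding the client addresses; forgetting the GRE rule is the usual reason a PPTP client authenticates and then hangs.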
 
No date on that FAQ? No details? It doesn't give me any clear indication of how insecure PPTP is nor anything about how an attack could occur.

What are you, a hacker? Need more details, eh? LoL. It's just the first example that came back in google.
 
What are you, a hacker? Need more details, eh? LoL. It's just the first example that came back in google.

Erm. I googled, yet only find vague references with plenty of "PPTP is insecure" comments on other forums. I know there was a problem with a very early PPTP implementation by MS a number of years ago, but that was corrected.

When analyzing security issues, I like to have as much information as possible to make an informed decision in regards to my customers networks.;)
 
When analyzing security issues, I like to have as much information as possible to make an informed decision in regards to my customers networks.;)

Well I always thought since PPTP = Microsoft that people shied away from it. Plus, how many PPTP hardware appliances do you see? It's always IPSec / L2TP.
 
pptp serves its purpose, but like the 1st replier said, there's a lot better ways to do it for very little extra cost or setup
 
Well I always thought since PPTP = Microsoft that people shied away from it. Plus, how many PPTP hardware appliances do you see? It's always IPSec / L2TP.

The Cisco PIX does PPTP (as well as IPSEC).

I don't see anything wrong with doing PPTP on a PIX or other router/firewall. I've setup many customers on PPTP and have never had an issue. The above article you linked contends that Microsoft's implementation of PPTP is faulty and mentions only NT Server and Win95 client. MS's PPTP code from that era may very well have been faulty, but I imagine it's been rectified in 2003 Server.

When I spec out a VPN setup, I generally do it on the firewall though, not on a MS server.

PPTP works and it's cheap to implement (easy to setup WinXP client a big part of that). That means business people are able to use it and less resistant to doing so. I've also done many IPSEC VPN setups and they are overall more complex and expensive. That assumes you are dealing with business grade equipment with required licensing etc., not open source. I know that will set off a flurry of IPSEC is cheap too, you don't know WTF you're doing , blah blah blah.... I don't care.

PPTP is plenty secure. There's no reason to get all NSA about it.

A lot of the PPTP detractors assume it's realistic that a hacker is always able to monitor LAN traffic with a sniffer and will capture VPN passwords. That's just silly.
 
Well I always thought since PPTP = Microsoft that people shied away from it. Plus, how many PPTP hardware appliances do you see? It's always IPSec / L2TP.

Quite a few. Linksys RV series support PPTP out of the box and IPSec. Problems can develop with IPSEC VPNs if one or the other end is behind a NAT router. NAT-T overcomes this issue, however it is fairly new. PPTP does not have this "limitation".

Again I am inquiring for this information solely because I want to evaluate the merits of the insecurity to determine the risk level involved in using PPTP, not because of someone's opinion, outdated information, or bias against MS.
 
Again I am inquiring for this information solely because I want to evaluate the merits of the insecurity to determine the risk level involved in using PPTP, not because of someone's opinion, outdated information, or bias against MS.

You have me interested now too. PPTP is much easier to setup (for me) and I wouldn't mind recommending it knowing that it is a secure solution.
 
A lot of the PPTP detractors assume it's realistic that a hacker is always able to monitor LAN traffic with a sniffer and will capture VPN passwords. That's just silly.

Uhh, the whole point behind a VPN is to send sensitive data over untrusted network links. If you can trust the network infrastructure not to crack your PPTP sessions, then you don't need a VPN in the first place: just send your data in the clear.
 
So let me get this straight, the "insecurity" surrounding PPTP is based on "weak" passwords?

No, the vulnerability is that PPTP relies on passwords for security and exposes enough information to crack passwords offline. While current attack tools can only break weak passwords, there's nothing stopping anyone from using a rainbow table attack capable of breaking strong passwords.

Also keep in mind that breaking the PPTP password on PPTP VPN hosted by a Windows server will also get you the user's Windows login password. That would be a problem if the password broken happens to belong to an administrator.

In contrast, IPsec and OpenVPN don't transmit any password information until after a certificate-based secured channel has been established. The strength of IPSec or OpenVPN passwords (if passwords are used at all) has no effect on the resistance of the VPN to eavesdropping, replay, MITM, or other attacks.
 
Uhh, the whole point behind a VPN is to send sensitive data over untrusted network links. If you can trust the network infrastructure not to crack your PPTP sessions, then you don't need a VPN in the first place: just send your data in the clear.

No, the vulnerability is that PPTP relies on passwords for security and exposes enough information to crack passwords offline. While current attack tools can only break weak passwords, there's nothing stopping anyone from using a rainbow table attack capable of breaking strong passwords.

Ok, while that may be true, consider the following:

Typical VPN use is an office worker at home who connects to the office for network resources. The worker has cable/dsl and connects to the office which likely is a T1 or maybe cable/dsl for a smaller office. For the moment, ignore hot spot wireless connections that I have warned my customers about.

At what point in the ISP -> backbone -> ISP connection is it realistic to think that the traffic is being monitored and that passwords are captured to be cracked offline?
 
Ok, while that may be true, consider the following:

Typical VPN use is an office worker at home who connects to the office for network resources. The worker has cable/dsl and connects to the office which likely is a T1 or maybe cable/dsl for a smaller office. For the moment, ignore hot spot wireless connections that I have warned my customers about.

At what point in the ISP -> backbone -> ISP connection is it realistic to think that the traffic is being monitored and that passwords are captured to be cracked offline?

The home network is easily the weak in any RAS connection.

The possibility of someone monitoring your network and cracking your passwords is extremely remote, but that doesn't mean that you shouldn't make your connection as secure as possible. Especially if that is what you are paid to do.
 
No, the vulnerability is that PPTP relies on passwords for security and exposes enough information to crack passwords offline. While current attack tools can only break weak passwords, there's nothing stopping anyone from using a rainbow table attack capable of breaking strong passwords.

Realistically, that has to be a highly targeted attack to sniff out the necessary packets to pull off such an attack. If someone were able to "tap" the network that close, in all likelihood they don't need to crack the VPN itself.

Also keep in mind that breaking the PPTP password on PPTP VPN hosted by a Windows server will also get you the user's Windows login password. That would be a problem if the password broken happens to belong to an administrator.

Which is why we don't allow users to have such permissions in the first place.

In contrast, IPsec and OpenVPN don't transmit any password information until after a certificate-based secured channel has been established. The strength of IPSec or OpenVPN passwords (if passwords are used at all) has no effect on the resistance of the VPN to eavesdropping, replay, MITM, or other attacks.

However, IPSEC cannot traverse NAT devices unless they employ NAT-T. IPSEC without NAT-T requires a direct connection to the internet in which the risks of having a computer directly exposed (IMO) negate the benefits of using IPSEC since the workstation itself could be compromised much easier than the VPN connection.

The home network is easily the weak in any RAS connection.

The possibility of someone monitoring your network and cracking your passwords is extremely remote, but that doesn't mean that you shouldn't make your connection as secure as possible. Especially if that is what you are paid to do.

Security is not that simple and nor is it 100%. While you can always make resources more secure, that has a tendency to make the resource more difficult to use and maintain. A balance must be maintained between many things like budgets, business requirements, risks, usability, and functionality.
 
Realistically, that has to be a highly targeted attack to sniff out the necessary packets to pull off such an attack. If someone were able to "tap" the network that close, in all likelihood they don't need to crack the VPN itself.

Which is why we don't allow users to have such permissions in the first place.

However, IPSEC cannot traverse NAT devices unless they employ NAT-T. IPSEC without NAT-T requires a direct connection to the internet in which the risks of having a computer directly exposed (IMO) negate the benefits of using IPSEC since the workstation itself could be compromised much easier than the VPN connection.

Security is not that simple, nor is it 100%. While you can always make resources more secure, that has a tendency to make the resource more difficult to use and maintain. A balance must be maintained between many things like budgets, business requirements, risks, usability, and functionality.


QFT!!!! The vast majority of people are not hosting Thermonuclear Missile launch codes...

Security is always a primary concern for the average small/medium business customer, but rarely at the cost of functionality or budget. Regardless of the security concerns, when was the last time that a customer TRULY followed your security suggestions? What's the difference between the assumption of sniffing packets on the local LAN to acquire a uid/password and just lifting up a user's keyboard to find their password of the month they had written down after you advised them not to? The real world is not black and white, it's a balance of grey.
 