[pptp-server] GRE protocol - security

Paul Boyer paul.boyer at paulboyer.org
Tue Aug 17 12:56:21 CDT 1999


Kurt Vlaminck wrote:
> 
> Hello,
> 
> I am new to this mailing list so apologise if this question has already
> been treated.
> 
> I saw that you need to open the GRE protocol in both ways
> (outgoing/incoming) when implementing a PPTP server behind a firewall. Isn't
> this a security issue as you have to open ports in both directions?

Security is what it is all about.
Not only is it a "hole" in the firewall policy, but the VPN host also
encrypts the connection so that the firewall cannot see what is in it.
What's more, a complete routing protocol is embedded in it, so that
internal machines can communicate freely with external machines
through this link !!!!

The point is: what do you want?

The firewall will make sure the GRE connection is only possible from VPN
hosts to VPN hosts. This will be enforced by the firewall, and only
that.

Now, the security of the system is the security of the weakest point in
the system, so take a look at the VPN hosts:
* the Linux PoPToP server can be made serious about security. It can
also be wide open; this depends on your system security settings.
Authenticate strongly (strong passwords or tokens), give only the needed
rights to users (the VPN can allow/deny connections, the poptop server
can limit the rights users have on the filesystem), strengthen your system
(listen to bugtraq and other vulnerability disclosure lists, apply
necessary patches _FAST_, separate your distinct functionality, don't
put a web server on a poptop server !!, etc.) and... _WATCH OUT_ (read
and/or parse your logs, monitor your machines, your users, your data
and your hardware)

* The MS-Windows machine can be made reasonably difficult to get into
for a beginner, and up to difficult to get into for a medium-skilled
hacker/cracker. No more ;-(

* The user may or may not be able to understand basic security needs and
avoid deliberately risky attitudes such as running any downloaded software :-[

The conclusion is this one: you open a secure channel in order to give
access to your network to machines that...are of little security. The
point of entry is not the firewall. Neither is it the poptop server. The
entry to your network is your remote user and their weak laptop full of
trojans and backdoors.

> I need to be sure when opening these ports on the firewall that this
> protocol on port 47 is completely safe.

> 
> Pse comments are more than welcome.
> 
[there was a very nice .signature here ;-) ]

Paul Boyer
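As an added example, not from the thread itself, the kind of firewall rule set the reply describes: on a Linux forwarding firewall using iptables (a later tool than the 1999 post), PPTP's control channel (TCP 1723) and data channel (GRE, IP protocol 47) are accepted only between the PoPToP server and a known list of remote VPN hosts, in both directions, and every other GRE or 1723 packet is dropped. The addresses are placeholders; DRY_RUN=1 (the default here) prints the rules instead of applying them.

```shell
#!/bin/sh
# Added example: restrict PPTP (TCP 1723 + GRE) to known VPN host pairs.
# Placeholder addresses; replace with your own before applying.
VPN_SERVER="192.0.2.10"                   # placeholder: PoPToP server behind the firewall
VPN_PEERS="198.51.100.20 198.51.100.21"   # placeholder: remote VPN hosts allowed in

# With DRY_RUN=1 the rules are echoed rather than loaded into the kernel.
IPT="iptables"
[ "${DRY_RUN:-1}" = "1" ] && IPT="echo iptables"

pptp_rules() {
    for peer in $VPN_PEERS; do
        # Control channel: only listed peers may open TCP 1723 to the server,
        # and the server may only answer back to them.
        $IPT -A FORWARD -p tcp -s "$peer" -d "$VPN_SERVER" --dport 1723 \
             -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
        $IPT -A FORWARD -p tcp -s "$VPN_SERVER" --sport 1723 -d "$peer" \
             -m conntrack --ctstate ESTABLISHED -j ACCEPT
        # Data channel: GRE has no ports, so the only handle the firewall has
        # is the host pair; it must be allowed in both directions, which is
        # the "open both ways" the question asks about.
        $IPT -A FORWARD -p gre -s "$peer" -d "$VPN_SERVER" -j ACCEPT
        $IPT -A FORWARD -p gre -s "$VPN_SERVER" -d "$peer" -j ACCEPT
    done
    # Anything else carrying GRE or aimed at 1723 (any other source,
    # any other destination) is dropped explicitly.
    $IPT -A FORWARD -p gre -j DROP
    $IPT -A FORWARD -p tcp --dport 1723 -j DROP
}

pptp_rules
```

The firewall still sees only the host pair; what travels inside the GRE tunnel is encrypted and routed by the VPN endpoints, which is why the reply points at the hosts rather than at these rules.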



