[pptp-server] State-based Firewall and VPN Server on One Box?

Chuck Flink cwf at infosecana.com
Fri Jan 14 11:13:59 CST 2000


Eric,
I noted Matt Ramsay's reference to the NETtel box from www.moretonbay.com
which seems to be a direct competitor for the RampNet WebRamp products I
referenced.  Issue: value of having Linux vs. whatever (probably another UNIX
clone) as the internal software/firmware.  Check for an article I'll be
posting by the end of the day at:  www.infosecana.com/flinkink

As far as "basic" is concerned, I was referring to the fact that a NAT box is
NOT a stateful proxy firewall.  There are attacks on simple packet filtering
firewalls like a NAT box with ipchains, but then there are attacks on anything
if you invest enough time/energy into it.  Moreton Bay describes their NAT box
as a "firewall" while RampNet distinguishes a more expensive model, beyond NAT,
as its "firewall" product.  Both are correct in concept, but differ in degree.

I view NAT boxes with incoming packet filtering as a reasonably "basic"
firewall.  Deciding if you need more protection than this requires a risk
analysis and takes time.  But certainly, if you want Internet access from your
LAN and don't want to go to the expense of a proxy server, NAT is a nice
compromise.

Now as far as Windows 2000 (W2K) NAT and VPN is concerned, I have to admit
that I jumped the gun on one issue:  Professional vs. Server.  NAT and PPTP
VPNs can coexist on W2K Server by virtue of being able to configure a PPTP
filter for NAT equivalent to the masq_pptp module for Linux mentioned elsewhere
on this list.  (NO SUCH FILTER can exist for IPsec secured VPNs.)  I jumped the
gun when I implied that W2K Pro automatically configured a PPTP mask/filter for
PPTP.  The Pro product hides more of the configuration, trying to automate the
setup by hiding NAT behind the concept of "Internet Connection Sharing".  It's
not yet clear to me if simply configuring ICS and PPTP together on the Pro
release "does the right thing".  I'll get back to this next week.

Note that all W2K versions include IPsec, L2TP and PPTP VPN support, optional
routing and some form of packet filtering.  The Pro version supports blanket
incoming packet filtering (i.e. blocks access to designated service ports from
any remote address) while the Server model is much more flexible (I think
functionally equivalent to ipchains, but I may be overstating it.)

More later.  -Chuck Flink   www.infosecana.com

----- Original Message -----
From: "Robinson, Eric R." <erobinson at dot.state.nv.us>
To: "'Chuck Flink'" <cwf at att.net>; "Robinson, Eric R."
<erobinson at dot.state.nv.us>; <pptp-server at lists.schulte.org>
Sent: Thursday, January 13, 2000 7:34 PM
Subject: RE: [pptp-server] State-based Firewall and VPN Server on One Box?


> When you say you're using W2K for a "NAT/PPTP basic firewall," does that
> mean it's providing VPN services as well? And what do you mean by "basic?"
>
> Looking forward to some expansion on that part.
>
> --Eric
>
> -----Original Message-----
> From: Chuck Flink [mailto:cwf at infosecana.com]
> Sent: Thursday, January 13, 2000 2:34 PM
> To: Robinson, Eric R.; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] State-based Firewall and VPN Server on One
> Box?
>
>
> Check out www.rampnet.com products.  I used an early one for demand-dialed
> ISDN (128k) access to MSN for a couple of years and found it a quite
> satisfactory NAT for a half-dozen developers in my lab.  It was then about
> $600.  Today, if they aren't a good bit cheaper, it's because sales are
> holding the price up.  It should be as cheap or cheaper than what you can
> make on your own... no disk, no floppy, remote admin from any PC on your
> LAN, built-in 10BaseT hub, etc.  Mine was about the size of a cable modem.
> (I see they now have more expensive models designated as firewalls.)
>
> Don't get me wrong:  I love Linux and look forward to there being a well
> packaged single-floppy Linux with NAT, PPTP, etc.  ....and it's coming.
> But if you want to buy something off-the-shelf that supports PPTP, NAT,
> additional firewall features, etc. from a concern that's been around
> for a while, I recommend this one.
>
> P.S.  I'm looking forward to seeing the other postings on this.  I'm
> currently using an RC-2 Windows 2000 Pro as a NAT/PPTP basic firewall box
> connected to RoadRunner.  It works great and was easy to set up.  Once the
> Feb release date comes, I hope to switch to using one of my old 486 PCs as
> a Linux/NAT/pptp box and want to hear it's easy to do.
>
> - Chuck Flink   www.infosecana.com/flinkink
>
> ----- Original Message -----
> From: "Robinson, Eric R." <erobinson at dot.state.nv.us>
> To: <pptp-server at lists.schulte.org>
> Sent: Thursday, January 13, 2000 3:56 PM
> Subject: [pptp-server] State-based Firewall and VPN Server on One Box?
>
>
> > Greetings,
> >
> > I've been "lurking" on this list for a while and now I have a question for
> > the assembly.
> >
> > I'm looking for a nice, clean, single-box Linux solution for state-based
> > firewalling, true NAT and VPN services for Windows clients. What is your
> > opinion? Can that be done? Is PoPtoP part of the answer?
> >
> > When I say "true NAT," I mean that external addresses must be statically
> > mappable to internal hosts, and it must not matter whether the external
> > addresses are public or private.
> >
> > I'd really like to hear some detailed opinions on this one.
> >
> > --
> > Eric Robinson
> > Network Analyst
> > Nevada DOT
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulte.org!
> >
> >
>
>
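The thread turns on why NAT and a PPTP VPN only coexist when the NAT has a PPTP-specific helper (the masq_pptp module on Linux, the "PPTP filter" on W2K Server). The reason is that PPTP data rides in GRE (IP protocol 47), which carries no port numbers; the only thing a NAT can key inbound GRE on is the 16-bit Call ID, and two internal clients are free to pick the same one. The following is an added example, not code from Chuck Flink, the list, or any real NAT implementation: a small in-memory model of the helper's job, using the real field layouts from RFC 2637 (Outgoing-Call-Request control message, enhanced GRE header). The external address and client addresses are constructed test values, and only the one control message type needed to show the mechanism is handled.

```python
"""Model of a PPTP-aware NAT helper: rewrite the client's Call ID on the TCP/1723
control channel so it is unique behind the NAT, then use it to demultiplex
inbound GRE.  All packets are constructed in memory; nothing is sent.
"""
import struct

PPTP_MAGIC = 0x1A2B3C4D             # RFC 2637 2.1 magic cookie
CTRL_OUTGOING_CALL_REQUEST = 7      # RFC 2637 2.7
GRE_PROTO_PPP = 0x880B              # enhanced GRE, payload is PPP
EXT_IP = "203.0.113.10"             # assumed public address of the NAT box


def build_outgoing_call_request(call_id: int) -> bytes:
    """168-byte Outgoing-Call-Request; the client's Call ID sits at offset 12."""
    hdr = struct.pack(">HHIHH", 168, 1, PPTP_MAGIC, CTRL_OUTGOING_CALL_REQUEST, 0)
    body = struct.pack(">HHIIIIHHHH", call_id, 1, 300, 100_000_000, 3, 3, 64, 0, 0, 0)
    return hdr + body + b"\x00" * 128          # empty phone number + subaddress


def build_gre(call_id: int, seq: int, payload: bytes) -> bytes:
    """Enhanced GRE header (RFC 2637 4.1) with K and S set; Call ID at offset 6."""
    flags, ver = 0x30, 0x01                    # K=1, S=1; version 1, A bit clear
    return struct.pack(">BBHHHI", flags, ver, GRE_PROTO_PPP, len(payload), call_id, seq) + payload


class PptpNat:
    """Tracks (client_ip, client_call_id) <-> NAT-unique external Call ID."""

    def __init__(self, external_ip: str):
        self.external_ip = external_ip
        self._out = {}      # (client_ip, client_call_id) -> ext_call_id
        self._in = {}       # ext_call_id -> (client_ip, client_call_id)
        self._next = 1

    def _alloc(self, client_ip: str, client_call_id: int) -> int:
        key = (client_ip, client_call_id)
        if key not in self._out:
            while self._next in self._in:              # skip IDs already in use
                self._next = (self._next % 0xFFFF) + 1
            self._out[key] = self._next
            self._in[self._next] = key
        return self._out[key]

    def translate_control_out(self, client_ip: str, msg: bytes) -> bytes:
        """Outbound TCP/1723: make the client's Call ID unique across the LAN."""
        _length, mtype, magic, ctrl = struct.unpack_from(">HHIH", msg, 0)
        if mtype != 1 or magic != PPTP_MAGIC:
            raise ValueError("not a PPTP control message")
        if ctrl != CTRL_OUTGOING_CALL_REQUEST:
            return msg                                 # other messages pass untouched here
        (client_call_id,) = struct.unpack_from(">H", msg, 12)
        ext = self._alloc(client_ip, client_call_id)
        return msg[:12] + struct.pack(">H", ext) + msg[14:]

    def translate_gre_in(self, pkt: bytes):
        """Inbound GRE from the server: Call ID is the only demux key available."""
        flags, ver, proto, _plen, ext_call_id = struct.unpack_from(">BBHHH", pkt, 0)
        if proto != GRE_PROTO_PPP or (ver & 0x07) != 1 or not flags & 0x20:
            raise ValueError("not enhanced GRE carrying PPP")
        try:
            client_ip, client_call_id = self._in[ext_call_id]
        except KeyError:
            # A plain port-based NAT is in this position for every GRE packet.
            raise LookupError(f"no session for Call ID {ext_call_id}; drop") from None
        return client_ip, pkt[:6] + struct.pack(">H", client_call_id) + pkt[8:]


def demo():
    """Two clients both choose Call ID 1; the helper keeps their sessions apart."""
    nat = PptpNat(EXT_IP)
    a = nat.translate_control_out("192.168.1.10", build_outgoing_call_request(1))
    b = nat.translate_control_out("192.168.1.11", build_outgoing_call_request(1))
    ext_a = struct.unpack_from(">H", a, 12)[0]
    ext_b = struct.unpack_from(">H", b, 12)[0]
    # Server sends GRE for the second client, addressed by the rewritten Call ID.
    client_ip, pkt = nat.translate_gre_in(build_gre(ext_b, 7, b"\xff\x03\xc0\x21"))
    return ext_a, ext_b, client_ip, struct.unpack_from(">H", pkt, 6)[0]


if __name__ == "__main__":
    print(demo())
```

The model makes the W2K Pro question concrete: ICS alone is a port-based NAT, so without something doing the Call ID bookkeeping above, inbound GRE has no port to match and is dropped, even though the TCP/1723 control connection itself traverses the NAT fine.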
