[pptp-server] State-based Firewall and VPN Server on One Box?

Robinson, Eric R. erobinson at dot.state.nv.us
Fri Jan 14 23:15:49 CST 2000


Hi Chuck,

I always start by dreaming up exactly what I want, then backing off as the
realities pile on. I want maximum security and clean VPN services for
Windows clients on a single box, and I want it, um, FREE, and I want it NOW.
Plus, I want to add some Linux to my resume. 

Hence the search for a Linux. It's mostly free. It's downloadable now. (I'm
seriously considering the Webramp 700s product, but one of the main things
holding me back is that it just wouldn't be as FUN.)

Adrian suggested in an earlier message that the answer is PoPToP and
Netfilter. What do you think about that?

Also, you seem to imply that IPSec-based VPNs and NAT can't exist on the
same box, whereas PPTP-based VPNs and NAT can. I think I must have
misunderstood you. I can't think of a reason why IPSec and NAT shouldn't be
compatible. Theoretically, the box should examine the IP packet to see
whether it contains an IPSec payload. If it does, it hands it off to the VPN
software, which strips the IP header, decrypts the ESP, and forwards the
recovered packet to the internal network. If the IP packet does NOT contain
an ESP, the box hands it off to the firewall software, which checks the
destination address against its NAT table. If it matches a NAT mapping, it
then applies the filter list and state information against it. Finally, it
replaces the destination with the internal address from the NAT table and
forwards it to the internal network. Is that not how it works?

--Eric
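The dispatch Eric sketches above (inspect the IP header; IPsec to the box goes to the VPN software, everything else is checked against a static NAT table and rewritten) can be shown as a small piece of code. The block below is an added illustration, not code from this thread, PoPToP or Netfilter. It parses raw IPv4 headers, verifies the header checksum, hands ESP (protocol 50) and AH (protocol 51) addressed to the box to a VPN path, and applies a one-to-one "true NAT" map (external address to internal host) to everything else, recomputing the IPv4 checksum. The addresses, the NAT table and the sample packets are all constructed for the example; the firewall address, the table contents and the function names are assumptions.

```python
"""
Added example (not from the pptp-server thread): the inbound dispatch
a single NAT/VPN box would do on each packet.  Addresses and the NAT
table below are constructed for illustration.
"""
import ipaddress
import struct

PROTO_TCP, PROTO_UDP, PROTO_GRE, PROTO_ESP, PROTO_AH = 6, 17, 47, 50, 51

# Static one-to-one NAT table: external address -> internal host (assumed).
STATIC_NAT = {
    "203.0.113.10": "192.168.1.10",
    "203.0.113.11": "192.168.1.11",
}
FIREWALL_ADDR = "203.0.113.1"  # the box's own external address (assumed)


def ipv4_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words, complemented."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    """Build a minimal 20-byte IPv4 header (no options) plus payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0,
                      64, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes):
    """Return (header_len, proto, src, dst); raise ValueError if malformed."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise ValueError("truncated header")
    # A header whose checksum is intact sums (with the checksum) to zero.
    if ipv4_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    src = str(ipaddress.IPv4Address(pkt[12:16]))
    dst = str(ipaddress.IPv4Address(pkt[16:20]))
    return ihl, pkt[9], src, dst


def rewrite_dst(pkt: bytes, new_dst: str) -> bytes:
    """Replace the destination address and fix the IPv4 header checksum.

    A real NAT must also patch the TCP/UDP checksum, whose pseudo-header
    covers the addresses; that step is left out of this toy.
    """
    ihl = (pkt[0] & 0x0F) * 4
    hdr = bytearray(pkt[:ihl])
    hdr[16:20] = ipaddress.IPv4Address(new_dst).packed
    hdr[10:12] = b"\x00\x00"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + pkt[ihl:]


def dispatch(pkt: bytes, nat_table=STATIC_NAT, self_addr=FIREWALL_ADDR):
    """Classify one inbound packet: ('vpn'|'nat'|'drop', packet)."""
    try:
        _ihl, proto, _src, dst = parse_ipv4(pkt)
    except ValueError:
        return "drop", pkt
    # IPsec addressed to the box itself: the VPN software strips the outer
    # header and decrypts the ESP payload before anything is forwarded.
    if proto in (PROTO_ESP, PROTO_AH) and dst == self_addr:
        return "vpn", pkt
    internal = nat_table.get(dst)
    if internal is None:
        return "drop", pkt          # no static mapping, nothing gets in
    # AH authenticates the outer IP header, so a rewritten destination
    # can never verify at the inside host; forwarding it is pointless.
    if proto == PROTO_AH:
        return "drop", pkt
    # ESP does not cover the outer header, so a one-to-one rewrite leaves
    # it intact; GRE (PPTP's data channel) likewise passes, since nothing
    # but the address changes.  Many-to-one masquerading is a different
    # matter: GRE and ESP carry no ports to multiplex on, which is why
    # PPTP masquerading needs a protocol-aware helper.
    # (A real firewall applies its filter rules and state table here.)
    return "nat", rewrite_dst(pkt, internal)
```

The classifier only rewrites the IP header; a working NAT also adjusts transport checksums and keeps per-flow state for the reverse direction, which this example leaves out.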


-----Original Message-----
From: Chuck Flink [mailto:cwf at infosecana.com]
Sent: Friday, January 14, 2000 9:21 AM
To: Robinson, Eric R.; pptp-server at lists.schulte.org
Subject: Re: [pptp-server] State-based Firewall and VPN Server on One Box?


Eric,
I noted Matt Ramsay's reference to the NETtel box from www.moretonbay.com
which seems to be a direct competitor for the RampNet WebRamp products I
referenced.  Issue: value of having Linux vs. whatever (probably another UNIX
clone) as the internal software/firmware.  Check for an article I'll be
posting by the end of the day at:  www.infosecana.com/flinkink

As far as "basic" is concerned, I was referring to the fact that a NAT box is
NOT a stateful proxy firewall.  There are attacks on simple packet filtering
firewalls like a NAT box with ipchains, but then there are attacks on anything
if you invest enough time/energy into it.  Moreton Bay describes their NAT box
as a "firewall" while RampNet distinguishes a more expensive model, beyond NAT,
as its "firewall" product.  Both are correct in concept, but differ in degree.

I view NAT boxes with incoming packet filtering as a reasonably "basic"
firewall.  Deciding if you need more protection than this requires a risk
analysis and takes time.  But certainly, if you want Internet access from your
LAN and don't want to go to the expense of a proxy server, NAT is a nice
compromise.

Now as far as Windows 2000 (W2K) NAT and VPN is concerned, I have to
admit that I jumped the gun on one issue:  Professional vs. Server.  NAT and
PPTP VPNs can coexist on W2K Server by virtue of being able to configure
a PPTP filter for NAT equivalent to the masq_pptp module for Linux mentioned
elsewhere on this list.  (NO SUCH FILTER can exist for IPsec secured VPNs.)
I jumped the gun when I implied that W2K Pro automatically configured a PPTP
mask/filter for PPTP.  The Pro product hides more of the configuration,
trying to automate the setup by hiding NAT behind the concept of "Internet
Connection Sharing".  It's not yet clear to me if simply configuring ICS and
PPTP together on the Pro release "does the right thing".  I'll get back to
this next week.

Note that all W2K versions include IPsec, L2TP and PPTP VPN support,
optional routing and some form of packet filtering.  The Pro version supports
blanket incoming packet filtering (i.e. blocks access to designated service
ports from any remote address) while the Server model is much more flexible
(I think functionally equivalent to ipchains, but I may be overstating it.)

More later.  -Chuck Flink   www.infosecana.com

----- Original Message -----
From: "Robinson, Eric R." <erobinson at dot.state.nv.us>
To: "'Chuck Flink'" <cwf at att.net>; "Robinson, Eric R."
<erobinson at dot.state.nv.us>; <pptp-server at lists.schulte.org>
Sent: Thursday, January 13, 2000 7:34 PM
Subject: RE: [pptp-server] State-based Firewall and VPN Server on One Box?


> When you say you're using W2K for a "NAT/PPTP basic firewall," does that
> mean it's providing VPN services as well? And what do you mean by "basic?"
>
> Looking forward to some expansion on that part.
>
> --Eric
>
> -----Original Message-----
> From: Chuck Flink [mailto:cwf at infosecana.com]
> Sent: Thursday, January 13, 2000 2:34 PM
> To: Robinson, Eric R.; pptp-server at lists.schulte.org
> Subject: Re: [pptp-server] State-based Firewall and VPN Server on One Box?
>
>
> Check out www.rampnet.com products.  I used an early one for demand-
> dialed ISDN (128k) access to MSN for a couple of years and found it a
> quite satisfactory NAT for a half-dozen developers in my lab.  It was then
> about $600.  Today, if they aren't a good bit cheaper, it's because sales
> are holding the price up.  It should be as cheap or cheaper than what you
> can make on your own... no disk, no floppy, remote admin from any PC on
> your LAN, built-in 10BaseT hub, etc.  Mine was about the size of a cable
> modem.  (I see they now have more expensive models designated as
> firewalls.)
>
> Don't get me wrong:  I love Linux and look forward to there being a well
> packaged single-floppy Linux with NAT, PPTP, etc.  ....and it's coming.
> But if you want to buy something off-the-shelf that supports PPTP, NAT,
> additional firewall features, etc. from a concern that's been around
> for a while, I recommend this one.
>
> P.S.  I'm looking forward to seeing the other postings on this.  I'm
> currently using a RC-2 Windows 2000 Pro as a NAT/PPTP basic firewall box
> connected to RoadRunner.  It works great and was easy to setup.  Once
> the Feb release date comes, I hope to switch to using one of my old 486
> PCs as a Linux/NAT/pptp box and want to hear it's easy to do.
>
> - Chuck Flink   www.infosecana.com/flinkink
>
> ----- Original Message -----
> From: "Robinson, Eric R." <erobinson at dot.state.nv.us>
> To: <pptp-server at lists.schulte.org>
> Sent: Thursday, January 13, 2000 3:56 PM
> Subject: [pptp-server] State-based Firewall and VPN Server on One Box?
>
>
> > Greetings,
> >
> > I've been "lurking" on this list for a while and now I have a question
> > for the assembly.
> >
> > I'm looking for a nice, clean, single-box Linux solution for state-based
> > firewalling, true NAT and VPN services for Windows clients. What is your
> > opinion? Can that be done? Is PoPtoP part of the answer?
> >
> > When I say "true NAT," I mean that external addresses must be statically
> > mappable to internal hosts, and it must not matter whether the external
> > addresses are public or private.
> >
> > I'd really like to hear some detailed opinions on this one.
> >
> > --
> > Eric Robinson
> > Network Analyst
> > Nevada DOT
> >
> > _______________________________________________
> > pptp-server maillist  -  pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulte.org!
> >
> >
>
>


_______________________________________________
pptp-server maillist  -  pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulte.org!
