Best Practices for Securing PPTP


Point-to-Point Tunneling Protocol, or PPTP, is a common and popular form of VPN. It is simple to configure and, as long as the NAT device understands PPTP, supports situations where multiple clients share a single public IP address to reach one or more VPN devices. Nearly every modern operating system has built-in PPTP support, making it a very easy solution to implement.

PPTP uses two channels. A control connection on TCP port 1723 sets up and tears down the tunnel, and the tunneled PPP frames themselves are carried in GRE, or Generic Routing Encapsulation, which is IP protocol 47 rather than a TCP or UDP port. Once the tunnel is established, traffic of any type and any port can travel through it, and the PPTP VPN device routes that traffic between the tunnel and the rest of the network, giving PPTP clients full access into the network. Because the data channel is not TCP, a filter that permits only port 1723 lets the control connection succeed while the tunnel silently passes no data.

In the past, PPTP got a bit of a bad reputation for its security. The original MS-CHAP (v1) exposed the weak LAN Manager hash of the password, did not authenticate the server to the client (so a rogue server could impersonate the real one and collect authentication exchanges), and limited passwords to 14 characters. MS-CHAP v2 dropped the LAN Manager hash, added mutual authentication, and removed the 14-character limit. Keep in mind, however, that MS-CHAP v2 has since been shown to be breakable offline from a captured handshake (its response reduces to a single DES key search), so neither it nor the MPPE keys derived from it should be relied on for confidentiality over untrusted networks; where PPTP must be used, certificate-based EAP is the stronger choice.

Using PPTP in Parallel with a Firewall

It is a fairly common practice to install a VPN device in parallel with the firewall. This is to say that both the firewall and the VPN device have an interface that is connected directly to the Internet. Remote VPN users connect directly to the VPN device and their traffic does not pass through the firewall. This is especially common for PPTP implementations because PPTP traffic cannot normally be translated to an internal host via Network Address Translation: the GRE data channel carries no port numbers, so a NAT device without specific PPTP support has nothing to map. Without that support, the PPTP VPN device requires a routable IP address on the Internet in order to function correctly. Some modern firewalls offer a DMZ function where any undefined traffic defaults to a particular device. This effectively places the device outside the firewall and negates the normal protection the firewall provides. If this method of passing traffic is employed, the device should be treated as though it were in parallel with the firewall rather than in series behind it.

This parallel configuration requires that the VPN device itself be well hardened and secured, since nothing stands between it and the Internet. Careful monitoring of the device will also help to ensure that a compromise is noticed. Port filtering and security templates should be applied to the PPTP device.

One advantage of running the VPN in parallel with the firewall is that it offloads VPN traffic from the firewall. Configuration of the VPN is also simpler because no firewall changes are necessary. This configuration can also reduce the number of licenses needed for the firewall, because VPN connections do not consume outgoing session licenses.

If a PPTP device is going to be run in parallel with the firewall, it is preferable for the device to be a dedicated VPN appliance with a dedicated operating system. If the PPTP device runs a full operating system, such as Windows Server 2003 RRAS, it is recommended that you configure port filtering for the external network adapter under Advanced TCP/IP Settings, as shown in Figure 18.2, and harden the server as follows:

Figure 18.2. Port filtering for PPTP.


  • Disable all nonessential services

  • Enable TCP/IP Port filtering on the external facing NIC

  • Allow only TCP port 1723 (the PPTP control connection) in the TCP port list

  • Allow only protocol 47 (GRE, the tunnel data channel) in the IP protocol list; after applying the filter, verify with a test client that it can both connect and pass traffic through the tunnel, because an incomplete filter typically lets the control connection succeed and then drops the GRE data

  • Enable logging on the PPTP server

  • Do not allow PAP (unencrypted passwords) or SPAP

  • Require MS-CHAP v2

  • Allow EAP methods PEAP and smart card or other certificate; EAP MD5-Challenge derives no keying material and therefore cannot be combined with required MPPE encryption, so prefer the certificate-based methods

Running the PPTP Device in Parallel

To run the PPTP device in parallel with the firewall, the device needs at least two network interface cards: one facing the Internet and one facing the internal network. The port filtering should be applied only to the external interface; filtering the internal interface would block the routed traffic that the tunnel exists to carry.
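As an added example (not from the book and not Microsoft RRAS code), the following Python parses both halves of a PPTP session as described earlier in this chapter, the TCP 1723 control connection and the GRE data channel, and then applies the external-interface filter policy from the list above to a few packets. Message layouts follow RFC 2637; the sample host name, vendor string, call ID and PPP bytes are constructed here, not captured traffic.

```python
"""Added example: parse PPTP control messages (TCP/1723) and enhanced-GRE data
packets (IP protocol 47) per RFC 2637, then apply the external-NIC port filter
from the text. All sample packets are constructed inline (nothing is captured)."""
import struct
from dataclasses import dataclass
from typing import Optional

PPTP_TCP_PORT = 1723
PPTP_MAGIC_COOKIE = 0x1A2B3C4D   # fixed value present in every PPTP control message
IPPROTO_TCP = 6
IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B           # GRE protocol type for tunnelled PPP frames
CONTROL_MESSAGE_NAMES = {1: "Start-Control-Connection-Request", 2: "Start-Control-Connection-Reply",
                         7: "Outgoing-Call-Request", 8: "Outgoing-Call-Reply", 15: "Set-Link-Info"}


@dataclass
class PptpControl:
    length: int
    control_type: int
    name: str


def parse_pptp_control(payload: bytes) -> PptpControl:
    """Parse the 12-byte header common to all PPTP control messages."""
    if len(payload) < 12:
        raise ValueError("truncated PPTP control message")
    length, msg_type, cookie, ctrl_type, _reserved = struct.unpack("!HHIHH", payload[:12])
    if cookie != PPTP_MAGIC_COOKIE:
        raise ValueError("bad magic cookie: not a PPTP control message")
    if msg_type != 1:            # 1 = control message; 2 = management (unused)
        raise ValueError(f"unexpected PPTP message type {msg_type}")
    if length != len(payload):
        raise ValueError("length field does not match payload size")
    return PptpControl(length, ctrl_type, CONTROL_MESSAGE_NAMES.get(ctrl_type, f"type-{ctrl_type}"))


@dataclass
class GreData:
    call_id: int
    seq: Optional[int]
    ack: Optional[int]
    ppp: bytes


def parse_enhanced_gre(packet: bytes) -> GreData:
    """Parse the enhanced GRE header (version 1, key = payload length + call ID)."""
    if len(packet) < 8:
        raise ValueError("truncated GRE header")
    flags, proto, payload_len, call_id = struct.unpack("!HHHH", packet[:8])
    if (flags & 0x0007) != 1 or proto != GRE_PROTO_PPP or not flags & 0x2000:
        raise ValueError("not an enhanced GRE (version 1, K set, PPP) packet")
    offset, seq, ack = 8, None, None
    if flags & 0x1000:           # S bit: sequence number follows the key
        seq = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    if flags & 0x0080:           # A bit: acknowledgment number follows
        ack = struct.unpack("!I", packet[offset:offset + 4])[0]
        offset += 4
    ppp = packet[offset:]
    if len(ppp) != payload_len:
        raise ValueError("payload length field does not match packet")
    return GreData(call_id, seq, ack, ppp)


def external_filter_allows(ip_proto: int, dst_port: Optional[int]) -> bool:
    """Policy for the Internet-facing NIC: only TCP 1723 and IP protocol 47 get in."""
    if ip_proto == IPPROTO_GRE:
        return True
    return ip_proto == IPPROTO_TCP and dst_port == PPTP_TCP_PORT


def build_sccrq(hostname: bytes = b"vpn-client", vendor: bytes = b"example") -> bytes:
    """Construct a Start-Control-Connection-Request (12-byte header + 144-byte body)."""
    body = struct.pack("!HHIIHH", 0x0100, 0, 3, 3, 0, 0)   # protocol 1.0, framing/bearer caps
    body += hostname.ljust(64, b"\0") + vendor.ljust(64, b"\0")
    return struct.pack("!HHIHH", 12 + len(body), 1, PPTP_MAGIC_COOKIE, 1, 0) + body


def build_gre_ppp(call_id: int, seq: int, ppp: bytes, ack: Optional[int] = None) -> bytes:
    """Construct an enhanced GRE packet (K and S set, A set if an ack is given)."""
    flags = 0x2000 | 0x1000 | 0x0001 | (0x0080 if ack is not None else 0)
    hdr = struct.pack("!HHHHI", flags, GRE_PROTO_PPP, len(ppp), call_id, seq)
    if ack is not None:
        hdr += struct.pack("!I", ack)
    return hdr + ppp


if __name__ == "__main__":
    ctrl = parse_pptp_control(build_sccrq())
    print(f"control: {ctrl.name}, {ctrl.length} bytes")
    data = parse_enhanced_gre(build_gre_ppp(call_id=9, seq=1, ppp=b"\x00\x21\x45\x00"))
    print(f"data: call {data.call_id} seq {data.seq} {len(data.ppp)}-byte PPP frame")
    for proto, port in [(IPPROTO_TCP, 1723), (IPPROTO_GRE, None), (IPPROTO_TCP, 3389), (17, 53)]:
        print(f"proto {proto} port {port}: {'allow' if external_filter_allows(proto, port) else 'drop'}")
```

The filter function is the whole external-interface policy in two lines: GRE is admitted as an IP protocol, not as a port, which is exactly the distinction a TCP-port-only filter misses.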


Using PPTP in Series with a Firewall

If the firewall supports it, there are numerous security advantages to placing the PPTP VPN device in series with a firewall. The concept of layering security is a popular one, and the philosophy works well with VPNs. In addition to hardening the VPN device itself as described in the previous section, "Using PPTP in Parallel with a Firewall," having the firewall in series and ahead of the VPN device lets you filter traffic at the firewall as well. In this way, before the VPN device could be attacked, the firewall would first have to be compromised or passed. Anything that increases the effort needed to compromise a system, and the opportunity to detect the attempt while it is under way, increases the overall security of an environment.

Most modern application layer firewalls, proxy level firewalls, and port filtering firewalls will work well with PPTP, provided they explicitly support it: GRE is not TCP or UDP, so a proxy or NAT device must track PPTP call IDs rather than port numbers. When supported, PPTP can be passed through a firewall and can be translated to an internal host via Network Address Translation. This allows smaller companies with a single public IP address to map PPTP services through the firewall back to an internal VPN device.

PPTP Client Requirements

To make a PPTP virtual private network (VPN) connection, you must first have an Internet connection. If a system tries to make a VPN connection before it has an Internet connection, it will likely experience a noticeable delay, perhaps 60 seconds, and then receive an error message stating that there was no response or that something is wrong with the modem or other communication device.

Some common issues with the use of PPTP connections include the following:

  • An incorrect or missing account name

  • An incorrect or missing password

  • An encryption level on the client that does not satisfy the server's policy

  • An incorrect or missing PPTP remote access policy

  • Insufficient dial-in rights for the user

  • A firewall on the client side that blocks TCP port 1723 or GRE (protocol 47)

  • Network Address Translation at the server side without PPTP pass-through support

Leveraging Remote Access Policies

For a common policy, you must choose the following:

  • An access method:

    VPN access

    Dial-up access

    Wireless access

    Ethernet

  • Whether to grant access permissions by user or by group

  • Authentication methods

  • Levels of allowed encryption (depending on the access method selected)

For a custom policy, you must configure the following:

  • A set of policy conditions

  • Whether remote access permission for the policy is granted or denied

  • Remote access policy profile settings



Microsoft Windows Server 2003 Insider Solutions
ISBN: 0672326094
Year: 2003
Pages: 325