Using PPTP with Other Security Measures

What we’ve covered so far are the basic steps for setting up a VPN using PPTP. The viability of VPNs is directly affected by security measures implemented on the destination LAN. PPTP is a protocol like any other, and must be allowed to pass through (or bypass) a firewall or proxy server in order to work successfully.

How to Allow PPTP Through Firewalls

Like most IP-based tunneling protocols, PPTP uses a well-known port: its control channel runs over TCP port 1723. On your firewall or packet filter, allow TCP traffic to and from port 1723 on your RAS server. The tunneled data itself does not travel over TCP at all; it is carried in GRE (IP protocol 47), so if your firewall filters by IP protocol you must also allow GRE to and from the RAS server. Without the GRE rule the control session will come up but no PPP frames will flow, which is a common and confusing failure mode. It's a good idea to block every other port on your RAS server, especially the nefarious NetBIOS name service, datagram, and session ports (UDP 137, UDP 138, and TCP 139). These ports can be used to enumerate the NetBIOS names and shares of the machines on your network.

Fixed IP addresses

Since remote PPTP users will be dialing in through ISPs, they may not always have the same IP address. This rules out host-based (source address) filtering and means that a PPTP VPN relies strictly on its user-based authentication system. A fixed IP address, where the ISP assigns a user the same IP address every time they dial in, is a way around this problem. Some ISPs offer a fixed IP address as an account add-on for a nominal monthly fee. If available, this is a great way to enhance security by allowing ...
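The following shell script is an added example, not code from the book, that turns the two preceding sections into a concrete packet-filter ruleset: it emits an iptables-restore file that admits only the PPTP control channel (TCP 1723) and the GRE data channel (IP protocol 47) to the RAS server, explicitly drops the NetBIOS ports, and, when the remote user has a fixed IP address, restricts those PPTP rules to that single source. The function name, the RAS address 192.0.2.10 and the remote address 203.0.113.7 are assumptions (RFC 5737 documentation addresses); Linux iptables is used as the firewall, although the book's text is not tied to any particular product.

```shell
#!/bin/sh
# Added example (not from the book): generate an iptables-restore ruleset for a
# firewall in front of a PPTP RAS server.
#
#   pptp_filter_rules RAS_IP [REMOTE_IP]
#
# RAS_IP    - address of the RAS/PPTP server behind the firewall (assumed)
# REMOTE_IP - optional fixed address of the remote PPTP user; when given, the
#             PPTP rules accept traffic from that source only (host-based
#             filtering on top of PPTP's user authentication)
pptp_filter_rules() {
    ras="$1"
    remote="${2:-}"
    src_match=""
    if [ -n "$remote" ]; then
        src_match="-s $remote "
    fi
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# Replies to connections the RAS server already accepted or initiated
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Drop the NetBIOS name (UDP 137), datagram (UDP 138) and session (TCP 139)
# services explicitly, even though the default policy is DROP, so a later
# permissive rule cannot quietly expose them
-A INPUT -d $ras -p udp --dport 137:138 -j DROP
-A INPUT -d $ras -p tcp --dport 139 -j DROP
-A FORWARD -d $ras -p udp --dport 137:138 -j DROP
-A FORWARD -d $ras -p tcp --dport 139 -j DROP
# PPTP control channel: TCP port 1723 on the RAS server
-A INPUT ${src_match}-d $ras -p tcp --dport 1723 -j ACCEPT
-A FORWARD ${src_match}-d $ras -p tcp --dport 1723 -j ACCEPT
# GRE (IP protocol 47) carries the tunneled PPP frames. It is connectionless,
# so allow it in both directions instead of relying on connection tracking
-A INPUT ${src_match}-d $ras -p 47 -j ACCEPT
-A FORWARD ${src_match}-d $ras -p 47 -j ACCEPT
-A FORWARD -s $ras -p 47 -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for the assumed RAS address; load it with
#   sudo iptables-restore < pptp.rules
pptp_filter_rules "${1:-192.0.2.10}" "${2:-}"
```

Run the script with the RAS address alone to get the "any source" ruleset the firewall section describes, or add the remote user's fixed IP as a second argument to get the tighter ruleset the fixed-IP section argues for. Note that the NetBIOS drops are placed before the PPTP accepts deliberately: iptables evaluates rules in order, and keeping the explicit denies first means a later, broader ACCEPT for the RAS server cannot reopen those ports.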
