Don't let hackers target your network
My June article, "Point-to-Point Tunneling Protocol," showed you
how to build a Virtual Private Network (VPN) using Microsoft's Point-to-Point
Tunneling Protocol (PPTP). By following the configuration outlined in that
article, you can set up a Remote Access Service (RAS)/PPTP server on your
network, and give your clients secure, encrypted access to your internal network
via the Internet.
Now that you have implemented a PPTP solution, have you increased your
network's security accordingly? If you haven't had a chance to re-evaluate your
security policy, or if you are interested in making your network more secure,
this article will give you some basic tips on how to protect your network from
intrusions.
Reach Out and Touch Someone
As I mentioned in the June article, you can dial up your PPTP connection by
using either an IP address or a fully qualified domain name in the phone number
field of the Dial-Up Networking (DUN) dialog box. Fully qualified domain names
simplify navigating and finding things on the Internet. This capability is great
when you're surfing Web sites and other public systems. However, making things
easier to find is not a desirable feature for your private network.
Let's say that you've just built a RAS/PPTP server for your users that has
a public Internet address of 172.16.1.1 (this address is an example, and is not
a valid public Internet address). To simplify configuring connections for your
users, you create the fully qualified domain name PPTP.yourcompany.com and
put this address into the Domain Name System (DNS) on the Internet, pointing to
address 172.16.1.1.
DNS is the "phone book" of the Internet. By providing a name
resolution service for anyone on the Internet, DNS lets you enter user-friendly
names instead of IP numbers to connect to sites. For example, when you ask your
browser to connect to http://www.winntmag.com, your PC--if it doesn't already
know which IP address to use--sends a query to the DNS server defined in its
TCP/IP configuration. The DNS server receives the query, "Hi, what number
do I use to contact www.winntmag.com?" The server replies, "The IP
number is 204.56.55.202."
In this sense, DNS is more of a convenience than a necessity, and the
Internet can technically function without it. All a computer needs to navigate
the Internet is the correct IP address to establish a connection with. You can
observe this connection by accessing Windows NT Magazine's home page by
entering the IP address instead of its name. Point your browser to http://204.56.55.202,
and watch the page load. Although this method works, no one wants
to remember the IP addresses of all the Web sites they need, so DNS acts as a
helpful human-oriented navigation tool.
Too Much of a Good Thing
Helpful, however, is not a good thing when your network has public access
points. After all, you wouldn't request listings of your standard dial-up lines
in your local white pages. Nevertheless,
creating a descriptive DNS entry for your PPTP server amounts to the same
type of thing. As a matter of fact, creating a descriptive entry is even worse,
because this information is usually easier to find than phone book listings.
Suppose that I'm an unscrupulous hacker who wants to get into your network.
Using publicly available records on the Internet and a correctly configured DNS
server, I can find all the systems in your network that have associated DNS
entries and their IP addresses. If I stumble across an entry called
PPTP.yourcompany.com, this address gives me a significant clue as to what is
waiting at that address, how to connect with that system, and what to expect
once I've connected. Fortunately, most DNS servers will not surrender this
information unless you configure them to do so.
After successfully negotiating a connection to your PPTP server, my final
step is to find a username and password combination that lets me access your
network. Having good internal security policies in place can help you deter this
attack; the best security is not letting unauthorized users get to a point where
they can attempt a logon validation. After all, you wouldn't let a complete
stranger walk into your building, sit down at a PC, and start attempting logons,
would you?
Conceal the Obvious
So how can you protect yourself from such attacks? Don't make a DNS entry
for your PPTP server. Without a DNS entry, a hacker will have difficulty
determining whether a certain IP address belongs to a server, workstation,
printer, or some other device.
If you absolutely must create a DNS entry for the server, consider using an
obscure name such as EARTH.yourcompany.com, or something that doesn't
provide any clues as to the function of the device assigned to this address. To
create confusion, people name their servers after planets, Santa's reindeer, the
Seven Dwarfs, Star Trek characters, and so on. The more ambiguous the
server name, the better.
For the public to access your Web site, you want to keep systems such as
your Web server at www.yourcompany.com and your FTP server at ftp.yourcompany.com.
However, anything that you don't want the general public to access needs to
have an obscure name or no name (DNS entry) at all.
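One way to check your own zone for the problem this section describes is to audit it for hostnames that name the service behind them. The script below is an added example, not code from the article; the zone text is constructed, and the keyword lists are assumptions to adapt for your own site.

```python
"""Audit a BIND-style zone for hostnames that advertise a remote-access role.
Added example; the zone is constructed and the keyword sets are assumptions."""
import re
REVEALING = {"pptp", "vpn", "ras", "rras", "dialin", "dialup", "remote"}
PUBLIC_OK = {"www", "ftp", "mail"}  # meant to be found, as the article says
# Constructed sample zone (172.16.x.x stands in for public addresses, as in the text).
SAMPLE_ZONE = """\
$ORIGIN yourcompany.com.
@        IN SOA  ns1 hostmaster 2019081301 7200 900 1209600 3600
www      IN A    172.16.1.10   ; public Web server, expected to be visible
pptp     IN A    172.16.1.1    ; names the service waiting at the address
vpn-gw   IN A    172.16.1.2
earth    IN A    172.16.1.3    ; obscure name, gives nothing away
ras.yourcompany.com.  IN A  172.16.1.4
"""

A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\S+)", re.I)

def parse_a_records(zone_text):
    """Return [(fqdn, ip)] for every A record, honouring $ORIGIN and ; comments."""
    origin, records = "", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if line.upper().startswith("$ORIGIN"):
            origin = line.split()[1].rstrip(".")
            continue
        m = A_RECORD.match(line)
        if not m:
            continue
        name, ip = m.group(1), m.group(2)
        if name == "@":
            name = origin + "."
        fqdn = name.rstrip(".") if name.endswith(".") else f"{name}.{origin}"
        records.append((fqdn.lower(), ip))
    return records

def revealing_names(zone_text):
    """FQDNs whose host label (split on - and _) contains a role-revealing word."""
    flagged = []
    for fqdn, ip in parse_a_records(zone_text):
        host = fqdn.split(".")[0]
        if host in PUBLIC_OK:
            continue
        if set(re.split(r"[-_]", host)) & REVEALING:
            flagged.append((fqdn, ip))
    return flagged
```

Running `revealing_names(SAMPLE_ZONE)` flags pptp, vpn-gw and ras while leaving www and earth alone.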
Play Dead
Configure the PPTP server to accept only PPTP packets: Select the Enable
PPTP Filtering check box in the Advanced IP Addressing dialog box, as shown in
Screen 1. If you select this option, your system will not respond to any ping or
tracert packets, which makes that IP address look unused. A common routine for
determining which systems are on a network is to do a net scan of a block of IP
addresses and see which systems respond. If your PPTP server doesn't respond, a
less-skilled hacker will breeze right past your system, leaving it untouched.
The flip side of the coin is that you won't be able to ping the PPTP server
as a matter of routine troubleshooting techniques. You will need to implement
other methods of remotely troubleshooting that system (such as a standard
dial-in port) so that you can check the server from inside your network.
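To make concrete what "accept only PPTP packets" means on the wire, the following added example (not code from the article or from Microsoft) models the filter's verdict on constructed IPv4 packets. It assumes the PPTP port and protocol numbers from RFC 2637 (TCP 1723 for control, GRE/IP protocol 47 for tunnelled data), which the article does not state.

```python
"""Model the Enable PPTP Filtering behaviour: answer only PPTP control (TCP/1723)
and tunnel (GRE, IP protocol 47) packets, stay silent to everything else.
Added example, not from the article; packets are constructed with struct."""
import struct

PROTO_ICMP, PROTO_TCP, PROTO_UDP, PROTO_GRE = 1, 6, 17, 47
PPTP_PORT = 1723  # PPTP control connection (RFC 2637)

def build_ipv4(proto, payload, src="192.0.2.10", dst="172.16.1.1"):
    """Minimal IPv4 header (no options, checksum left zero) in front of payload."""
    ip = lambda a: bytes(int(o) for o in a.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ip(src), ip(dst))
    return hdr + payload

def pptp_filter_verdict(packet):
    """'accept' for TCP to port 1723 or any GRE packet; 'drop' for the rest."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return "drop"
    ihl, proto = (packet[0] & 0x0F) * 4, packet[9]
    if proto == PROTO_GRE:
        return "accept"
    if proto == PROTO_TCP and len(packet) >= ihl + 4:
        dst_port = struct.unpack("!H", packet[ihl + 2:ihl + 4])[0]
        if dst_port == PPTP_PORT:
            return "accept"
    return "drop"  # ICMP echo, UDP probes, other TCP ports: no reply at all

def sample_verdicts():
    """Constructed ping/tracert-style probes plus genuine PPTP traffic."""
    probes = {
        "icmp_echo": build_ipv4(PROTO_ICMP, bytes([8, 0, 0, 0, 0, 1, 0, 1])),
        "udp_traceroute": build_ipv4(PROTO_UDP, struct.pack("!HHHH", 40000, 33434, 8, 0)),
        "tcp_http": build_ipv4(PROTO_TCP, struct.pack("!HH", 40001, 80) + bytes(16)),
        "tcp_pptp": build_ipv4(PROTO_TCP, struct.pack("!HH", 40002, PPTP_PORT) + bytes(16)),
        "gre_tunnel": build_ipv4(PROTO_GRE, struct.pack("!HH", 0x3001, 0x880B)),
    }
    return {name: pptp_filter_verdict(pkt) for name, pkt in probes.items()}
```

The same silence that hides the server from a net scan is what breaks routine ping and tracert checks, which is why the text recommends another path for troubleshooting.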
Our Toronto, Ontario, office has Windows NT workstations A, B, C, and D and NT server XX on a LAN connected to the Internet via a router and ISDN. Our Calgary, Alberta, office has NT workstations P, Q, R, and S and NT server YY on a LAN connected to the Internet via a router and ISDN. My home has NT server ZZ connected to the Internet via a cable company.
I can connect ZZ to YY with PPTP so that ZZ sees P, Q, R, S, and YY, but only YY sees ZZ. The other machines P, Q, R, and S cannot see ZZ. We tried installing WINS on YY, but it doesn't seem to help. Can A, B, C, D, P, Q, R, S, XX, YY, and ZZ look like a LAN using PPTP, or do I need to start from scratch and buy new hardware?
--Peter Thompson

You need Microsoft's Routing and Remote Access Service (RRAS) update (formerly code-named Steelhead). Basic RAS/PPTP is a solution for client to server connections only—it doesn't handle servers that need to communicate with servers. You'll need fixed IP addresses at each site (which doesn't sound like a problem in your case), which you can do with either dial-up or nailed-up connections. My article, "Create a Virtual Private Network with RRAS," page 169, details how to set up this configuration.
--Douglas Toombs
Peter Thompson August 13, 1999