PPTP Security and Cisco PIX Firewall

Posted on 2005-03-23
Medium Priority
Last Modified: 2013-11-16
This is probably a simple question, but I need to know a little about PPTP and PIX firewall configs.

Currently, I've inherited a PIX firewall that is allowing incoming PPTP connections.  I know that it is not configured to support MPPE encryption. (Which I know how to configure on the PIX)

Now, when a remote user tries to connect to the PPTP VPN through their local machine, it will not connect unless the option 'Require Data Encryption' under the Security tab of the PPTP connection is UNCHECKED.  If the box is checked, the computer will disconnect from the VPN immediately.

Now, does this mean that our users are currently sending data in the clear through the Internet when they connect with their PPTP connections?  Or am I misunderstanding how this works?

Thanks guys!
Question by:sbaylis
Accepted Solution

pazmanpro earned 2000 total points
ID: 13618336
Yes. Without encryption, PPTP is basically a GRE tunnel and someone sniffing the data can see it in clear text unless the data itself was encrypted before going over the tunnel (SSL for example).

My advice: do away with PPTP and use IPSEC instead, or at least use 128-bit MPPE encryption.
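
The check a practitioner would want for the answer above is to look at what the GRE tunnel is actually carrying. This is an added example, not code from the original thread: a small parser for PPTP data packets (enhanced GRE, RFC 2637) that reads the PPP protocol field. Plain IP (0x0021) inside the tunnel means user data is in the clear; 0x00FD is the number MPPE (RFC 3078) uses for its encrypted datagrams, and bit D of the MPPE header confirms the frame is encrypted. The packets at the bottom are constructed by hand for the demonstration, not taken from a capture.

```python
"""Classify PPTP data packets as cleartext, MPPE-encrypted, control or ack-only.

Added example; input is an enhanced-GRE packet (RFC 2637) with the outer IP
header already removed, e.g. the payload of a 'proto gre' tcpdump capture.
"""
import struct
from collections import Counter

GRE_PROTO_PPP = 0x880B     # GRE protocol type for PPP (RFC 2637)
PPP_IPV4 = 0x0021
PPP_IPV6 = 0x0057
PPP_MPPE = 0x00FD          # "compressed datagram"; MPPE (RFC 3078) reuses this number
PPP_LCP = 0xC021
PPP_CHAP = 0xC223
PPP_CCP = 0x80FD
MPPE_ENCRYPTED = 0x1000    # bit D of the MPPE/MPPC header: packet is encrypted


def parse_enhanced_gre(pkt: bytes):
    """Return (call_id, ppp_frame) from an enhanced-GRE packet (no outer IP header)."""
    if len(pkt) < 8:
        raise ValueError("short GRE header")
    flags, ver_byte, proto, payload_len, call_id = struct.unpack("!BBHHH", pkt[:8])
    if proto != GRE_PROTO_PPP or (ver_byte & 0x07) != 1:
        raise ValueError("not a PPTP enhanced-GRE packet")
    off = 8
    if flags & 0x10:          # S bit: 32-bit sequence number follows
        off += 4
    if ver_byte & 0x80:       # A bit: 32-bit acknowledgment number follows
        off += 4
    return call_id, pkt[off:off + payload_len]


def ppp_protocol(ppp: bytes):
    """Return (protocol, info_offset), allowing for ACFC (no ff03) and PFC (1-byte protocol)."""
    off = 2 if ppp[:2] == b"\xff\x03" else 0
    if ppp[off] & 0x01:       # odd first byte: protocol field compressed to one byte
        return ppp[off], off + 1
    return struct.unpack("!H", ppp[off:off + 2])[0], off + 2


def classify(pkt: bytes) -> dict:
    """Label one PPTP data packet: cleartext, encrypted, compressed-only, control or ack-only."""
    call_id, ppp = parse_enhanced_gre(pkt)
    if not ppp:
        return {"call_id": call_id, "kind": "ack-only", "proto": None}
    proto, off = ppp_protocol(ppp)
    if proto == PPP_MPPE:
        mppe_hdr = struct.unpack("!H", ppp[off:off + 2])[0]
        kind = "encrypted" if mppe_hdr & MPPE_ENCRYPTED else "compressed-only"
    elif proto in (PPP_IPV4, PPP_IPV6):
        kind = "cleartext"
    else:
        kind = "control"      # LCP, CHAP, CCP, IPCP and friends
    return {"call_id": call_id, "kind": kind, "proto": proto}


def audit(packets) -> Counter:
    """Count packet kinds; any 'cleartext' hit means user data crossed the tunnel unprotected."""
    return Counter(classify(p)["kind"] for p in packets)


def build_gre(call_id: int, seq: int, ppp: bytes) -> bytes:
    """Build an enhanced-GRE packet (K and S bits set, version 1) around a PPP frame."""
    return struct.pack("!BBHHHI", 0x30, 0x01, GRE_PROTO_PPP, len(ppp), call_id, seq) + ppp


# Constructed sample traffic for one call (call ID 7); not a real capture.
IPV4_HDR = bytes.fromhex("4500001400004000400100000a0000010a000002")  # 10.0.0.1 -> 10.0.0.2
CLEARTEXT_PKT = build_gre(7, 1, b"\xff\x03\x00\x21" + IPV4_HDR)        # plain IP in the tunnel
PFC_CLEARTEXT_PKT = build_gre(7, 2, b"\x21" + IPV4_HDR)                # same, ACFC + PFC negotiated
ENCRYPTED_PKT = build_gre(7, 3, b"\xff\x03\x00\xfd"
                          + struct.pack("!H", MPPE_ENCRYPTED | 0x123)  # D bit + coherency count
                          + bytes.fromhex("9b2f6c7a01e4d388"))         # made-up ciphertext
LCP_ECHO_PKT = build_gre(7, 4, b"\xff\x03\xc0\x21\x09\x01\x00\x08\x00\x00\x00\x00")
ACK_ONLY_PKT = struct.pack("!BBHHHI", 0x20, 0x81, GRE_PROTO_PPP, 0, 7, 3)  # A bit, no payload

if __name__ == "__main__":
    samples = [CLEARTEXT_PKT, PFC_CLEARTEXT_PKT, ENCRYPTED_PKT, LCP_ECHO_PKT, ACK_ONLY_PKT]
    for p in samples:
        print(classify(p))
    print(audit(samples))
```

Run it over the GRE payloads of a capture taken on the outside interface (tcpdump's `proto gre` filter selects them; strip the outer IP header before calling `classify`). While "Require Data Encryption" is unchecked on the client, the IP-carrying frames come back as `cleartext`. Once MPPE is negotiated they come back as `encrypted`, which says the tunnel is no longer in the clear; since the MPPE keys are derived from the MS-CHAP exchange, it says nothing about how strong that protection is.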

Author Comment

ID: 13619349
That's what I was thinking.  Thanks for the response.

We can't use IPSEC since there are quite a few roaming people with the need for on-demand remote access, so I'm going to enable MPPE (although it's not the greatest, it's better than nothing).
