DNS and PPTP for Network Security

With a PPTP solution in place, DNS acts as a helpful, human-oriented navigation tool. Helpful, however, is not a good thing when your network has public access points. Here are some pointers for securing your network against attack.

Douglas Toombs

July 31, 1997


Don't let hackers target your network

My June article, "Point-to-Point Tunneling Protocol," showed you how to build a Virtual Private Network (VPN) using Microsoft's Point-to-Point Tunneling Protocol (PPTP). By following the configuration outlined in that article, you can set up a Remote Access Service (RAS)/PPTP server on your network, and give your clients secure, encrypted access to your internal network via the Internet.

Now that you have implemented a PPTP solution, have you increased your network's security accordingly? If you haven't had a chance to re-evaluate your security policy, or if you are interested in making your network more secure, this article will give you some basic tips on how to protect your network from intrusions.

Reach Out and Touch Someone
As I mentioned in the June article, you can dial up your PPTP connection by using either an IP address or a fully qualified domain name in the phone number field of the Dial-Up Networking (DUN) dialog box. Fully qualified domain names simplify navigating and finding things on the Internet. This capability is great when you're surfing Web sites and other public systems. However, making things easier to find is not a desirable feature for your private network.

Let's say that you've just built a RAS/PPTP server for your users that has a public Internet address of 172.16.1.1 (this address is an example, and is not a valid public Internet address). To simplify configuring connections for your users, you create the fully qualified domain name PPTP.yourcompany.com and put this address into the Domain Name System (DNS) on the Internet, pointing to address 172.16.1.1.

DNS is the "phone book" of the Internet. By providing a name resolution service for anyone on the Internet, DNS lets you enter user-friendly names instead of IP numbers to connect to sites. For example, when you ask your browser to connect to http://www.winntmag.com, your PC--if it doesn't already know which IP address to use--sends a query to the DNS server defined in its TCP/IP configuration. The DNS server receives the query, "Hi, what number do I use to contact www.winntmag.com?" The server replies, "The IP number is 204.56.55.202."

As a result, DNS is more of a convenience than a necessity, and the Internet can technically function without it. All the computer needs to navigate the Internet is the correct IP address to establish a connection with. You can observe this connection by accessing Windows NT Magazine's home page by entering the IP address instead of its name. Point your browser to http://204.56.55.202, and watch the page load. Although this method works, no one wants to remember the IP addresses of all the Web sites they need, so DNS acts as a helpful human-oriented navigation tool.

Too Much of a Good Thing
Helpful, however, is not a good thing when your network has public access points. After all, you wouldn't request listings of your standard dial-up lines in your local white pages. Nevertheless, creating a descriptive DNS entry for your PPTP server amounts to the same type of thing. As a matter of fact, creating a descriptive entry is even worse, because this information is usually easier to find than phone book listings.

Suppose that I'm an unscrupulous hacker who wants to get into your network. Using publicly available records on the Internet and a correctly configured DNS server, I can find all the systems in your network that have associated DNS entries and their IP addresses. If I stumble across an entry called PPTP.yourcompany.com, this address gives me a significant clue as to what is waiting at that address, how to connect with that system, and what to expect once I've connected. Fortunately, most DNS servers will not surrender this information unless you configure them to do so.

After successfully negotiating a connection to your PPTP server, my final step is to find a username and password combination that lets me access your network. Having good internal security policies in place can help you deter this attack; the best security is not letting unauthorized users get to a point where they can attempt a logon validation. After all, you wouldn't let a complete stranger walk into your building, sit down at a PC, and start attempting logons, would you?

Conceal the Obvious
So how can you protect yourself from such attacks? Don't make a DNS entry for your PPTP server. Without a DNS entry, a hacker will have difficulty determining whether a certain IP address belongs to a server, workstation, printer, or some other device.

If you absolutely must create a DNS entry for the server, consider using an obscure name such as EARTH.yourcompany.com, or something that doesn't provide any clues as to the function of the device assigned to this address. To create confusion, people name their servers after planets, Santa's reindeer, the Seven Dwarfs, Star Trek characters, and so on. The more ambiguous the server name, the better.

For the public to access your Web site, you want to keep systems such as your Web server at www.yourcompany.com and your FTP server at ftp.yourcompany.com. However, anything that you don't want the general public to access needs to have an obscure name or no name (DNS entry) at all.

Play Dead
Configure the PPTP server to accept only PPTP packets: Select the Enable PPTP Filtering check box in the Advanced IP Addressing dialog box, as shown in Screen 1. If you select this option, your system will not respond to any ping or tracert packets, which makes that IP address look unused. A common routine for determining which systems are on a network is to do a net scan of a block of IP addresses and see which systems respond. If your PPTP server doesn't respond, a less-skilled hacker will breeze right past your system, leaving it untouched.

The flip side of the coin is that you won't be able to ping the PPTP server as part of routine troubleshooting. You will need to implement other methods of remotely troubleshooting that system (such as a standard dial-in port) so that you can check the server from inside your network.

Build Walls
Consider a firewall for your network if you are connecting it to the Internet. When you really want to get creative, you can buy two firewalls and build a Demilitarized Zone (DMZ). Such a zone of systems protected between two separate firewalls is shown in Figure 1. Although this option is more expensive than a single firewall, it is the most secure. Your public servers, such as your Web and FTP servers, sit between the two firewalls, open to the public but controlled by the first firewall. If an intruder breaches the security on the first firewall, the second firewall takes over. Security is usually tighter on the second firewall than on the first.

Private Property
Another method to protect your network is to use private network addresses for most of your internal network. The Internet Assigned Numbers Authority (IANA) has reserved several address ranges for corporations to use for their internal networks. These ranges (10.0.0.0 to 10.255.255.255, 172.16.0.0 to 172.31.255.255, and 192.168.0.0 to 192.168.255.255) are blocked at every router on the Internet, so no direct connections can exist between external systems and stations on your internal network. This method is great for protection, but it can be a hindrance for your users because the converse is also true--users can't connect to Web sites and FTP sites.

If you have a large network with an IP subnet infrastructure, changing to private IP addresses is no small task. However, if your organization isn't using TCP/IP yet, think about using private IP addresses for some or all of your internal network.
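The following script is an added example, not code from the article. It audits a public zone file for the two mistakes covered so far: descriptive hostnames that give away a device's role (the "Conceal the Obvious" advice) and A records that publish addresses from the three IANA private ranges listed above. The zone file, the list of role-revealing name fragments and the set of intentionally public names are constructed assumptions for the example.

```python
import ipaddress
import re

# Constructed sample of a public zone file (BIND style); not a real zone.
ZONE = """\
$ORIGIN yourcompany.com.
www        IN A 192.0.2.10
ftp        IN A 192.0.2.11
pptp       IN A 192.0.2.1
earth      IN A 192.0.2.3
fileserver IN A 10.0.0.5   ; internal address that should never be published
"""

# The three IANA private ranges the article lists (RFC 1597).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Hosts the public is meant to reach; the article keeps these names descriptive.
PUBLIC_OK = {"www", "ftp", "mail"}
# Name fragments that hint at a device's role (assumed list, not from the article).
FUNCTION_HINTS = ("pptp", "ras", "vpn", "dial", "proxy", "exch",
                  "sql", "pdc", "bdc", "file", "print", "backup")

A_RECORD = re.compile(r"^(\S+)\s+(?:\d+\s+)?IN\s+A\s+(\d+\.\d+\.\d+\.\d+)$", re.I)

def parse_a_records(zone_text):
    """Return (hostname, ip) pairs for the A records in a BIND-style zone file."""
    records = []
    for line in zone_text.splitlines():
        line = line.split(";", 1)[0].strip()      # drop trailing comments
        m = A_RECORD.match(line)
        if m:
            host = m.group(1).lower().rstrip(".")
            records.append((host, ipaddress.ip_address(m.group(2))))
    return records

def audit_zone(zone_text):
    """Flag records that give away a host's role or leak an internal address."""
    findings = []
    for host, ip in parse_a_records(zone_text):
        label = host.split(".")[0]
        if any(ip in net for net in PRIVATE_RANGES):
            findings.append((host, "private address published in public DNS"))
        if label not in PUBLIC_OK and any(h in label for h in FUNCTION_HINTS):
            findings.append((host, "name reveals the host's function"))
    return findings

if __name__ == "__main__":
    for host, problem in audit_zone(ZONE):
        print(f"{host}: {problem}")
```

Run it against an export of your own external zone; a name such as EARTH passes, while PPTP and any record pointing into 10.0.0.0/8 are reported.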

You will need to set up a proxy server or Network Address Translator (NAT) to handle all your Internet communications, such as Web browsing and FTP sessions. Microsoft's Proxy Server, an extension to Internet Information Server (IIS), is an excellent choice because it integrates directly into the NT security system to let you control outbound access based on username or group membership. Some leading firewall packages will also perform proxy services.

Any systems that need to reside in both the public and private world will need to have two network cards for communications. For example, an Exchange server running Internet Mail Server (Simple Mail Transfer Protocol--SMTP service) needs to communicate with the Internet as a whole on one network card, and with your internal network on the other card.

As a precaution, make sure that IP routing is disabled by selecting Control Panel, Networks and clicking on the Protocols tab. Open the properties for TCP/IP, and select the Routing tab. Verify that the check box for IP forwarding is not selected. For more information on private IP addresses, refer to InterNIC RFC 1597 at http://www.internic.net/rfc/rfc1597.txt.

Lock the Front Gate, but Don't Stop There
All of these methods will protect you on the outside. But, as I heard one firewall expert explain, strong external security with lax internal security will make your network "crunchy on the outside with a soft chewy center on the inside." A lack of internal security is equivalent to locking the front door of your house and leaving all the inside doors wide open. You assume that after someone has entered the front door, the visitor is trusted to roam the house freely. Obviously that's not a very safe assumption in networking.

As someone who is responsible for a network, you are probably very security conscious. However, in some organizations, I've seen security policies stretched or tossed aside in the name of ease-of-use for end users. Connecting your network to the Internet can be a good political opportunity to step up your security a few more notches.

Some of NT's basic security policies are necessary in your network. These policies include requiring password changes every 30 days to 45 days, enabling account lockouts, and demanding minimum password lengths. Additionally, increasing auditing to include failed logon attempts and security policy changes will help troubleshoot problems, but logging an event after it happens is a reactive step, not a proactive one. Clearly, you don't want to have to log any events if at all possible.

Next, secure your Guest account by disabling it. Unless you need this account, you have no reason for it to be active. Also, secure your Administrator account, but if your system is still prone to a RedButton attack (for more information about RedButton, see Mark Minasi, "NT Security Scares?," July 1997), an outsider (with no access whatsoever) will still be able to determine your Administrator account name, even if you have renamed it. You can block access to ports 137, 138, and 139 on any machines exposed to the Internet to help prevent this attack, and apply Service Pack 3 (SP3), which lets you restrict anonymous user access.
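Auditing failed logons is only useful if someone reads the result, so here is an added example (not from the article) of a small detector that does so. It reads a constructed Security log export, counts failed logons (NT event 529) per account and workstation against an assumed lockout threshold, and flags any attempt against the Guest account, which the article says should be disabled. The export format, the threshold and the window are assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample Security log export (simplified, assumed format):
# date time event-id user workstation. NT event 529 is a failed logon, 528 a success.
SECURITY_LOG = """\
1997-07-31 02:14:05 529 Administrator RASCLIENT7
1997-07-31 02:14:09 529 Administrator RASCLIENT7
1997-07-31 02:14:12 529 Administrator RASCLIENT7
1997-07-31 02:14:20 529 Guest RASCLIENT7
1997-07-31 02:14:33 529 Administrator RASCLIENT7
1997-07-31 02:14:40 529 Administrator RASCLIENT7
1997-07-31 09:01:10 529 jsmith WS-ACCT12
1997-07-31 09:01:30 528 jsmith WS-ACCT12
"""

FAILED_LOGON = 529
LOCKOUT_THRESHOLD = 5            # failures that should trigger lockout (assumed policy value)
WINDOW = timedelta(minutes=30)   # how long failures count toward the threshold
DISABLED_ACCOUNTS = {"guest"}    # accounts the article says to disable

def parse_log(text):
    """Parse the constructed export into (timestamp, event_id, user, workstation) tuples."""
    events = []
    for line in text.splitlines():
        date, time, event_id, user, station = line.split()
        events.append((datetime.fromisoformat(f"{date} {time}"), int(event_id), user, station))
    return events

def find_suspicious(text):
    """Return alerts for failure bursts and for any attempt against a disabled account."""
    alerts = []
    recent = defaultdict(list)   # (user, workstation) -> timestamps of recent failures
    for ts, event_id, user, station in parse_log(text):
        if event_id != FAILED_LOGON:
            continue
        if user.lower() in DISABLED_ACCOUNTS:
            alerts.append(f"attempt against disabled account {user} from {station}")
        key = (user, station)
        # keep only failures inside the window, then add this one
        recent[key] = [t for t in recent[key] if ts - t <= WINDOW] + [ts]
        if len(recent[key]) == LOCKOUT_THRESHOLD:
            alerts.append(f"{LOCKOUT_THRESHOLD} failed logons for {user} from {station} within {WINDOW}")
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(SECURITY_LOG):
        print(alert)
```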

Also, look at some of your service process accounts such as a replication user or a Microsoft Mail or Exchange service account. Although these accounts need a higher level of security in your system, they do not need Administrator rights.

You will probably want to obscure these account names. People use some common names for these accounts based on what they have read in NT books or Microsoft training classes. Do yourself a favor: be creative when naming your accounts. And by all means, do not let the password be the same as the username (don't laugh, I've seen this mistake at some very large organizations).

Take Security Seriously

Even if you follow all the steps I've listed, see the "Security Checklist," and have a myriad of firewalls protecting your network, you'll never achieve 100 percent security as long as you're connected to the Internet. If legitimate users can access the network from the outside, illegitimate users can get in--this fact is the nature of remote access. Your organization probably dealt with this issue (or should have) when you added dial-in lines to your network. For information about token-based security authentication systems, see Ben Rothke, "Token-Based Security Add-ons," June 1997.

With the recent security issues that NT has faced, unauthorized access into your network is something you don't want to take lightly. Be aware that some programs can pose a significant security risk for you and your network. As long as you keep a good internal and external security policy, monitor your event logs and firewall logs, and obscure system names, you will protect yourself from all but the most hardened of attackers.
