Thank you in advance for your help in this matter.
When Windows PPTP clients connect to a VPN server, they create a virtual interface that is added to the PC's routing table. Unless the user modifies this default route, all outbound traffic will be sent across the PPTP tunnel as long as the tunnel stays up. For example, here is part of a routing table before PPTP is connected:
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.100   192.168.1.15      30
Default Gateway:     192.168.1.100

Here is part of that same routing table after PPTP is connected and 192.168.2.1 is dynamically assigned to the VPN client:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.100   192.168.1.15      31
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.1       1
Default Gateway:       192.168.2.1
This new default route controls outbound traffic to everywhere except the local LAN. However, as you point out, it does not explicitly permit or deny inbound traffic like a "personal firewall" would.
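The route-selection rule behind the two tables above (longest matching prefix first, then lowest metric, which is why the tunnel's metric-1 default route beats the LAN's metric-31 one) can be checked mechanically. The following Python is an added example, not part of the original answer: it parses "route print"-style text (the two excerpts are reproduced here as constructed sample input, with a LAN route added), reports which default route is in effect, and resolves where a given destination would be sent. It is a useful audit for confirming that a remote worker's traffic really is going through the tunnel.

```python
import ipaddress
import re
from typing import Dict, List, Optional

Route = Dict[str, object]

# Constructed sample input modelled on Windows 2000/XP "route print" output.
# The 192.168.1.0/24 entry is added to show the local-LAN exception.
BEFORE_PPTP = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.100   192.168.1.15      30
      192.168.1.0    255.255.255.0     192.168.1.15   192.168.1.15      30
Default Gateway:     192.168.1.100
"""

AFTER_PPTP = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0    192.168.1.100   192.168.1.15      31
          0.0.0.0          0.0.0.0      192.168.2.1    192.168.2.1       1
      192.168.1.0    255.255.255.0     192.168.1.15   192.168.1.15      31
Default Gateway:       192.168.2.1
"""

# One IPv4 route line: destination, netmask, gateway, interface, metric.
# The gateway column is \S+ so that later Windows versions' "On-link" also parses.
ROUTE_RE = re.compile(
    r"^\s*(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\S+)\s+"
    r"(\d+\.\d+\.\d+\.\d+)\s+(\d+)\s*$"
)


def parse_routes(route_print: str) -> List[Route]:
    """Extract the IPv4 route entries from a block of 'route print' text."""
    routes: List[Route] = []
    for line in route_print.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gateway, iface, metric = m.groups()
            routes.append({"dest": dest, "mask": mask, "gateway": gateway,
                           "interface": iface, "metric": int(metric)})
    return routes


def default_routes(routes: List[Route]) -> List[Route]:
    """All 0.0.0.0/0 entries; more than one means several candidate defaults."""
    return [r for r in routes if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0"]


def effective_default(routes: List[Route]) -> Optional[Route]:
    """Among equal-prefix default routes the lowest metric wins."""
    defaults = default_routes(routes)
    return min(defaults, key=lambda r: r["metric"]) if defaults else None


def tunnel_is_default(routes: List[Route], vpn_address: str) -> bool:
    """True when the VPN-assigned address owns the winning default route."""
    eff = effective_default(routes)
    return eff is not None and eff["interface"] == vpn_address


def route_for(routes: List[Route], destination: str) -> Optional[Route]:
    """Longest-prefix match, then lowest metric: the host's forwarding decision."""
    dst = ipaddress.IPv4Address(destination)
    best = None
    for r in routes:
        net = ipaddress.IPv4Network((r["dest"], r["mask"]), strict=False)
        if dst in net:
            key = (net.prefixlen, -int(r["metric"]))
            if best is None or key > best[0]:
                best = (key, r)
    return best[1] if best else None


if __name__ == "__main__":
    for label, text in (("before", BEFORE_PPTP), ("after", AFTER_PPTP)):
        routes = parse_routes(text)
        eff = effective_default(routes)
        print(f"{label}: default via {eff['gateway']} on {eff['interface']} "
              f"(metric {eff['metric']}), "
              f"full tunnel: {tunnel_is_default(routes, '192.168.2.1')}")
        # 198.51.100.7 is a documentation-range address used as a constructed Internet host.
        for host in ("192.168.1.50", "198.51.100.7"):
            print(f"  {host} -> interface {route_for(routes, host)['interface']}")
```

Run against a live capture, the same functions tell you whether a user has re-pointed the default route (split tunneling) or whether the tunnel's route has disappeared after a drop, the two conditions a desktop-firewall policy for remote workers usually cares about.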
Windows 2000, Windows XP Pro, and *NIX operating systems all include firewalling features. For example, Windows XP Pro incorporates a very basic Internet Connection Firewall (ICF). To enable ICF, go to the Advanced tab of any Internet-facing network connection, check the box labeled "Protect my computer and network by limiting or preventing access to this computer from the Internet", then click the "Settings" button. You will see three tabs that configure the open listening ports for services running on the PC (FTP, HTTP, etc.), whether the PC will listen to or send ICMP (ping, redirect, etc.), and whether the PC will log connections and/or dropped packets. However, Microsoft recommends against enabling ICF on VPN connections because it interferes with the tunneling protocol used by PPTP.
Another option is third-party personal firewall software like ISS BlackICE, InfoExpress CyberArmor, Sygate Personal Firewall Pro, Symantec Norton Personal Firewall, and Zone Labs Zone Alarm Pro. All of these are commercial products, but the basic Zone Alarm and Sygate firewalls are available for free to individuals for personal use. You'll need to tweak the firewall configuration to permit PPTP - for example, by adding the PPTP server to ZoneAlarm's Local Zone.
Many personal firewalls can be used by themselves, configured by the end user on just one computer. However, the firewall "agents" which underlie the products listed above can also be centrally configured for deployment to remote workers. For example, ISS RealSecure Desktop Protector is BlackICE firewall software running on each desktop, configured and monitored by an ICEcap Manager back at the NOC. Another example is the Zone Labs Integrity desktop client, integrated with the VPN client used by Cisco 3000 VPN Concentrators and supervised by a central, Java-based Zone Labs Integrity server. Of course, these enterprise desktop firewall suites are not free - they all require some investment in both software licenses and administration.
This question was answered by Lisa Phifer.
This was first published in September 2002