Problem solve Get help with specific problems with your technologies, process and projects.

VPNs and personal firewalls

We're thinking about using the PPTP VPN client because it's cheap and it doesn't require client installation, but what makes me wonder is the matter of personal firewalling. I believe the PPTP client doesn't include a Firewall, but I can make some IP restrictions in my VPN server so that no traffic is sent or received from the VPN client to the server with a destination or source IP address, respectively, other than the VPN client's one. That's not enough of a firewalling now, is it? Can I administer remotely the client's filters with no additional cost? What are my choices?

Thank you in advance for your help in this matter.
Best regards,
When Windows PPTP clients connect to a VPN server, they create a virtual interface that is added to the PC's routing table. Unless the user modifies this default route, all outbound traffic will be sent across the PPTP tunnel as long as the tunnel stays up. For example, here is part of a routing table before PPTP is connected:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
Default Gateway:

Here is part of that same routing table after PPTP is connected and is dynamically-assigned to the VPN client:

Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
Default Gateway:

This new default route controls outbound traffic to everywhere except the local LAN. However, as you point out, it does not explicitly permit or deny inbound traffic like a "personal firewall" would.

Windows 2000, Windows XP Pro, and *NIX operating systems all include firewalling features. For example, Windows XP Pro incorporates a very basic Internet Connection Firewall (ICF). To enable ICF, go to the Advanced tab of any Internet-facing network connection, check the box labeled "Protect my computer and network by limiting or preventing access to this computer from the Internet", then click the "Settings" button. You will see three tabs that configure the open listening ports for services running on the PC (FTP, HTTP, etc), whether the PC will listen to or send ICMP (ping, redirect, etc), and whether the PC will log connections and/or dropped packets. However, Microsoft recommends against enabling ICF on VPN connections because it interferes with the tunneling protocol used by PPTP.

Another option is third-party personal firewall software like ISS BlackICE, InfoExpress CyberArmor, Sygate Personal Firewall Pro, Symantec Norton Personal Firewall, and Zone Labs Zone Alarm Pro. All of these are commercial products, but the basic Zone Alarm and Sygate firewalls are available for free to individuals for personal use. You'll need to tweak the firewall configuration to permit PPTP - for example, by adding the PPTP server to ZoneAlarm's Local Zone.

Many personal firewalls can be used by themselves, configured by the end user on just one computer. However, the firewall "agents" which underly the products listed above can also be centrally-configured for deployment to remote workers. For example, ISS RealSecure Desktop Protector is BlackICE firewall software running on each desktop, configured and monitored by an ICEcap Manager back at the NOC. Another example is the Zone Labs Integrity desktop client, integrated with the VPN client used by Cisco 3000 VPN Concentrators, supervised by a central Zone Labs' Java-based Integrity server. Of course, these enterprise desktop firewall suites are not free - they all require some investment in both software licenses and administration.

This question was answered by Lisa Phifer.

This was last published in September 2002

Dig Deeper on Network Administration

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.