Rule:

--
Sid:
2044

--
Summary:
The Point to Point Tunneling Protocol (PPTP) is used to connect client 
machines to internal corporate resources using a Virtual Private Network
(VPN) across a public network such as the Internet via an encrypted 
session.


--
Impact:
Possible loss of data from an internal network to an unknown external 
source.

--
Detailed Information:
internal resource to an unknown external source. This may be an 
indication of an attempt to initialize an encrypted session for 
nefarious purposes.

An internal user may try to use an encrypted tunnel to evade possible 
detection when transferring files from an internal resource to an 
unauthorized eternal party.

--
Affected Systems:
All systems allowing PPTP connections from an internal to external 
source.

--
Attack Scenarios:
The user only needs to initiate a connection to an external source.

--
Ease of Attack:
Simple

--
False Positives:
None Known

--
False Negatives:
None Known

--
Corrective Action:
Disallow PPTP transactions from the internal LAN to external sources.

--
Contributors:
Sourcefire Research Team
Brian Caswell <bmc@sourcefire.com>
Nigel Houghton <nigel.houghton@sourcefire.com>

--
Additional References:

--
