Application Layer Gateways

Ca By cb.list6 at gmail.com
Fri Sep 22 04:02:01 UTC 2017


On Thu, Sep 21, 2017 at 8:12 PM Colton Conor <colton.conor at gmail.com> wrote:

> Working with an ISP, we recently deployed Comtrend VDSL routers, and
> Alcatel-Lucent GPON ONTs. Both of these devices use chipsets made by
> Broadcom, and as such probably use the same underlying Broadcom operating
> system, if I had to guess. They are different chipsets though, as one is for
> VDSL2 and the other for GPON.
>
> By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs
> enabled:
>
> FTP
> H323
> IPSec
> IRC
> PPTP
> RTSP
> SIP
> TFTP
>
> On the Alcatel-Lucent (Nokia) ONT, the following came enabled by default
> from the factory:
>
> FTP
> H323
> IPSEC
> L2TP
> PPTP
> RTSP
> SIP
> TFTP
>
>
> The only difference between these two is the Comtrend has IRC as an ALG,
> and Alcatel has L2TP as a protocol type. The other seven ALG protocols are
> the same.
>
> My question is, in general: is it a good idea to disable all Application
> Layer Gateways?
>

Yes. ALGs are frequently too smart for their own good.

> The only ALG I have had experience with was a SIP ALG. Almost all SIP
> providers strongly recommend you disable SIP ALGs as it does more harm and
> breaks more things than it does good, so we always disable SIP ALG. But
> what about the other protocols on these two? Do you think they should be
> enabled or disabled by default?
>
> I am leaning towards disabling them all for our standard config.
>
