Application Layer Gateways

• Previous message (by thread): Application Layer Gateways
• Next message (by thread): Application Layer Gateways
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Sat, Sep 23, 2017 at 7:13 AM Colton Conor <colton.conor at gmail.com> wrote:

> So you do recommend we disable them all?
>

Yes. A good rule of thumb is to turn off any feature you do not need.  If
you find customers complain, you can turn it on one by one.

The reverse is not true, once the ALG is on you will be affraid you might
break something if you turn it off


Just not sure why big vendors like Alcatel and Comtrend would have them
> enabled by default if they do more harm than good?
>

Turns out vendors focus on building and selling gear but are not
experienced in running networks


> On Thu, Sep 21, 2017 at 11:02 PM, Ca By <cb.list6 at gmail.com> wrote:
>
>>
>> On Thu, Sep 21, 2017 at 8:12 PM Colton Conor <colton.conor at gmail.com>
>> wrote:
>>
>>> Working with an ISP, we recently deployed Comtrend VDSL routers, and
>>> Alcatel-Lucent GPON ONTs. Both of these devices uses chipsets made by
>>> Broadcom, and as such probably use the same underlying Broadcom operating
>>> system if I had to guess. They are different chipsets though as one is
>>> from
>>> VDSL2, and the other for GPON
>>>
>>> By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs
>>> enabled:
>>>
>>> FTP
>>> H323
>>> IPSec
>>> IRC
>>> PPTP
>>> RTSP
>>> SIP
>>> TFTP
>>>
>>> On the Acatel-Lucent (Nokia) ONT, the following came enabled by default
>>> from the factory:
>>>
>>> FTP
>>> H323
>>> IPSEC
>>> L2TP
>>> PPTP
>>> RTSP
>>> SIP
>>> TFTP
>>>
>>>
>>> The only difference between these two is the Comtrend has an IRC as a
>>> ALG,
>>> and Acatel has L2TP as a protocol type. The other seven ALG protocols as
>>> the same.
>>>
>>> My question is in general, is it a good idea to disable all Application
>>> Layer Gateways?
>>>
>>
>> Yes. ALG are frequently too smart for their own good.
>>
>>
>>
>>> The only ALG I have had experience with was a SIP ALG. Almost all SIP
>>> providers strongly recommend you disable SIP ALGs as it does more harm
>>> and
>>> breaks more things than it does good, so we always disable SIP ALG. But
>>> what about the other protocols on these two? Do you think they should be
>>> enabled or disabled by default?
>>>
>>> I am leaning towards disabling them all for our standard config.
>>>
>>
>

• Previous message (by thread): Application Layer Gateways
• Next message (by thread): Application Layer Gateways
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]