Working with an ISP, we recently deployed Comtrend VDSL routers and Alcatel-Lucent GPON ONTs. Both of these devices use chipsets made by Broadcom, and as such probably use the same underlying Broadcom operating system, if I had to guess. They are different chipsets though, as one is for VDSL2 and the other for GPON.
By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs enabled:
FTP H323 IPSec IRC PPTP RTSP SIP TFTP
On the Alcatel-Lucent (Nokia) ONT, the following came enabled by default from the factory:
FTP H323 IPSEC L2TP PPTP RTSP SIP TFTP
The only difference between these two is that the Comtrend has IRC as an ALG, and Alcatel has L2TP as a protocol type. The other seven ALG protocols are the same.
My question is, in general, is it a good idea to disable all Application Layer Gateways?
The only ALG I have had experience with was a SIP ALG. Almost all SIP providers strongly recommend you disable SIP ALGs, as they do more harm and break more things than they do good, so we always disable SIP ALG. But what about the other protocols on these two? Do you think they should be enabled or disabled by default?
I am leaning towards disabling them all for our standard config.
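The SIP ALG breakage mentioned above has a concrete, observable shape. The following Python is an added illustration, not code from this thread or from either CPE vendor; every address, SIP header value and SDP field in it is a constructed sample. It models an INVITE as a phone behind NAT sends it, a sloppy ALG that rewrites the private address everywhere in the datagram without touching Content-Length, a careful rewrite that fixes the length and matches whole addresses only, and the consistency check an operator can run on a captured message to tell the two apart.

```python
"""Toy model of what a SIP ALG does to a NATed INVITE, plus the consistency
check an operator can run on a captured message to see whether something in
the path rewrote the SDP body without fixing Content-Length.

Added illustration; not code from the thread or from either CPE vendor.
All addresses and SIP identifiers below are constructed sample values.
"""
import re

PRIVATE_IP = "192.168.1.10"   # constructed: phone's LAN address behind the CPE NAT
PUBLIC_IP = "203.0.113.5"     # constructed: CPE's WAN address


def build_message(start_line, headers, body):
    """Assemble a SIP message, deriving Content-Length from the real body size."""
    kept = [h for h in headers
            if h.split(":", 1)[0].strip().lower() not in ("content-length", "l")]
    kept.append(f"Content-Length: {len(body.encode())}")
    return start_line + "\r\n" + "\r\n".join(kept) + "\r\n\r\n" + body


def split_message(raw):
    """Return (start line, header lines, body); SIP separates head and body with a blank line."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        raise ValueError("no header/body separator in message")
    lines = head.split("\r\n")
    return lines[0], lines[1:], body


def content_length_status(raw):
    """(declared Content-Length, actual body length). A mismatch means something
    edited the body in flight without updating the header, a classic ALG symptom."""
    _, headers, body = split_message(raw)
    declared = None
    for h in headers:
        name, _, value = h.partition(":")
        if name.strip().lower() in ("content-length", "l"):  # 'l' is the compact form
            declared = int(value.strip())
    return declared, len(body.encode())


def naive_alg_rewrite(raw, private_ip, public_ip):
    """Models a sloppy ALG: blind find-and-replace over the whole datagram.
    The SDP shrinks or grows, but Content-Length is left as the phone sent it."""
    return raw.replace(private_ip, public_ip)


def careful_alg_rewrite(raw, private_ip, public_ip):
    """Rewrite only whole-address matches and recompute Content-Length."""
    start, headers, body = split_message(raw)
    # Whole-token match so 192.168.1.10 never matches inside 192.168.1.100.
    pattern = re.compile(r"(?<![\d.])" + re.escape(private_ip) + r"(?![\d.])")
    start = pattern.sub(public_ip, start)
    headers = [pattern.sub(public_ip, h) for h in headers]
    body = pattern.sub(public_ip, body)
    return build_message(start, headers, body)


# Constructed sample INVITE as a phone behind NAT would send it.
SAMPLE_HEADERS = [
    f"Via: SIP/2.0/UDP {PRIVATE_IP}:5060;branch=z9hG4bK776asdhds",
    "From: Alice <sip:alice@example.org>;tag=1928301774",
    "To: Bob <sip:bob@example.net>",
    "Call-ID: a84b4c76e66710@phone.example.org",
    "CSeq: 314159 INVITE",
    f"Contact: <sip:alice@{PRIVATE_IP}:5060>",
    "Content-Type: application/sdp",
]
SAMPLE_BODY = (
    "v=0\r\n"
    f"o=alice 2890844526 2890844526 IN IP4 {PRIVATE_IP}\r\n"
    f"c=IN IP4 {PRIVATE_IP}\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = build_message("INVITE sip:bob@example.net SIP/2.0", SAMPLE_HEADERS, SAMPLE_BODY)


if __name__ == "__main__":
    for label, msg in [
        ("as sent by phone", SAMPLE_INVITE),
        ("after sloppy ALG", naive_alg_rewrite(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP)),
        ("after careful ALG", careful_alg_rewrite(SAMPLE_INVITE, PRIVATE_IP, PUBLIC_IP)),
    ]:
        declared, actual = content_length_status(msg)
        verdict = "ok" if declared == actual else "MANGLED"
        print(f"{label:18s} Content-Length declared={declared} actual={actual} -> {verdict}")
```

Run as a script it prints the declared and actual body lengths for each version. On a real registrar, a declared-versus-actual mismatch on INVITEs arriving from a customer is a quick tell that an ALG on that customer's CPE is in the path, and is worth checking before deciding what the standard config should enable.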
On Thu, Sep 21, 2017 at 8:12 PM Colton Conor <colton.conor@gmail.com> wrote:
Working with an ISP, we recently deployed Comtrend VDSL routers and Alcatel-Lucent GPON ONTs. Both of these devices use chipsets made by Broadcom, and as such probably use the same underlying Broadcom operating system, if I had to guess. They are different chipsets though, as one is for VDSL2 and the other for GPON.
By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs enabled:
FTP H323 IPSec IRC PPTP RTSP SIP TFTP
On the Alcatel-Lucent (Nokia) ONT, the following came enabled by default from the factory:
FTP H323 IPSEC L2TP PPTP RTSP SIP TFTP
The only difference between these two is that the Comtrend has IRC as an ALG, and Alcatel has L2TP as a protocol type. The other seven ALG protocols are the same.
My question is, in general, is it a good idea to disable all Application Layer Gateways?
Yes. ALGs are frequently too smart for their own good.
The only ALG I have had experience with was a SIP ALG. Almost all SIP providers strongly recommend you disable SIP ALGs, as they do more harm and break more things than they do good, so we always disable SIP ALG. But what about the other protocols on these two? Do you think they should be enabled or disabled by default?
I am leaning towards disabling them all for our standard config.
So you do recommend we disable them all? Just not sure why big vendors like Alcatel and Comtrend would have them enabled by default if they do more harm than good?
On Thu, Sep 21, 2017 at 11:02 PM, Ca By <cb.list6@gmail.com> wrote:
On Sat, Sep 23, 2017 at 7:13 AM Colton Conor <colton.conor@gmail.com> wrote:
So you do recommend we disable them all?
Yes. A good rule of thumb is to turn off any feature you do not need. If you find customers complain, you can turn it on one by one. The reverse is not true: once the ALG is on, you will be afraid you might break something if you turn it off.
Just not sure why big vendors like Alcatel and Comtrend would have them enabled by default if they do more harm than good?
Turns out vendors focus on building and selling gear but are not experienced in running networks.
On 09/23/2017 07:47 AM, Ca By wrote:
On Sat, Sep 23, 2017 at 7:13 AM Colton Conor <colton.conor@gmail.com> wrote:
Just not sure why big vendors like Alcatel and Comtrend would have them enabled by default if they do more harm than good?
Turns out vendors focus on building and selling gear but are not experienced in running networks.
I don't have any quarrel with your statement about experience with running networks, but I would surmise the real reason is the same one that caused Microsoft to turn on so much Bad Stuff(tm) in Windows by default: reduction in tech support calls.
How many times have you read a manual cover-to-cover for a new piece of equipment before doing ANYTHING with it? Especially when the manual is on CD-ROM, and the PDFs take up about 500 MB of the 700 MB of available space.
I have yet to find a piece of network gear that has a "cheat sheet" that bullet-lists all the options (and perhaps a 25-word description) and where in the manual to find how to turn it on/off. Even better would be a collection of canned configuration files, from "absolute minimum" (EVERYTHING turned off) to "all the bells and whistles enabled". Note that this corresponds to the concept of "mostly closed" firewalls and "mostly open" firewalls. I've seen model configuration files in Unix/Linux where all the defaults (which constitute an absolute minimum of turned-on options) are shown in comments, so that you can just go through the config and turn on exactly what you need.
What you do with the CPE "firewall" settings depends on what sort of ISP you are. Do you cater to geeks or aunts/grandmothers?
Whatever you do, I would suggest that you document in a place that is easy for customers to find exactly what apps/protocols are open/closed with the settings you've decided on (especially if it deviates from any documentation available on the net for that device).
You could consider configuring it by default to protect the aunts and grandmothers, but make sure geeks get the info on how to easily open ports for their apps.
Also depends on what you block at the network level. If you block all incoming calls to port 25, then blocking it at the CPE router won't add much resilience against attacks, as it is already blocked.
participants (4)
- Ca By
- Colton Conor
- Jean-Francois Mezei
- Stephen Satchell