Application Layer Gateways

Working with an ISP, we recently deployed Comtrend VDSL routers, and
Alcatel-Lucent GPON ONTs. Both of these devices use chipsets made by
Broadcom, and as such probably use the same underlying Broadcom operating
system, if I had to guess. They are different chipsets though, as one is for
VDSL2 and the other for GPON.

By default, the Comtrend had the following Firewall -- ALG/Pass-Throughs
enabled:

FTP
H323
IPSec
IRC
PPTP
RTSP
SIP
TFTP

On the Alcatel-Lucent (Nokia) ONT, the following came enabled by default
from the factory:

FTP
H323
IPSEC
L2TP
PPTP
RTSP
SIP
TFTP

The only difference between these two is that the Comtrend has IRC as an ALG,
and Alcatel has L2TP as a protocol type. The other seven ALG protocols are
the same.

My question is in general, is it a good idea to disable all Application
Layer Gateways?

The only ALG I have had experience with was a SIP ALG. Almost all SIP
providers strongly recommend you disable SIP ALGs as it does more harm and
breaks more things than it does good, so we always disable SIP ALG. But
what about the other protocols on these two? Do you think they should be
enabled or disabled by default?

I am leaning towards disabling them all for our standard config.
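A way to check whether a CPE's SIP ALG is actually rewriting traffic, added here as an example and not code from the thread: capture the same INVITE on the LAN side and at the far end and diff the fields an ALG touches. The SIP message, the LAN address 192.168.1.20 and the WAN address 203.0.113.7 are constructed for the example.

```python
# Capture the same SIP INVITE as sent from the LAN and as received at the far
# end, then list the fields rewritten in transit. A NAT that does not inspect
# SIP leaves the payload intact; a SIP ALG rewrites Via/Contact and SDP c=/m=.
WATCHED_HEADERS = ("via", "contact")

def split_sip(message: str):
    """Return (headers, body). Header names are lower-cased; repeated headers
    (e.g. several Via lines) are kept in order as a list."""
    head, _, body = message.replace("\r\n", "\n").partition("\n\n")
    headers = {}
    for line in head.split("\n")[1:]:  # skip the request line
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers, body

def sdp_lines(body: str, prefix: str):
    """All SDP lines starting with the given prefix ("c=" or "m="), in order."""
    return [ln for ln in body.splitlines() if ln.startswith(prefix)]

def alg_rewrites(sent: str, received: str) -> dict:
    """Map each rewritten field to (as_sent, as_received); empty dict => no ALG."""
    s_hdr, s_body = split_sip(sent)
    r_hdr, r_body = split_sip(received)
    diffs = {}
    for name in WATCHED_HEADERS:
        if s_hdr.get(name, []) != r_hdr.get(name, []):
            diffs[name] = (s_hdr.get(name, []), r_hdr.get(name, []))
    for prefix in ("c=", "m="):
        if sdp_lines(s_body, prefix) != sdp_lines(r_body, prefix):
            diffs["sdp " + prefix] = (sdp_lines(s_body, prefix),
                                      sdp_lines(r_body, prefix))
    return diffs

# Constructed sample: INVITE as sent by a phone on the LAN (192.168.1.20) and
# the copy that reached the provider after an ALG rewrote address and RTP port.
SENT = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\nc=IN IP4 192.168.1.20\r\nm=audio 10000 RTP/AVP 0\r\n"
)
RECEIVED = SENT.replace("192.168.1.20", "203.0.113.7").replace("10000", "40000")

if __name__ == "__main__":
    for field, (a, b) in alg_rewrites(SENT, RECEIVED).items():
        print(f"{field}: {a} -> {b}")
```

If the two captures differ only in IP headers and the SIP payload is byte-for-byte identical, the device is doing plain NAT and the ALG is not in the path.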


Yes. ALGs are frequently too smart for their own good.

So you do recommend we disable them all? Just not sure why big vendors like
Alcatel and Comtrend would have them enabled by default if they do more
harm than good?

So you do recommend we disable them all?

Yes. A good rule of thumb is to turn off any feature you do not need. If
you find customers complain, you can turn it on one by one.

The reverse is not true: once the ALG is on you will be afraid you might
break something if you turn it off.

Just not sure why big vendors like Alcatel and Comtrend would have them
enabled by default if they do more harm than good?

Turns out vendors focus on building and selling gear but are not
experienced in running networks.

I don't have any quarrel with your statement about experience with
running networks, but I would surmise the real reason is that same one
that caused Microsoft to turn on so much Bad Stuff(tm) in Windows by
default: reduction in tech support calls.

How many times have you read a manual cover-to-cover for a new piece of
equipment before doing ANYTHING with it? Especially when the manual is
on CD-ROM, and the PDFs take up about 500 MB of the 700 MB of available
space.

I have yet to find a piece of network gear that has a "cheat sheet" that
bullet-lists all the options (and perhaps a 25-word description) and
where in the manual to find how to turn it on/off.

Even better would be a collection of canned configuration files, from
"absolute minimum" (EVERYTHING turned off) to "all the bells and
whistles enabled". Note that this corresponds to the concept of "mostly
closed" firewalls and "mostly open" firewalls.

I've seen model configuration files in Unix/Linux where all the defaults
(which constitutes an absolute minimum of turned-on options) are shown
in comments, so that you can just go through the config and turn on
exactly what you need.

What you do with the CPE "firewall" settings depends on what sort of
ISP you are. Do you cater to geeks or aunts/grandmothers?

Whatever you do, I would suggest that you document, in a place that is
easy for customers to find, exactly what apps/protocols are open/closed
with the settings you've decided on (especially if it deviates from any
documentation available on the net for that device).

You could consider configuring it by default to protect the aunts and
grandmothers, but make sure geeks get the info on how to easily open
ports for their apps.

Also depends on what you block at the network level. If you block all
incoming calls to port 25, then blocking it at the CPE router won't add
much resilience against attacks as it is already blocked.