LANCOM Systems recommends deactivating unused "Application Layer Gateways" (ALG), also with regard to security vulnerabilities such as "NAT Slipstream", or restricting communication between the ALGs.
This article describes which ALGs run on LCOS devices and how to deactivate or restrict these.
Before deactivating or restricting the ALGs, check whether your software is using any of the associated protocols.
FTP ALG:
The FTP ALG cannot be deactivated. However, the behavior can be changed so that the ALG has no port open for incoming communications, as would be the case with "Active FTP" or with FXP. Although this parameter can also be set via LANconfig or in the configuration tree in WEBconfig, the description there is slightly misleading. LANCOM Systems recommends you carry out the configuration via the console or via the LCOS menu tree in WEBconfig.
Via CLI:
Use SSH to connect to the device command-line interface (CLI) and enter the following command:
set Setup/IP-Router/Firewall/Applications/FTP/FTP-Block off ; set Setup/IP-Router/Firewall/Applications/FTP/Active-FTP-Block always ; set Setup/IP-Router/Firewall/Applications/FTP/FXP-Block always
These parameters are explained in the With WEBconfig section.
With WEBconfig:
1) Open the menu Extras → LCOS Menu Tree → Setup → IP router → Firewall → Applications → FTP.
2) Open the parameter Active-FTP-Block, select the drop-down menu option always and click on Send. This prevents the use of communications via active FTP and only allows the use of passive FTP.
3) Open the parameter FTP-Block and make sure the option is set to off. This means that FTP communication is generally possible.
4) Open the parameter FXP-Block, select the drop-down menu option always and click on Send. FXP (file exchange protocol) supports both active and passive communication and therefore needs to be blocked (also see Active-FTP-Block).
H.323 ALG:
Via CLI:
Connect to the device CLI via SSH and enter the following command:
set Setup/IP-Router/Firewall/Applications/H.323/H.323-Support no
With WEBconfig:
1) Open the menu Extras → LCOS Menu Tree → Setup → IP router → Firewall → Applications → H.323.
2) Open the parameter H.323-Support, select the drop-down menu option no and click on Send. This deactivates the H.323 ALG.
IRC ALG:
The IRC ALG cannot be deactivated. However, the behavior can be changed so that the ALG has no port open for incoming communications, as is the case with communication via DCC. For historical reasons, the name in LCOS is DDC and not DCC. Although this parameter can also be set via LANconfig or in the configuration tree in WEBconfig, the description there is slightly misleading. LANCOM Systems recommends you carry out the configuration via the console or via the LCOS menu tree in WEBconfig.
Via CLI:
Use SSH to connect to the device command-line interface (CLI) and enter the following command:
set Setup/IP-Router/Firewall/Applications/IRC/IRC-Block off ; set Setup/IP-Router/Firewall/Applications/IRC/DDC-Block always
These parameters are explained in the With WEBconfig section.
With WEBconfig:
1) Open the menu Extras → LCOS Menu Tree → Setup → IP router → Firewall → Applications → IRC.
2) Open the parameter DDC-Block, select the drop-down menu option always and click on Send. This prevents direct communication between two IRC clients via DCC (Direct Client-to-Client).
3) Open the parameter IRC-Block and make sure the option is set to off. This means that IRC communication is generally possible.
SIP ALG:
With LANconfig:
In LANconfig, switch to the menu Miscellaneous Services → Services and make sure that the checkbox for SIP-ALG activated is not checked.
With WEBconfig:
In WEBconfig, switch to the menu Configuration → Miscellaneous Services → Services and make sure that the checkbox for SIP-ALG activated is not checked.
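After applying the CLI settings from the FTP, H.323 and IRC sections, it is worth verifying that the device really holds the intended values, especially when the change is rolled out to several routers. The following shell script is an added example and not LANCOM tooling: it audits a captured listing of the ALG parameters against the values this article sets. It assumes that the LCOS CLI command ls <path> prints each parameter as "<Name> VALUE: <value>" (adapt the awk pattern if your device prints it differently); the sample listings in the script are constructed, and the value "no" in the non-hardened sample is a placeholder, not the LCOS default.

```shell
#!/bin/sh
# Added example (not LANCOM's own tooling): audit a captured LCOS CLI
# listing of the ALG parameters against the values this article sets.
#
# Assumption: "ls <path>" on the LCOS CLI prints one parameter per line as
#   <Name>   VALUE: <value>
# Adapt the awk pattern in check_alg_listing if your device differs.

# check_alg_listing LISTING NAME=VALUE [NAME=VALUE ...]
# Prints one line per deviation and returns 1 if any parameter is missing
# or has a different value; returns 0 when every expected value is present.
check_alg_listing() {
    listing="$1"
    shift
    check_rc=0
    for pair in "$@"; do
        name="${pair%%=*}"
        want="${pair#*=}"
        got=$(printf '%s\n' "$listing" |
              awk -v n="$name" '$1 == n && $2 == "VALUE:" { print $3; exit }')
        if [ -z "$got" ]; then
            echo "MISSING  $name (expected $want)"
            check_rc=1
        elif [ "$got" != "$want" ]; then
            echo "MISMATCH $name = $got (expected $want)"
            check_rc=1
        fi
    done
    return "$check_rc"
}

# audit_alg_config FTP_LISTING H323_LISTING IRC_LISTING
# Checks the article's recommended values for the three CLI-configured ALGs:
#   FTP:   FTP-Block=off, Active-FTP-Block=always, FXP-Block=always
#   H.323: H.323-Support=no
#   IRC:   IRC-Block=off, DDC-Block=always
audit_alg_config() {
    audit_rc=0
    check_alg_listing "$1" FTP-Block=off Active-FTP-Block=always FXP-Block=always || audit_rc=1
    check_alg_listing "$2" H.323-Support=no || audit_rc=1
    check_alg_listing "$3" IRC-Block=off DDC-Block=always || audit_rc=1
    return "$audit_rc"
}

# Constructed sample listings (not real device output). The hardened ones
# reflect the article's settings; the non-hardened FTP sample uses the
# placeholder value "no" to show how a deviation is reported.
FTP_HARDENED='FTP-Block            VALUE: off
Active-FTP-Block     VALUE: always
FXP-Block            VALUE: always'
H323_HARDENED='H.323-Support        VALUE: no'
IRC_HARDENED='IRC-Block            VALUE: off
DDC-Block            VALUE: always'
FTP_NOT_HARDENED='FTP-Block            VALUE: off
Active-FTP-Block     VALUE: no
FXP-Block            VALUE: no'

# On a real device, capture the output of
#   ls Setup/IP-Router/Firewall/Applications/FTP   (and .../H.323, .../IRC)
# from your SSH session into files and call:
#   audit_alg_config "$(cat ftp.txt)" "$(cat h323.txt)" "$(cat irc.txt)"

if audit_alg_config "$FTP_HARDENED" "$H323_HARDENED" "$IRC_HARDENED"; then
    echo "hardened sample: all ALG parameters match the recommendation"
fi
audit_alg_config "$FTP_NOT_HARDENED" "$H323_HARDENED" "$IRC_HARDENED" ||
    echo "non-hardened sample: deviations listed above"
```

The audit deliberately treats a missing parameter as a failure rather than skipping it, so a firmware or path change that silently drops a parameter from the listing is noticed instead of passing as "no mismatch".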