Mask authentication port

Concealing TCP or UDP ports can mean that requests from servers (e.g. mail servers) that try to authenticate a user via the ident service are no longer answered correctly. The request from the server runs into a timeout, and the delivery of the mail is delayed considerably.

Even with TCP stealth mode enabled, the firewall detects a station's intention to connect to a mail server. The port required for the authentication request is then opened briefly (for 20 seconds).

This behavior of the firewall in TCP stealth mode can be suppressed specifically with the parameter “Always mask authentication port too”.

Note: Activating the option “Always mask authentication port too” can lead to considerable delays in sending and receiving e-mails or news.

A mail or news server that first requests additional information about the user runs into a disturbing timeout before it starts to deliver the mail. This service therefore needs its own switch, so that it can be hidden separately from the other ports without breaking mail delivery.

The problem is that a setting which hides all ports but answers requests to the ident port with rejects is pointless, because those rejects (ICMP destination unreachable) themselves reveal the presence of the device.

In order to solve this problem, the device has the option of rejecting ident requests from mail and news servers only. Requests from all other computers are simply dropped. To this end, requests sent to a mail (SMTP, POP3, IMAP2) or news server (NNTP) cause ident requests from the respective servers to be rejected for a brief period (20 seconds).

When the time has expired, the port is hidden again.
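The following simulation, added here as an illustration and not LANCOM's own code, models the rule described above: an outbound connection to a mail or news server unhides the ident port for that server for 20 seconds, during which its ident requests are rejected; everything else is dropped, and the option "Always mask authentication port too" forces a drop in all cases. The port numbers are the standard ones (SMTP 25, POP3 110, IMAP 143, NNTP 119, ident 113) and are an assumption of the example, not values taken from the page.

```python
from dataclasses import dataclass, field

IDENT_PORT = 113                        # ident/auth service (RFC 1413), assumed
MAIL_NEWS_PORTS = {25, 110, 143, 119}   # SMTP, POP3, IMAP, NNTP, assumed standard ports
REJECT_WINDOW = 20.0                    # seconds the ident port stays "unhidden" per server


@dataclass
class StealthFirewall:
    """Minimal model of the TCP stealth-mode behaviour for the ident port."""
    always_mask_ident: bool = False
    # server address -> time of the last outbound mail/news connection to it
    _recent: dict = field(default_factory=dict)

    def outbound(self, dst_ip: str, dst_port: int, now: float) -> None:
        """Record that a station behind the firewall contacted a mail/news server."""
        if dst_port in MAIL_NEWS_PORTS:
            self._recent[dst_ip] = now
        # forget servers whose window has already expired
        self._recent = {ip: t for ip, t in self._recent.items()
                        if now - t <= REJECT_WINDOW}

    def inbound(self, src_ip: str, dst_port: int, now: float) -> str:
        """Return 'REJECT' or 'DROP' for an unsolicited inbound packet."""
        if dst_port != IDENT_PORT:
            return "DROP"                    # stealth mode: silently discarded
        if self.always_mask_ident:
            return "DROP"                    # option set: ident is masked as well
        last = self._recent.get(src_ip)
        if last is not None and 0 <= now - last <= REJECT_WINDOW:
            return "REJECT"                  # ICMP unreachable: server gives up at once
        return "DROP"                        # server waits for its own ident timeout


def delivery_delay(verdict: str, server_ident_timeout: float) -> float:
    """Seconds a server waits on its ident lookup before delivering (simplified)."""
    return 0.0 if verdict == "REJECT" else server_ident_timeout


if __name__ == "__main__":
    fw = StealthFirewall()
    fw.outbound("198.51.100.10", 25, now=100.0)   # constructed sample server address
    for t in (105.0, 121.0):
        v = fw.inbound("198.51.100.10", IDENT_PORT, now=t)
        print(f"t={t}: ident request -> {v}, delay {delivery_delay(v, 30.0)} s")
```

Running the script shows the reject inside the window and the drop (with the server's full ident timeout as delivery delay) once the 20 seconds have passed.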

www.lancom-systems.com

LANCOM Systems GmbH | A Rohde & Schwarz Company | Adenauerstr. 20/B2 | 52146 Wuerselen | Germany | E‑Mail info@lancom.de
