Firewall Wizards mailing list archives

Re: Application Intelligent vs ALG


From: "Volker Tanger" <volker.tanger () discon de>
Date: Tue, 24 Jun 2003 10:22:46 +0200

Greetings!

On Mon, 23 Jun 2003 09:18:19 -0400 Frederick M Avolio <fred () avolio com> wrote:

> I asked them, how is this different from application gateways
> (security proxies). I applaud the addition of them (like there are
> other hybrid firewalls).

Brief overview at http://www.wyae.de/docs/gateways.php

There is a basic difference between inspection and proxies/ALGs:

Inspection modules only observe the passing data flow, at most flipping
a bit (more on this later), but no insertion or deletion of data within
the packet stream happens. They just sit and wait - if something foul
comes to their eyes, they simply cut the connection. So this technique
theoretically is faster than ALGs.

For HTML, CheckPoint can "filter" HTML tags - they just flip the first
character after the < into a bogus one (a question mark, IIRC), thus
rendering the tag invalid. All the remaining code stays unchanged in
the transmitted data stream.


ALGs re-package the data stream. The network traffic ends at the
firewall, a new connection (often with "fake" source IP) is opened, and
only the data is transferred from the one connection to the other. With
this, adding, modifying or deleting data (e.g. HTML or SMTP headers) is a
piece of cake; deleting data is even faster than with other techniques
(drop that part, just don't re-package it). Plus, fancy playing with IP
header data as an attack will automagically end at the ALG, as it opens a
new, clean connection on the other side of the FW. No need to filter in
the IP header. NAT hiding comes for free, too, as does migration
between protocols (IPv4-IPv6, HTTP-HTTPS, etc.), depending only on the
ALG's configurability.

Bye

Volker Tanger

IT-Security
discon gmbh
DeTeWe AG & Co. KG

Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/
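
The two filtering models described in the post, as an added example that is not part of Volker's message or of any vendor's code: an inspection-style filter that only flips the byte after "<" (keeping the stream length identical, so the original packets can be forwarded as they are) beside an ALG-style filter that re-packages the payload and can therefore drop whole elements and open a fresh connection from its own address. The forbidden tag list, the "cut the connection" pattern, the Segment model, the addresses and the sample HTML are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Policy for this example (constructed, not from the original post): tags the
# firewall must neuter, and a byte pattern it must never let through at all.
FORBIDDEN_TAGS = ("script", "object", "applet")
CUT_PATTERNS = (b"<!--#",)  # constructed: a directive prefix the policy forbids outright

# Constructed sample HTTP response body crossing the firewall in one stream.
SAMPLE_HTML = (
    b"<html><body>\n"
    b"<p>Hello</p>\n"
    b"<SCRIPT>alert(1)</SCRIPT>\n"
    b'<object data="x.swf"></object>\n'
    b"<p>Bye</p>\n"
    b"</body></html>\n"
)

_ALT = b"|".join(re.escape(t.encode()) for t in FORBIDDEN_TAGS)
# Start of a forbidden open or close tag, e.g. "<script" or "</OBJECT".
_TAG_START_RE = re.compile(rb"<(/?)(" + _ALT + rb")\b", re.IGNORECASE)
# A whole forbidden element, open tag through its matching close tag.
_ELEMENT_RE = re.compile(rb"<(" + _ALT + rb")\b[^>]*>.*?</\1\s*>",
                         re.IGNORECASE | re.DOTALL)


def inspect_neutralize(data: bytes) -> bytes:
    """Inspection-style filtering: overwrite the byte after '<' with '?'.

    Nothing is inserted or removed, so the stream keeps its exact length and
    the segments can be forwarded as they are; only the flipped byte differs
    from what the sender put on the wire.
    """
    buf = bytearray(data)
    for m in _TAG_START_RE.finditer(data):
        buf[m.start() + 1] = ord("?")  # "<script" -> "<?cript", "</script" -> "<?script"
    out = bytes(buf)
    assert len(out) == len(data)       # the invariant inspection relies on
    return out


def alg_rewrite(data: bytes) -> bytes:
    """ALG-style filtering: the proxy re-packages the payload anyway, so it
    can drop whole forbidden elements; the length changes freely."""
    return _ELEMENT_RE.sub(b"", data)


@dataclass
class Segment:
    """Minimal stand-in for one packet (constructed for this example):
    addresses, payload, and whatever the sender put into the IP header."""
    src: str
    dst: str
    payload: bytes
    ip_options: bytes = b""


ALG_ADDR = "192.0.2.1"  # constructed: the firewall's own outside address


def inspect_relay(seg: Segment):
    """Forward the original packet with the payload flipped where needed.
    IP header fields pass through untouched. If something outright foul is
    seen, the module cuts the connection (modelled here as returning None)."""
    if any(p in seg.payload for p in CUT_PATTERNS):
        return None
    return Segment(seg.src, seg.dst, inspect_neutralize(seg.payload), seg.ip_options)


def alg_relay(seg: Segment) -> Segment:
    """The client's connection ends at the firewall; the ALG opens a fresh one
    from its own address and copies only the filtered data across, so nothing
    from the original IP header (options included) survives the hop."""
    return Segment(ALG_ADDR, seg.dst, alg_rewrite(seg.payload))


if __name__ == "__main__":
    # Constructed addresses and a few NOP option bytes in the IP header.
    seg = Segment("198.51.100.7", "203.0.113.9", SAMPLE_HTML, ip_options=b"\x01\x01\x01\x01")
    print("inspection:", inspect_relay(seg))
    print("ALG:       ", alg_relay(seg))
```

Running the module prints both relayed segments: the inspection path keeps the client's source address and IP options and only turns `<SCRIPT>` into `<?CRIPT>`, while the ALG path emits a segment sourced from the firewall's own address with the script and object elements removed entirely. A transparent ALG that reuses the client's address (the "fake" source IP in the post) would differ only in the `src` it writes into the new segment.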
