Firewall Wizards mailing list archives

Re: Application Intelligent vs ALG


From: Rama krishna prasad <rkp () intotoinc com>
Date: Wed, 25 Jun 2003 00:31:02 +0530

Hi,
I don't know how different vendors do this. But I would like to indicate the typical functionality implemented in different modules (we also do this).

ALGs (Application Layer Gateways): ALGs are typically used
    - to detect and modify the internal IP address and ports with
      the NAT address and new port. This is useful in NAPT and
      one-to-one NAT.
    - to open temporary doors for further incoming and outgoing
      connections/sessions. Example protocols are FTP, H.323,
      RTSP etc. In these cases, based on the IP address and port
      information in the data payload of control connections, temporary
      doors are opened. These doors are closed upon control connection
      close and/or upon inactivity.

      Since this requires application intelligence, some filtering decisions
      can be made. That is what some firewall vendors use. For example,
      to implement an FTP ALG, commands and responses have to be
      extracted and collected. That makes it simple to provide intelligence
      on command filtering and file name filtering.

In some cases, even though no ALG is required, a similar concept
can be used to filter out application information.

Note that ALGs are typically handled at the network layer and act on a per-packet basis. Sometimes it becomes difficult to make a filtering decision as multiple packets have to be buffered.

Application proxies: In those cases, application proxies help, as these terminate the connection and make a new connection to the other end. Here, proxies get full control of the packets, and only after making access control decisions can data be transferred to the other end. But the disadvantage of application proxies is that client applications have to know about the presence of the proxy.

Transparent proxies: This is like application proxies in that they terminate the connection and make a new connection to the peer. But here the client need not know about the presence of the proxy. When the packets pass through the device, it passes the packets on to the application layer. Several TCP/IP stacks provide the functionality of terminating the connection even though the packets are not destined to the device. But in this case, as with application proxies, the source IP of the connection to the peer will be that of the proxy device. Due to this the server might think that all connections are coming from a single device. Due to this, inline firewalls or QoS devices might not be able to use the original source in their policy decisions.

To avoid the problems associated with transparent proxies while at the same time giving the functionality and control of proxies, a new breed of technology has been introduced, i.e. pseudo proxies. We take advantage of this.

Pseudo Proxies: In this, the original end point IP addresses are not changed by the proxy device. It is like an ALG, but with superior functionality. We also call it Proxy ALG.

Regards
Rama Krishna Prasad.
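The FTP ALG behaviour the post describes (rewriting the inside address in the PORT command to the NAT address, opening a temporary door for the data connection, closing it on idle or control-connection close, and making command and file-name filtering decisions from the same parsed commands) can be illustrated with a small toy. The code below is an added example written for this archive page, not code from the poster or from any vendor's product. The addresses (inside host 10.0.0.5, NAT address 203.0.113.1), the NAT port allocation scheme, the denied command list and the denied file-name pattern are all constructed for the example. It also shows the buffering problem mentioned in the post: a command split across two TCP segments is held until the line is complete, because no filtering decision can be taken on the fragment alone.

```python
"""Toy FTP ALG: NAT rewrite of PORT, temporary pinholes, command/file-name filtering.

Added illustration, not any vendor's code.  All addresses and policies are constructed.
"""
import re
from dataclasses import dataclass, field
from typing import Optional

# Active-mode FTP "PORT h1,h2,h3,h4,p1,p2" (RFC 959); port = p1*256 + p2.
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")
DENIED_COMMANDS = {b"DELE", b"RMD", b"SITE"}    # constructed filtering policy
DENIED_NAME_RE = re.compile(rb"\.\.|^/etc/")    # constructed file-name policy
NAME_COMMANDS = {b"RETR", b"STOR", b"CWD"}      # commands whose argument is a path


@dataclass
class Pinhole:
    """Temporary door: inbound to nat_ip:nat_port is translated to inside_ip:inside_port."""
    nat_port: int
    inside_ip: str
    inside_port: int
    last_seen: float


@dataclass
class FtpAlg:
    nat_ip: str                      # public NAPT address (constructed)
    idle_timeout: float = 60.0       # close doors idle longer than this
    next_nat_port: int = 40000       # simplistic sequential port allocator
    pinholes: dict = field(default_factory=dict)   # nat_port -> Pinhole
    _buf: bytes = b""                # partial control-channel line carried between segments

    def process_segment(self, payload: bytes, now: float):
        """Inspect one client->server control-channel TCP segment.

        Returns (bytes to forward to the server, list of (command, verdict)).
        A trailing incomplete line is buffered until a later segment completes it;
        this is the multi-packet buffering the post mentions.  Denied commands are
        dropped here; a real ALG would also send the client a 5xx reply.
        """
        self._buf += payload
        out, log = b"", []
        while b"\r\n" in self._buf:
            line, self._buf = self._buf.split(b"\r\n", 1)
            parts = line.split(b" ", 1)
            cmd = parts[0].upper()
            arg = parts[1] if len(parts) > 1 else b""
            if cmd in DENIED_COMMANDS:
                log.append((cmd, "deny"))
                continue
            if cmd in NAME_COMMANDS and DENIED_NAME_RE.search(arg):
                log.append((cmd, "deny-name"))
                continue
            m = PORT_RE.match(line)
            if m:
                h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
                inside_ip, inside_port = f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
                nat_port = self._alloc_port()
                self.pinholes[nat_port] = Pinhole(nat_port, inside_ip, inside_port, now)
                # Rewrite the payload so the server connects back to the NAT address.
                line = (b"PORT " + self.nat_ip.replace(".", ",").encode()
                        + b",%d,%d" % (nat_port // 256, nat_port % 256))
                log.append((cmd, f"pinhole {self.nat_ip}:{nat_port}->{inside_ip}:{inside_port}"))
            else:
                log.append((cmd, "allow"))
            out += line + b"\r\n"
        return out, log

    def _alloc_port(self) -> int:
        port = self.next_nat_port
        self.next_nat_port += 1
        return port

    def translate_inbound(self, dst_port: int, now: float) -> Optional[tuple]:
        """Map an inbound data connection arriving at nat_ip:dst_port through its door."""
        self.expire(now)
        hole = self.pinholes.get(dst_port)
        if hole is None:
            return None              # no door open for this port: default deny
        hole.last_seen = now         # activity keeps the door open
        return hole.inside_ip, hole.inside_port

    def expire(self, now: float) -> int:
        """Close doors idle longer than idle_timeout; returns how many were closed."""
        stale = [p for p, h in self.pinholes.items() if now - h.last_seen > self.idle_timeout]
        for p in stale:
            del self.pinholes[p]
        return len(stale)

    def close_all(self) -> None:
        """Control connection closed: tear down every door it opened."""
        self.pinholes.clear()


if __name__ == "__main__":
    alg = FtpAlg(nat_ip="203.0.113.1")
    # Constructed control stream, with the PORT command split across two segments.
    for seg in (b"USER anonymous\r\nPORT 10,0,0,5,",
                b"4,1\r\nDELE secret.txt\r\nRETR ../etc/passwd\r\nRETR pub/file\r\n"):
        fwd, decisions = alg.process_segment(seg, now=1.0)
        print(fwd, decisions)
    print(alg.translate_inbound(40000, now=10.0), alg.translate_inbound(40001, now=10.0))
```

The pinhole is keyed on the NAT port only; a production ALG would also bind it to the peer's address and protocol, and would rewrite the server's 227 PASV reply in the other direction with the same parse-rewrite-open sequence.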



Frederick M Avolio wrote:

A fancy proxy.

Three different people from Check Point wrote me in response to a recent column of mine, basically asking me if I had heard of this new feature.

I replied with a brief history. In short: Firewall-1 comes on the scene, most FW1 users implement it with modules from the TIS FWTK (for adding user authentication to FTP and TELNET), Check Point's marketing says proxies are old technology, stateful inspection is the next generation of firewall technology (before the term became a product name), people persisted in using proxies, CP added "security servers" (proxies by another name), and now this.

I asked them, how is this different from application gateways (security proxies). I applaud the addition of them (like there are other hybrid firewalls). But none of the three folks from CP replied to me.

I have no agenda, except the truth. (Boy, is this guy noble, or what? :-)) I'd like to know the answer to this: how is this different from application gateways (if it is), and why is it better than Sidewinder, Firebox, Raptor, et al.?


Fred
Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
PGP Key Fingerprint:    928D 0903 934F 8CFA 6124
                        BBF6 0B45 93C7 3521 CEA0

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards