Firewall Wizards mailing list archives
Re: Application Intelligent vs ALG
From: Rama krishna prasad <rkp () intotoinc com>
Date: Wed, 25 Jun 2003 00:31:02 +0530
Hi,

I don't know how different vendors do this. But I would like to indicate the typical functionality implemented in different modules (we also do this).

ALGs (Application Layer Gateways): ALGs are typically used
- to detect and modify the internal IP address and ports with the NAT address and new port. This is useful in NAPT and one-to-one NAT.
- to open temporary doors for further incoming and outgoing connections/sessions. Example protocols are FTP, H.323, RTSP etc. In these cases, based on the IP address and port information in the data payload of control connections, temporary doors are opened. These doors are closed upon control connection close and/or upon inactivity.

Since this requires application intelligence, some filtering decisions can be made. That is what some firewall vendors use. For example, to implement an FTP ALG, commands have to be extracted and responses collected. That makes it simple to provide intelligence on command filtering and file name filtering. In some cases, even though no ALG is required, a similar concept can be used to filter out application information. Note that ALGs are typically handled at the network layer and act on a per-packet basis. Sometimes it becomes difficult to make a filtering decision, as multiple packets have to be buffered.

Application proxies: In those cases, application proxies help, as these terminate the connection and make a new connection to the other end. Here, proxies get full control of the packets, and only after making access control decisions can data be transferred to the other end. But the disadvantage of application proxies is that client applications should know of the presence of the proxy.

Transparent proxies: This is like application proxies in that they terminate the connection and make a new connection to the peer. But here the client need not know of the presence of proxies. When the packets pass through the device, it passes the packets on to the application layer. Several TCP/IP stacks provide the functionality of terminating the connection even though the packets are not destined to the device. But in this case, as in application proxies, the connection to the peer will have the proxy device as its source IP. Due to this the server might think that all connections are coming from a single device. Due to this, inline firewalls or QoS devices might not be able to use the original source in their policy decisions. To avoid the problems associated with transparent proxies while at the same time giving the functionality and control of proxies, a new breed of technology is introduced, i.e. pseudo proxies. We take advantage of this.

Pseudo proxies: In this, the original end point IP addresses are not changed by the proxy device. It is like an ALG, but with superior functionality. We also call it a Proxy ALG.

Regards
Rama Krishna Prasad.

Frederick M Avolio wrote:
A fancy proxy. Three different people from Check Point wrote me in response to a recent column of mine, basically asking me if I had heard of this new feature. I replied with a brief history. In short: Firewall-1 comes on the scene, most FW1 users implement it with modules from the TIS FWTK (for adding user authentication to FTP and TELNET), Check Point's marketing says proxies are old technology, stateful inspection is the next generation of firewall technology (before the term became a product name), people persisted in using proxies, CP added "security servers" (proxies by another name), and now this.

I asked them how this is different from application gateways (security proxies). I applaud the addition of them (like there are other hybrid firewalls). But none of the three folks from CP replied to me.

I have no agenda, except the truth. (Boy, is this guy noble, or what? :-)) I'd like to know the answer to this: How is this different from application gateways (if it is), and why is it better than Sidewinder, Firebox, Raptor, et al.

Fred Avolio Consulting, Inc.
16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
+1 410-309-6910 (voice) +1 410-309-6911 (fax)
http://www.avolio.com/
PGP Key Fingerprint: 928D 0903 934F 8CFA 6124 BBF6 0B45 93C7 3521 CEA0
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
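The FTP ALG behaviour described in the post above (extracting the client's PORT command from the control-channel payload, rewriting the internal address for NAPT, opening a temporary door that closes on inactivity, and filtering commands), as an added Python example that is not from the original post or any vendor's product. The external address 203.0.113.10, the new port, the 60-second idle timeout and the deny-list are constructed assumptions.

```python
import re

# All values below are constructed for this example: the firewall's external
# address 203.0.113.10 (hypothetical), a 60-second idle timeout for the pinhole,
# and a deny-list of FTP commands the administrator wants blocked.
EXTERNAL_IP = "203.0.113.10"
PINHOLE_IDLE_TIMEOUT = 60
DENIED_COMMANDS = {b"DELE", b"SITE"}
PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")

def decode_hostport(groups):
    """RFC 959 h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2)."""
    return ".".join(groups[:4]), int(groups[4]) * 256 + int(groups[5])

def encode_hostport(ip, port):
    """Inverse of decode_hostport."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])

def filter_command(payload):
    """Command filtering: True if this control-channel line may pass."""
    verb = payload.split(b" ", 1)[0].rstrip(b"\r\n").upper()
    return verb not in DENIED_COMMANDS

def rewrite_port_command(payload, new_port, now):
    """NAPT rewrite of a client PORT line; returns (new_payload, pinhole or None)."""
    m = PORT_RE.match(payload)
    if not m:
        return payload, None
    internal_ip, internal_port = decode_hostport([g.decode() for g in m.groups()])
    new_payload = b"PORT " + encode_hostport(EXTERNAL_IP, new_port).encode() + b"\r\n"
    pinhole = {
        "external": (EXTERNAL_IP, new_port),      # what the server will connect to
        "internal": (internal_ip, internal_port), # where the ALG forwards it
        "expires": now + PINHOLE_IDLE_TIMEOUT,    # door closes on inactivity
    }
    # The rewritten line can change length, so a packet-level ALG must also
    # fix up TCP sequence/acknowledgement numbers on the control connection.
    return new_payload, pinhole

def pinhole_allows(pinhole, dst_ip, dst_port, now):
    """Temporary door: admit the server's inbound data connection until expiry."""
    if pinhole is None or now > pinhole["expires"]:
        return False
    return (dst_ip, dst_port) == pinhole["external"]
```

Feeding `b"PORT 10,0,0,5,4,1\r\n"` (internal client 10.0.0.5:1025) through `rewrite_port_command` with new port 40001 yields `b"PORT 203,0,113,10,156,65\r\n"` and a pinhole that `pinhole_allows` accepts only for that external address and port before the timeout.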