Re: [fw-wiz] Application Intelligent vs ALG
From: Volker Tanger (volker.tanger_at_discon.de)
Date: 06/24/03
- Previous message: Bruce Smith: "Re: [fw-wiz] PIX Failover Questions"
- In reply to: Frederick M Avolio: "Re: [fw-wiz] Application Intelligent vs ALG"
- Next in thread: ark_at_eltex.net: "Re: [fw-wiz] Application Intelligent vs ALG"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Frederick M Avolio <fred@avolio.com> Date: Tue, 24 Jun 2003 10:22:46 +0200
Greetings!
On Mon, 23 Jun 2003 09:18:19 -0400 Frederick M Avolio <fred@avolio.com>
wrote:
>
> I asked them, how is this different from application gateways
> (security proxies). I applaud the addition of them (like there are
> other hybrid firewalls).
Brief overview at http://www.wyae.de/docs/gateways.php
There is a basic difference between inspection and proxies/ALGs:
Inspection modules only observe the passing data flow, maximal flipping
a bit (later more on this), but no insertion or deletion of data within
the packet stream happens. They just sit and wait - if something foul
comes to their eyes, they simply cut the connection. So this technique
theoretically is faster than ALGs.
For HTML CheckPoint can "filter" HTML tags - they just flip the first
character after the < into a bogus one (a question mark, IIRC) thus
rendering the tag invalid. All the remaining code stays unchanged in
the transmitted data stream.
ALGs re-package the data stream. The network traffic ends at the
firewall, a new connection (often with "fake" source IP) is opened and
only the data is transferred from the one to the other connection. With
this adding, modifying or deleting data (e.g. HTML or SMTP headers) is a
piece of cake, deleting data even is faster than with other techniques
(drop that part, just don't re-package). Plus fancy playing with IP
header data as attack will automagically end at the ALG as it opens a
new, clean connection on the other side of the FW. No need to filter in
the IP header. NAT hiding comes for free, too, as comes migration
between protocols (IPv4-IPv6, HTTP-HTTPS, etc), depending only on the
ALG's configurability.
Bye
Volker Tanger
IT-Security
discon gmbh
DeTeWe AG & Co. KG
Fon +49 30 6104-3307
Fax +49 30 6104-3435
http://www.detewe.de/
--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
- Previous message: Bruce Smith: "Re: [fw-wiz] PIX Failover Questions"
- In reply to: Frederick M Avolio: "Re: [fw-wiz] Application Intelligent vs ALG"
- Next in thread: ark_at_eltex.net: "Re: [fw-wiz] Application Intelligent vs ALG"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
