Re: [fw-wiz] Application Intelligent vs ALG

From: Rama krishna prasad (rkp_at_intotoinc.com)
Date: 06/24/03

To: Frederick M Avolio <fred@avolio.com>
Date: Wed, 25 Jun 2003 00:31:02 +0530

Hi,
        I don't know how different vendors do this. But I would like to indicate
the typical functionality implemented in different modules (we also do this).

ALGs (Application Layer Gateways): ALGs are typically used
    - to detect and modify the internal IP address and ports with the NAT
      address and new port. This is useful in NAPT and one-to-one NAT.
    - to open temporary doors for further incoming and outgoing
      connections/sessions. Example protocols are FTP, H.323, RTSP etc. In
      these cases, based on the IP address and port information in the data
      payload of control connections, temporary doors are opened. These doors
      are closed upon control connection close and/or upon inactivity.

      Since this requires application intelligence, some filtering decisions
      can be made. That is what some firewall vendors use. For example, to
      implement an FTP ALG, commands and responses have to be extracted and
      collected. This makes it simple to provide intelligence on command
      filtering and file name filtering.

In some cases, even though no ALG is required, a similar concept can be used
to filter on application information.

Note that ALGs are typically handled at the network layer and act on a
per-packet basis. Sometimes it becomes difficult to make a filtering decision,
as multiple packets have to be buffered.

Application proxies: In those cases, application proxies help, as they
terminate the connection and make a new connection to the other end. Here,
proxies get full control of the packets, and only after making access control
decisions can data be transferred to the other end. But the disadvantage of
application proxies is that client applications have to know about the
presence of the proxy.

Transparent proxies: These are like application proxies in that they terminate
the connection and make a new connection to the peer. But here the client need
not know about the presence of the proxy. When the packets pass through the
device, it passes them on to the application layer. Several TCP/IP stacks
provide the functionality of terminating a connection even though the packets
are not destined to the device. But in this case, as with application proxies,
the source IP of the connection to the peer will be the proxy device. Because
of this, the server might think that all connections are coming from a single
device, and inline firewalls or QoS devices might not be able to use the
original source in their policy decisions.

To avoid the problems associated with transparent proxies while at the same
time giving the functionality and control of proxies, a new breed of
technology has been introduced, i.e. pseudo proxies. We take advantage of this.

Pseudo proxies: In this, the original endpoint IP addresses are not changed by
the proxy device. It is like an ALG, but with superior functionality. We also
call it a Proxy ALG.

Regards
Rama Krishna Prasad.

    Frederick M Avolio wrote:

    > A fancy proxy.
    >
    > Three different people from Check Point wrote me in response to a
    > recent column of mine, basically asking me if I had heard of this new
    > feature.
    >
    > I replied with a brief history. In short: Firewall-1 comes on the
    > scene, most FW1 users implement it with modules from the TIS FWTK (for
    > adding user authentication to FTP and TELNET), Check Point's marketing
    > says proxies are old technology, stateful inspection is the next
    > generation of firewall technology (before the term became a product
    > name), people persisted in using proxies, CP added "security servers"
    > (proxies by another name), and now this.
    >
    > I asked them, how is this different from application gateways
    > (security proxies). I applaud the addition of them (like there are
    > other hybrid firewalls). But none of the three folks from CP replied
    > to me.
    >
    > I have no agenda, except the truth. (Boy, is this guy noble, or what?
    > :-)) I'd like to know the answer to this: How this is different than
    > application gateways (if it is), and why is it better than Sidewinder,
    > Firebox, Raptor, et al.
    >
    >
    > Fred
    > Avolio Consulting, Inc.
    > 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
    > +1 410-309-6910 (voice) +1 410-309-6911 (fax)
    > http://www.avolio.com/
    > PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
    > BBF6 0B45 93C7 3521 CEA0
    >
    > _______________________________________________
    > firewall-wizards mailing list
    > firewall-wizards@honor.icsalabs.com
    > http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
    >

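The FTP ALG behaviour described in the reply above (extracting IP/port from the control channel, rewriting the PORT argument for NAPT, opening temporary "doors" for the data connection that are closed on control-connection close or inactivity, and filtering commands) can be shown in a small model. The following is an added example written for this page; it is not code from the poster, from Intoto, or from any of the products named in the thread. The addresses, the NAT port allocation scheme and the denied-command list are constructed for illustration.

```python
"""Toy FTP ALG model (constructed example, not a product implementation).

It inspects FTP control-channel lines, rewrites the client's PORT argument
to the NAT address, keeps a table of temporary data-channel pinholes, and
drops commands that policy forbids.
"""
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE)
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode).
PASV_RE = re.compile(
    r"^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")


def decode_hostport(groups):
    """Six comma-separated FTP fields -> (ip, port)."""
    ip = ".".join(groups[:4])
    port = int(groups[4]) * 256 + int(groups[5])
    return ip, port


def encode_hostport(ip, port):
    """(ip, port) -> the six-field FTP representation."""
    return "%s,%d,%d" % (ip.replace(".", ","), port // 256, port % 256)


class FtpAlg:
    def __init__(self, nat_ip, nat_port_base=40000, idle_timeout=60.0,
                 denied_commands=("DELE", "SITE")):
        self.nat_ip = nat_ip
        self.next_nat_port = nat_port_base  # hypothetical sequential allocator
        self.idle_timeout = idle_timeout
        self.denied = {c.upper() for c in denied_commands}
        # (ip, port) visible on the outside -> pinhole record
        self.pinholes = {}

    def client_to_server(self, line, now):
        """Inspect one control line from the internal client.
        Returns (verdict, line_to_forward); the line may be rewritten."""
        parts = line.split()
        cmd = parts[0].upper() if parts else ""
        if cmd in self.denied:
            return "deny", None  # command filtering, as the reply describes
        m = PORT_RE.match(line)
        if m:
            internal_ip, internal_port = decode_hostport(m.groups())
            nat_port = self.next_nat_port
            self.next_nat_port += 1
            # Inbound door: server will connect to nat_ip:nat_port, which
            # must be translated back to the internal endpoint.
            self.pinholes[(self.nat_ip, nat_port)] = {
                "direction": "inbound",
                "internal": (internal_ip, internal_port),
                "last_seen": now}
            return "allow", "PORT " + encode_hostport(self.nat_ip, nat_port)
        return "allow", line

    def server_to_client(self, line, now):
        """Inspect one control line from the server; PASV opens an outbound door."""
        m = PASV_RE.match(line)
        if m:
            server_ip, server_port = decode_hostport(m.groups())
            self.pinholes[(server_ip, server_port)] = {
                "direction": "outbound", "internal": None, "last_seen": now}
        return "allow", line

    def match_inbound(self, dst_ip, dst_port, now):
        """A packet arriving at nat_ip:dst_port: return the internal
        endpoint to translate to, or None if no door is open."""
        rec = self.pinholes.get((dst_ip, dst_port))
        if rec is None or rec["direction"] != "inbound":
            return None
        rec["last_seen"] = now
        return rec["internal"]

    def match_outbound(self, dst_ip, dst_port, now):
        """A client packet leaving towards dst: True if a PASV door allows it."""
        rec = self.pinholes.get((dst_ip, dst_port))
        if rec is None or rec["direction"] != "outbound":
            return False
        rec["last_seen"] = now
        return True

    def expire(self, now):
        """Close doors idle longer than idle_timeout; return how many closed."""
        stale = [k for k, r in self.pinholes.items()
                 if now - r["last_seen"] > self.idle_timeout]
        for k in stale:
            del self.pinholes[k]
        return len(stale)

    def control_closed(self):
        """Control connection torn down: all of its doors close at once."""
        n = len(self.pinholes)
        self.pinholes.clear()
        return n
```

The point the reply makes about buffering shows up in the model too: each method assumes it is handed a whole control line, so a real per-packet implementation has to reassemble the TCP stream before the regular expressions can be applied, which is exactly the difficulty the poster attributes to network-layer ALGs.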