Re: [fw-wiz] Application Intelligent vs ALG
From: Rama krishna prasad (rkp_at_intotoinc.com)
To: Frederick M Avolio <email@example.com> Date: Wed, 25 Jun 2003 00:31:02 +0530
I don't know how different vendors do this. But I would like to indicate
the typical functionality implemented in different modules (We also
ALGs (Application Layer Gateways): ALGs are typically used
- to detect and modify the internal IP address and ports to the
NAT address and new port. This is useful in NAPT and
- to open temporary doors for further incoming and outgoing
connections/sessions. Example protocols are FTP, H.323,
RTSP etc. In these cases, based on the IP address and port
information in the data payload of control connections, temporary
doors are opened. These doors are closed upon control connection
close and/or upon inactivity.
Since this requires application intelligence, some filtering decisions
can be made. That is what some firewall vendors use. For example,
to implement an FTP ALG, commands have to be extracted and responses
collected. This makes it simple to provide intelligence on command
filtering and file name filtering.
In some cases, even though no ALG is required, a similar concept
can be used to filter out application information.
Note that ALGs are typically handled at the network layer and act on a
per-packet basis. Sometimes it becomes difficult to make a filtering
decision, as multiple packets have to be buffered.
Application proxies: In those cases, application proxies help, as these terminate the connection
and make a new connection to the other end. Here, proxies get full control
of the packets, and only after making access control decisions can
data be transferred to the other end.
But the disadvantage of application proxies is that client applications must know
of the presence of the proxy.
Transparent proxies: This is like application proxies in that they terminate the connection and make a new connection
to the peer. But here the client need not know of the presence of the proxy.
When the packets pass through the device, it passes them on to the application
layer. Several TCP/IP stacks provide the functionality of terminating the connection
even though the packets are not destined for the device.
But in this case, as with application proxies, the connection to the peer will have the
proxy device as its source IP. Due to this, the server might think that all connections are coming from a
single device, and inline firewalls or QoS devices might not be able to use the
original source in their policy decisions.
To avoid the problems associated with transparent proxies while at the same time giving the
functionality and control of proxies, a new breed of technology has been introduced, i.e. pseudo
proxies. We take advantage of this.
Pseudo Proxies: In this, the original endpoint IP addresses are not changed by the
proxy device. It is like an ALG, but with superior functionality. We also call it as

Rama Krishna Prasad.
Frederick M Avolio wrote:
> A fancy proxy.
> Three different people from Check Point wrote me in response to a
> recent column of mine, basically asking me if I had heard of this new
> I replied with a brief history. In short: Firewall-1 comes on the
> scene, most FW1 users implement it with modules from the TIS FWTK (for
> adding user authentication to FTP and TELNET), Check Point's marketing
> says proxies are old technology, stateful inspection is the next
> generation of firewall technology (before the term became a product
> name), people persisted in using proxies, CP added "security servers"
> (proxies by another name), and now this.
> I asked them how this is different from application gateways
> (security proxies). I applaud the addition of them (like there are
> other hybrid firewalls). But none of the three folks from CP replied
> to me.
> I have no agenda, except the truth. (Boy, is this guy noble, or what?
> :-)) I'd like to know the answer to this: How is this different from
> application gateways (if it is), and why is it better than Sidewinder,
> Firebox, Raptor, et al.
> Avolio Consulting, Inc.
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
> +1 410-309-6910 (voice) +1 410-309-6911 (fax)
> PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
> BBF6 0B45 93C7 3521 CEA0
> firewall-wizards mailing list
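The FTP ALG behaviour described in the message above (reading the control channel, rewriting PORT for NAPT, opening temporary doors for the data connection, and filtering commands and file names), as an added example that is not code from the original post or from any vendor. It also shows the buffering problem the message mentions: a command split across two TCP segments is held until its CRLF arrives. The addresses, ports, the denied-command set and the file-name pattern are all constructed for the example.

```python
"""Minimal FTP ALG sketch (added example, not from the original post).

Reassembles CRLF-terminated control-channel lines across TCP segments,
rewrites the client's PORT command with the NAPT address and a fresh
port, opens one-shot pinholes for the expected data connection, and
applies command and file-name filtering. All policy values and addresses
are constructed assumptions for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# h1,h2,h3,h4,p1,p2 as used by PORT and by the 227 PASV reply
HP_RE = re.compile(rb"(\d+),(\d+),(\d+),(\d+),(\d+),(\d+)")
PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _hp_to_addr(groups) -> Tuple[str, int]:
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _addr_to_hp(ip: str, port: int) -> bytes:
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)]).encode()


@dataclass
class Pinhole:
    """A temporary door: who may connect, to where, and where to deliver it."""
    src_ip: str                          # host allowed to initiate
    dst: Tuple[str, int]                 # (ip, port) the initiator connects to
    translate_to: Optional[Tuple[str, int]]  # real endpoint behind NAT, or None


@dataclass
class FtpAlg:
    client_ip: str     # private client address (constructed)
    nat_ip: str        # public NAPT address (constructed)
    server_ip: str     # FTP server address (constructed)
    denied_commands: frozenset = frozenset({b"DELE", b"RMD", b"SITE"})  # assumed policy
    denied_names: re.Pattern = re.compile(rb"\.(exe|dll)$|\.\./", re.I)  # assumed policy
    pinholes: List[Pinhole] = field(default_factory=list)
    _cbuf: bytes = b""
    _sbuf: bytes = b""
    _next_nat_port: int = 40000

    def _lines(self, buf_name: str, segment: bytes) -> List[bytes]:
        """Reassemble complete CRLF lines; a partial line waits for the next segment."""
        buf = getattr(self, buf_name) + segment
        lines = []
        while b"\r\n" in buf:
            line, buf = buf.split(b"\r\n", 1)
            lines.append(line)
        setattr(self, buf_name, buf)
        return lines

    def feed_client(self, segment: bytes):
        """Client->server bytes. Returns (bytes to forward, list of events)."""
        out, events = b"", []
        for line in self._lines("_cbuf", segment):
            parts = line.split(b" ", 1)
            verb, arg = parts[0].upper(), (parts[1] if len(parts) > 1 else b"")
            if verb in self.denied_commands:          # command filtering
                events.append(("blocked-command", verb.decode()))
                continue
            if verb in (b"RETR", b"STOR", b"APPE") and self.denied_names.search(arg):
                events.append(("blocked-filename", arg.decode(errors="replace")))
                continue                               # file-name filtering
            m = HP_RE.fullmatch(arg) if verb == b"PORT" else None
            if m:
                real_ip, real_port = _hp_to_addr(m.groups())
                nat_port = self._next_nat_port
                self._next_nat_port += 1
                # The server will connect to nat_ip:nat_port; deliver it to the real client.
                self.pinholes.append(Pinhole(self.server_ip, (self.nat_ip, nat_port), (real_ip, real_port)))
                line = b"PORT " + _addr_to_hp(self.nat_ip, nat_port)   # NAPT rewrite
                events.append(("pinhole", self.nat_ip, nat_port))
            out += line + b"\r\n"
        return out, events

    def feed_server(self, segment: bytes):
        """Server->client bytes: a 227 PASV reply opens an outbound door for the client."""
        out, events = b"", []
        for line in self._lines("_sbuf", segment):
            m = PASV_RE.match(line)
            if m:
                ip, port = _hp_to_addr(m.groups())
                self.pinholes.append(Pinhole(self.client_ip, (ip, port), None))
                events.append(("pinhole", ip, port))
            out += line + b"\r\n"
        return out, events

    def admit(self, src_ip: str, dst_ip: str, dst_port: int) -> Optional[Tuple[str, int]]:
        """Data-connection SYN check: the endpoint to deliver to, or None. Doors are one-shot."""
        for ph in self.pinholes:
            if ph.src_ip == src_ip and ph.dst == (dst_ip, dst_port):
                self.pinholes.remove(ph)
                return ph.translate_to or ph.dst
        return None

    def close(self) -> None:
        """Control connection closed or idle: every door is torn down."""
        self.pinholes.clear()
```

Usage: call `feed_client`/`feed_server` with each TCP segment's payload and forward what they return; when a SYN for a new connection arrives, `admit` says whether a door exists and where to deliver it. Real ALGs also have to cope with the rewritten line changing the TCP sequence numbers, which this sketch leaves out.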