Re: [fw-wiz] Application Intelligent vs ALG

• Previous message: ark_at_eltex.net: "Re: [fw-wiz] Application Intelligent vs ALG"
• In reply to: Frederick M Avolio: "Re: [fw-wiz] Application Intelligent vs ALG"
• Next in thread: Tony Miedaner: "Re: [fw-wiz] Application Intelligent vs ALG"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

To: Frederick M Avolio <fred@avolio.com>
Date: Wed, 25 Jun 2003 00:31:02 +0530

Hi,
         I don't how different vendors do this. But, I would like to indicate
         on typical functionality implemented in different modules (We also
         do this)
         ALGs (Application Layer Gateways): ALGs are typically used
             - to detect and modify the internal IP address and Ports with
               the NAT address and new port. This is useful in NAPT and
               one-to-one NAT.
            - to open temporary doors for further incoming and outgoing
               connections/sessions. Example protocols are FTP, H.323,
               RTSP etc.. In these cases, based on the IP address and port
               information in the data payload of control connections, temporary
               doors are opened. These doors are closed upon control connection
               close OR/AND upon inactivity.

               Since, this requires application intelligence, some filtering decisions
               can be made. That is what some firewall vendors use. For example,
               to implement FTP ALG, command extraction and responses have to
               be collected. It makes it simple to provide intelligence on command
               filtering and file name filtering.

          In some cases, even though there is no ALG required, similar concept
          can be used to filter out application information.

          Note that, ALGs are typically handled at the network layer and act on
          per packet basis. Some times it becomes difficult to make filtering
          decision as multiple packets have to be buffered.

          Application proxies: In those cases, application proxies help as these terminate connection
          and make new connection to other end. Here, proxies get full control
          of the packets and only after making access control decisions, then only
          data can be transferred to other end.
          But the disadvantage of application proxies is that client applications should know
          the presence of proxy.

          Transparent proxies:
           This is like application proxies in that they terminate the connection and make new connection
            to the peer. But, here the client need not know the presence of proxies.
            When the packets pass through the device, they pass on the packets to the application
            layer. Several TCP/IP stacks provide functionality of terminating the connection
            even though the packets are not destined to the device.
           But in this case, as in application proxies, will have source IP of the connection to the peer
           as proxy device. Due to this the server might think that all connections are coming from
           single device. Due to this the inline Firewalls OR QOS devices might not be able to use
           original source in their policy decisions.

           To avoid problems associated with transparent proxy and at the same giving the
           functionality and control of proxies, new breed of technology is introduced i.e Pseudo
           proxies. We take advantage of this.

          Pseudo Proxies: In this, original end point IP addresses are not changed by the
          proxy device. It is like ALG, but with superior functionality. We also call it as
          Proxy ALG.

      Regards
      Rama Krishna Prasad.

Frederick M Avolio wrote:

> A fancy proxy.
>
> Three different people from Check Point wrote me in response to a
> recent column of mine, basically asking me if I had heard of this new
> feature.
>
> I replied with a brief history. In short: Firewall-1 comes on the
> scene, most FW1 users implement it with modules from the TIS FWTK (for
> adding user authentication to FTP and TELNET), Check Point's marketing
> says proxies are old technology, stateful inspection is the next
> generation of firewall technology (before the term became a product
> name), people persisted in using proxies, CP added "security servers"
> (proxies by another name), and now this.
>
> I asked them, how is this different from application gateways
> (security proxies). I applaud the addition of them (like there are
> other hybrid firewalls). But none of the three folks from CP replied
> to me.
>
> I have no agenda, except the truth. (Boy, is this guy noble, or what?
> :-)) I'd like to know the answer to this: How this is different than
> application gateways (if it is), and why is it better than Sidewinder,
> Firebox, Raptor, et al.
>
>
> Fred
> Avolio Consulting, Inc.
> 16228 Frederick Road, PO Box 609, Lisbon, MD 21765, US
> +1 410-309-6910 (voice) +1 410-309-6911 (fax)
> http://www.avolio.com/
> PGP Key Fingerprint: 928D 0903 934F 8CFA 6124
> BBF6 0B45 93C7 3521 CEA0
>
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@honor.icsalabs.com
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>

_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

• Previous message: ark_at_eltex.net: "Re: [fw-wiz] Application Intelligent vs ALG"
• In reply to: Frederick M Avolio: "Re: [fw-wiz] Application Intelligent vs ALG"
• Next in thread: Tony Miedaner: "Re: [fw-wiz] Application Intelligent vs ALG"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]