Application-level gateway

In the context of computer networking, an application-level gateway [RFC 2663 - ALG: official definition (refer section 2.9)] (also known as ALG or application layer gateway) consists of a security component that augments a firewall or NAT employed in a computer network. It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications etc. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings ("firewall pinhole") dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

An ALG may offer the following functions:

* allowing client applications to use dynamic ephemeral TCP/ UDP ports to communicate with the known ports used by the server applications, even though a firewall-configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall — rendering the network vulnerable to attacks on those ports.
* converting the network layer address information found inside an application payload between the addresses acceptable by the hosts on either side of the firewall/NAT. This aspect introduces the term 'gateway' for an ALG.
* recognizing application-specific commands and offering granular security controls over them
* synchronizing between multiple streams/sessions of data between two hosts exchanging data. For example, an FTP application may use separate connections for passing control commands and for exchanging data between the client and a remote server. During large file transfers, the control connection may remain idle. An ALG can prevent the control connection getting timed out by network devices before the lengthy file transfer completes. [" [http://www.ncftp.com/ncftpd/doc/misc/ftp_and_firewalls.html The File Transfer Protocol (FTP) and Your Firewall ] / Network Address Translation (NAT) Router / Load-Balancing Router."]

Deep packet-inspection of all the packets handled by ALGs over a given network makes this functionality possible. An ALG understands the protocol used by the specific applications that it supports.

For instance, Session Initiation Protocol (SIP) Back-to-Back User agent (B2BUA). An ALG can allow firewall traversal with SIP. If the firewall has its SIP traffic terminated on an ALG then the responsibility for permitting SIP sessions passes to the ALG instead of the firewall. An ALG can solve another major SIP headache: NAT traversal. Basically a NAT with inbuilt ALG can re-write information within the SIP messages and can hold address-bindings until the session terminates. [ [http://sitsotd.org/ SIP gateway] built with libipt/iptables]

An ALG is very similar to a proxy server, as it sits between the client and real server, facilitating the exchange. There seems to be an industry convention that an ALG does its job without the application being configured to use it, by intercepting the messages. A proxy, on the other hand, usually needs to be configured in the client application. The client is then explicitly aware of the proxy and connects to it, rather than the real server.

ALG service in Microsoft Windows

The "Application Layer Gateway" service in Microsoft Windows provides support for third-party plugins that allow network protocols to pass through the Windows Firewall and work behind it and Internet Connection Sharing. ALG plugins can open ports and change data that is embedded in packets, such as ports and IP addresses. Windows Server 2003 also includes an ALG FTP plugin. The ALG FTP plugin is designed to support active FTP sessions through the NAT engine in Windows. To do this, the ALG FTP plugin redirects all traffic that passes through the NAT and that is destined for port 21 (FTP control port) to a private listening port in the 3000-5000 range on the Microsoft "loopback adapter". The ALG FTP plugin then monitors/updates traffic on the FTP control channel so that the FTP plugin can plumb port mappings through the NAT for the FTP data channels. The FTP plugin will also update ports in the FTP control channel stream.

ee also

* Session Border Controller
* Proxy server

References


Wikimedia Foundation. 2010.

Look at other dictionaries:

  • Application Level Gateway — Eine Web Application Firewall (WAF) ist eine Technologie, die Web Anwendungen vor Angriffen über das HTTP Protokoll schützen soll. Teilweise wird diese Technologie auch als Web Shield, Application Level Gateway (ALG) oder Application Level… …   Deutsch Wikipedia

  • Application-level gateway — Applications level gateway, или ALG (англ. «шлюз прикладного уровня»)  компонент NAT маршрутизатора, который понимает какой либо прикладной протокол, и при прохождении через него пакетов этого протокола модифицирует их таким образом,… …   Википедия

  • Application Layer Gateway — Das Application Layer Gateway (auch bekannt unter den Namen ALG oder Application Level Gateway) stellt eine Sicherheitskomponente in einem Computernetzwerk dar. Bei der Übertragung von Daten in einem Netzwerk verwenden einige Protokolle wie… …   Deutsch Wikipedia

  • Application Level Firewall — Eine Web Application Firewall (WAF) ist eine Technologie, die Web Anwendungen vor Angriffen über das HTTP Protokoll schützen soll. Teilweise wird diese Technologie auch als Web Shield, Application Level Gateway (ALG) oder Application Level… …   Deutsch Wikipedia

  • Circuit-level gateway — A circuit level gateway is a type of firewall. Circuit level gateways work at the session layer of the OSI model, or as a shim layer between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between… …   Wikipedia

  • Circuit-Level Gateway — A circuit level gateway is a type of firewall.Circuit level gateways work at the session layer of the OSI model, or as a shim layer between the application layer and the transport layer of the TCP/IP stack. They monitor TCP handshaking between… …   Wikipedia

  • Application Gateway — Eine externe (Netzwerk oder Hardware ) Firewall (von engl. firewall [ˈfaɪəwɔːl] „die Brandwand“) stellt eine kontrollierte Verbindung zwischen zwei Netzen her. Das könnten z. B. ein privates Netz (LAN) und das Internet (WAN) sein; möglich ist… …   Deutsch Wikipedia

  • Application firewall — An application firewall is a form of firewall which controls input, output, and/or access from, to, or by an application or service. It operates by monitoring and potentially blocking the input, output, or system service calls which do not meet… …   Wikipedia

  • Gateway Project — The Gateway Project shown in red would parallel the current right of way The Gateway Project is a proposed American rail expansion project to build a high speed rail right of way and to alleviate the bottleneck along the Northeast Corridor (NEC)… …   Wikipedia

  • Gateway Plus — The Gateway Plus (previously known as Birmingham Gateway) project is a redevelopment scheme to regenerate Birmingham New Street Station and the Pallasades Shopping Centre above it in Birmingham, England. The project aims to enhance the station to …   Wikipedia


Share the article and excerpts

Direct link
Do a right-click on the link above
and select “Copy Link”

We are using cookies for the best presentation of our site. Continuing to use this site, you agree with this.