Application-level gateway
An application-level gateway (ALG, also known as application layer gateway, application gateway, application proxy, or application-level proxy) is a security component that augments a
Functions
An ALG may offer the following functions:
- allowing client applications to use dynamic ephemeral TCP/UDP ports to communicate with the known ports used by the server applications, even though a firewall configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall — rendering the network vulnerable to attacks on those ports.
- converting the 'gateway'for an ALG.
- recognizing application-specific commands and offering granular security controls over them
- synchronizing between multiple streams/sessions of data between two hosts exchanging data. For example, an FTP application may use separate connections for passing control commands and for exchanging data between the client and a remote server. During large file transfers, the control connection may remain idle. An ALG can prevent the control connection getting timed out by network devices before the lengthy file transfer completes.[3]
Deep packet inspection of all the packets handled by ALGs over a given network makes this functionality possible. An ALG understands the protocol used by the specific applications that it supports.
For instance, for
It is common for SIP ALG on some equipment to interfere with other technologies that try to solve the same problem, and various providers recommend turning it off.[4][5][6]
An ALG is very similar to a proxy server, as it sits between the client and real server, facilitating the exchange. There seems to be an industry convention that an ALG does its job without the application being configured to use it, by intercepting the messages. A proxy, on the other hand, usually needs to be configured in the client application. The client is then explicitly aware of the proxy and connects to it, rather than the real server.
Microsoft Windows
The Application Layer Gateway
Linux
The Linux kernel's Netfilter framework, which implements NAT in Linux, has features and modules for several NAT ALGs:
See also
References
- ^ RFC 2663, section 2.9 - ALG: official definition
- ^ "What is Application Gateway?". 26 June 2001.
- ^ The File Transfer Protocol (FTP) and Your Firewall / Network Address Translation (NAT) Router / Load-Balancing Router.
- ^ "Why is SIP ALG an Issue?".
- ^ "What is SIP ALG and should it be on or off?".
- ^ "SIP ALG and why it should be disabled on most routers | VoiceHost - UK VoIP Provider".