Wednesday, October 20, 2010

ALG - Application Level Gateway

An Application Layer Gateway (ALG) is a software component designed to manage specific protocols such as the Session Initiation Protocol (SIP) or the File Transfer Protocol (FTP).
The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the ALG.

An application-level gateway, as the name suggests, operates at the application layer of the OSI model and actively inspects the contents of the packets that pass through it. Let's go into the details of how it functions to understand this technology better.

The application-level gateway acts as a proxy for applications, performing all data exchanges with the remote system on their behalf. This can render a computer behind the firewall all but invisible to the remote system.

It can allow or disallow traffic according to very specific rules, for instance permitting some commands to a server but not others, limiting file access to certain types, varying rules according to authenticated users and so forth. This type of firewall may also perform very detailed logging of traffic and monitoring of events on the host system, and can often be instructed to sound alarms or notify an operator under defined conditions.

Application-level gateways are generally regarded as the most secure type of firewall. They certainly have the most sophisticated capabilities.

A disadvantage is that setup may be very complex, requiring detailed attention to the individual applications that use the gateway.

An application-level gateway acts as an intermediate system between the Internet and the application server, and it understands the relevant application protocol. To the outside world the gateway appears to be the application server itself, but in reality it interprets each incoming request, reduces it to the application server's own internal lexicon, and builds a new request from scratch, discarding any malicious or malformed content so that it never gets through. The gateway then sends the new request to the actual application server and processes the server's reply in the same fashion.

An application-level gateway intercepts the incoming and outgoing packets, runs a proxy to copy and forward information across the gateway, and functions as a proxy server, thereby preventing any direct connection between a trusted server or client and an untrusted host.

The functions of an ALG can be summarized as:

  • Allow client applications to use dynamic TCP/UDP ports to communicate with the known ports used by the server applications, even though a firewall configuration may allow only a limited number of known ports. In the absence of an ALG, either the ports would get blocked or the network administrator would need to explicitly open up a large number of ports in the firewall, rendering the network vulnerable to attacks on those ports.
  • Convert the network-layer address information found inside an application payload between the addresses acceptable to the hosts on either side of the firewall/NAT.
  • Recognize application-specific commands and offer granular security controls over them.
  • Synchronize multiple streams/sessions of data between two hosts exchanging data.
  • Perform deep packet inspection of all the packets on a given network.
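
The first two functions above (dynamic data ports, and rewriting addresses carried inside the application payload) are exactly what a NAT device's FTP helper does for active-mode FTP, where the client names its own address and port in a PORT command that the server then connects back to. The following Python sketch is an added example written for this page, not code from the original post or from any firewall product: it parses PORT on the control channel, rewrites it to a public address the outside server can actually reach, records a single-use pinhole for the server's connect-back, and drops PORT commands that are malformed or whose embedded address does not match the real sender. The class names, the 40000-40999 port range and all addresses are constructed.

```python
import re
from dataclasses import dataclass, field

# FTP PORT command (RFC 959): "PORT h1,h2,h3,h4,p1,p2", where h1-h4 are the
# client's IPv4 octets and the data port is p1 * 256 + p2.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r\n$",
    re.IGNORECASE)


@dataclass
class Pinhole:
    """One expected inbound data connection: public_port on the NAT device
    maps to inside_ip:inside_port, and only server_ip may connect to it."""
    public_port: int
    inside_ip: str
    inside_port: int
    server_ip: str


@dataclass
class FtpPortAlg:
    public_ip: str                       # the NAT device's outside address (constructed)
    port_range: tuple = (40000, 40999)   # dynamic range the ALG hands out (constructed)
    next_port: int = 40000
    pinholes: dict = field(default_factory=dict)  # public_port -> Pinhole

    def _allocate_port(self):
        lo, hi = self.port_range
        for _ in range(hi - lo + 1):
            port = self.next_port
            self.next_port = lo if port >= hi else port + 1
            if port not in self.pinholes:
                return port
        raise RuntimeError("dynamic port range exhausted")

    def process_client_line(self, line, inside_ip, server_ip):
        """Inspect one control-channel line sent by the inside client.
        Returns (verdict, line_to_forward, pinhole): non-PORT lines pass
        untouched, a valid PORT line is rewritten to the public address
        and a pinhole is opened, and anything malformed is dropped."""
        m = PORT_RE.match(line)
        if m is None:
            if line[:4].upper() == "PORT":
                return ("drop", None, None)   # a PORT that does not parse is never forwarded
            return ("pass", line, None)
        nums = [int(v) for v in m.groups()]
        if any(v > 255 for v in nums):
            return ("drop", None, None)       # octets and port bytes must be 0..255
        client_ip = ".".join(str(v) for v in nums[:4])
        client_port = nums[4] * 256 + nums[5]
        # The address inside the payload must be the real sender's: a PORT
        # naming a different inside host would let one client open a hole
        # towards another, so the gateway refuses it.
        if client_ip != inside_ip or client_port == 0:
            return ("drop", None, None)
        public_port = self._allocate_port()
        hole = Pinhole(public_port, inside_ip, client_port, server_ip)
        self.pinholes[public_port] = hole
        rewritten = "PORT %s,%d,%d\r\n" % (
            self.public_ip.replace(".", ","), public_port // 256, public_port % 256)
        return ("rewrite", rewritten, hole)

    def admit_inbound(self, src_ip, dst_port):
        """Decide whether an inbound SYN to public_ip:dst_port is the data
        connection a pinhole is waiting for. Returns the inside (ip, port)
        to forward to, or None to drop it. A pinhole is single-use."""
        hole = self.pinholes.get(dst_port)
        if hole is None or hole.server_ip != src_ip:
            return None
        del self.pinholes[dst_port]
        return (hole.inside_ip, hole.inside_port)


if __name__ == "__main__":
    # Constructed session: inside client 10.0.0.5 behind NAT 203.0.113.7
    # talking to FTP server 198.51.100.9 (documentation address ranges).
    alg = FtpPortAlg(public_ip="203.0.113.7")
    for line in ["USER alice\r\n", "PORT 10,0,0,5,4,1\r\n", "LIST\r\n"]:
        print(alg.process_client_line(line, "10.0.0.5", "198.51.100.9"))
    print(alg.admit_inbound("198.51.100.9", 40000))   # ('10.0.0.5', 1025)
```

Two design points matter for a defender. The pinhole is bound to the server address seen on the control connection and is consumed by the first matching SYN, so the hole the ALG punches is as narrow and as short-lived as the transfer needs; and the gateway validates the address the client embeds before trusting it, because a payload-carried address is untrusted input like any other.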

  Two types of proxies are used by application-level gateways:

  • Application-specific proxies
  • Application-level filtering

    Application-specific proxies. Application-specific proxies accept only packets that are generated by the services they are designed to copy, forward, and filter. The drawback is that if a network relies only on an application-level gateway, incoming and outgoing packets cannot reach services for which there is no proxy. For example, if an application-level gateway runs only a Telnet proxy, only packets generated by that service can pass through the firewall; all other services are blocked.

    Application-level filtering. An application-level gateway runs proxies that examine and filter individual packets. This is achieved by checking each packet that passes through the gateway, verifying the contents of the packet up through the application layer of the OSI model. These proxies can filter particular kinds of commands or information in the application protocols they are designed to copy, forward, and filter.
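
Application-level filtering of the kind described on this page (permitting some commands to a server but not others, limiting file access to certain types, varying the rules by authenticated user, and logging or alerting on defined conditions) can be shown on the same FTP control channel. The following is an added example, not code from the original post or from any gateway product: the usernames, the per-user policies and the reply texts are constructed, and the only protocol facts it relies on are that FTP commands are one verb per line and that a 230 reply from the server confirms a login.

```python
import logging
import posixpath
from dataclasses import dataclass

log = logging.getLogger("ftp-alg")

# Verbs any session may send before the server has confirmed a login.
PRE_AUTH = frozenset({"USER", "PASS", "QUIT", "FEAT", "AUTH"})


@dataclass(frozen=True)
class Policy:
    commands: frozenset       # verbs this user may send after login
    file_suffixes: frozenset  # suffixes allowed for RETR/STOR; empty = any
    alert_on: frozenset       # denied verbs that also notify an operator


# Constructed per-user policies (the usernames and rules are hypothetical).
POLICIES = {
    "anonymous": Policy(
        commands=frozenset({"CWD", "PWD", "LIST", "NLST", "TYPE", "PORT", "PASV", "RETR", "QUIT"}),
        file_suffixes=frozenset({".txt", ".pdf"}),
        alert_on=frozenset({"STOR", "DELE", "SITE"})),
    "alice": Policy(
        commands=frozenset({"CWD", "PWD", "LIST", "NLST", "TYPE", "PORT", "PASV",
                            "RETR", "STOR", "DELE", "MKD", "QUIT"}),
        file_suffixes=frozenset(),
        alert_on=frozenset({"SITE"})),
}
# Users with no policy entry may only leave.
DENY_ALL = Policy(commands=frozenset({"QUIT"}), file_suffixes=frozenset(), alert_on=frozenset())


class FtpCommandFilter:
    """Tracks one control connection and decides, command by command,
    what may reach the real server."""

    def __init__(self, policies=POLICIES):
        self.policies = policies
        self.user = None
        self.authenticated = False
        self.alerts = []   # (user, verb, argument) tuples an operator is notified about

    def client_command(self, line):
        """Returns ("allow", line) to forward the command unchanged, or
        ("deny", reply) where reply is the response the proxy sends back
        itself; in the deny case the real server never sees the command."""
        verb, _, arg = line.rstrip("\r\n").partition(" ")
        verb = verb.upper()
        if not self.authenticated:
            if verb == "USER":
                self.user = arg.strip()
            if verb in PRE_AUTH:
                return ("allow", line)
            return ("deny", "530 Please login with USER and PASS.\r\n")
        policy = self.policies.get(self.user, DENY_ALL)
        if verb not in policy.commands:
            log.warning("user=%s denied %s %s", self.user, verb, arg)
            if verb in policy.alert_on:
                self.alerts.append((self.user, verb, arg))
            return ("deny", "550 Command not permitted by gateway policy.\r\n")
        if verb in ("RETR", "STOR") and policy.file_suffixes:
            suffix = posixpath.splitext(arg.strip())[1].lower()
            if suffix not in policy.file_suffixes:
                log.warning("user=%s denied %s of %s (file type)", self.user, verb, arg)
                return ("deny", "550 File type not permitted by gateway policy.\r\n")
        log.info("user=%s allowed %s", self.user, verb)
        return ("allow", line)

    def server_reply(self, line):
        """Replies flow through the proxy too; a 230 confirms the login
        claimed by the last USER command, so the per-user policy applies."""
        if line.startswith("230") and self.user is not None:
            self.authenticated = True
        return line


if __name__ == "__main__":
    # Constructed session for an anonymous login.
    f = FtpCommandFilter()
    for c in ["USER anonymous\r\n", "PASS guest@\r\n"]:
        print(f.client_command(c))
    f.server_reply("230 Login successful.\r\n")
    for c in ["RETR readme.txt\r\n", "RETR backup.zip\r\n", "DELE readme.txt\r\n"]:
        print(f.client_command(c))
    print(f.alerts)
```

Because the proxy answers denied commands itself, the server behind it never has to parse them, which is the "reduce the request and rebuild it from scratch" behaviour described above in its simplest form. The user identity is taken only after the server's own 230 reply, not from the USER line alone, so the policy is keyed to an authentication the server actually accepted.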