Application-level gateway explained

An application-level gateway (ALG, also known as application-layer gateway, application gateway, application proxy, or application-level proxy) is a security component that augments a firewall or NAT employed in a mobile network.[1] [2] It allows customized NAT traversal filters to be plugged into the gateway to support address and port translation for certain application layer "control/data" protocols such as FTP, BitTorrent, SIP, RTSP, file transfer in IM applications. In order for these protocols to work through NAT or a firewall, either the application has to know about an address/port number combination that allows incoming packets, or the NAT has to monitor the control traffic and open up port mappings (firewall pinholes) dynamically as required. Legitimate application data can thus be passed through the security checks of the firewall or NAT that would have otherwise restricted the traffic for not meeting its limited filter criteria.

Functions

An ALG may offer the following functions:

Deep packet inspection of all the packets handled by ALGs over a given network makes this functionality possible. An ALG understands the protocol used by the specific applications that it supports.

For instance, for Session Initiation Protocol (SIP) Back-to-Back User agent (B2BUA), an ALG can allow firewall traversal with SIP. If the firewall has its SIP traffic terminated on an ALG then the responsibility for permitting SIP sessions passes to the ALG instead of the firewall. An ALG can solve another major SIP headache: NAT traversal. Basically a NAT with a built-in ALG can rewrite information within the SIP messages and can hold address bindings until the session terminates. A SIP ALG will also handle SDP in the body of SIP messages (which is used ubiquitously in VoIP to set up media endpoints), since SDP also contains literal IP addresses and ports that must be translated.

It is common for SIP ALG on some equipment to interfere with other technologies that try to solve the same problem, and various providers recommend turning it off.[4] [5] [6]

An ALG is very similar to a proxy server, as it sits between the client and real server, facilitating the exchange. There seems to be an industry convention that an ALG does its job without the application being configured to use it, by intercepting the messages. A proxy, on the other hand, usually needs to be configured in the client application. The client is then explicitly aware of the proxy and connects to it, rather than the real server.

Microsoft Windows

The Application Layer Gateway service in Microsoft Windows provides support for third-party plugins that allow network protocols to pass through the Windows Firewall and work behind it and Internet Connection Sharing. ALG plugins can open ports and change data that is embedded in packets, such as ports and IP addresses. Windows Server 2003 also includes an ALG FTP plugin. The ALG FTP plugin is designed to support active FTP sessions through the NAT engine in Windows. To do this, the ALG FTP plugin redirects all traffic that passes through the NAT and that is destined for port 21 (FTP control port) to a private listening port in the 3000–5000 range on the Microsoft loopback adapter. The ALG FTP plugin then monitors/updates traffic on the FTP control channel so that the FTP plugin can plumb port mappings through the NAT for the FTP data channels.

Linux

The Linux kernel's Netfilter framework, which implements NAT in Linux, has features and modules for several NAT ALGs:

See also

External links

Notes and References

  1. RFC 2663, section 2.9 - ALG: official definition
  2. Web site: What is Application Gateway?. 26 June 2001.
  3. The File Transfer Protocol (FTP) and Your Firewall / Network Address Translation (NAT) Router / Load-Balancing Router.
  4. Web site: Why is SIP ALG an Issue?.
  5. Web site: What is SIP ALG and should it be on or off? .
  6. Web site: SIP ALG and why it should be disabled on most routers | VoiceHost - UK VoIP Provider.