ALG and Proxy Firewalls - Enterasys Security Router X-Pedition(TM) User Manual

Enterasys Security Router User's Guide

and port numbers. These firewalls are scalable, easy to implement, and widely deployed for simple
network-layer filtering, but they suffer from the following disadvantages:
- They do not maintain state for an individual session, nor track a session-establishment protocol
  (for example, the TCP handshake).
- Ports are typically either always open or always blocked.
- They do not examine application data.
- They do not work well with applications that open secondary data channels using port
  information embedded in the protocol itself, the so-called "difficult protocols" such as FTP and
  H.323 (video conferencing).
- They cannot detect protocol-level problems and attacks.
- They are less secure than stateful-inspection or proxy firewalls.

ALG and Proxy Firewalls

ALG (Application Level Gateway) or proxy firewalls filter traffic at the top of the stack, the
Application layer (Layer 5 of the TCP/IP model, Layer 7 of the OSI model). They:
- Act as an agent (proxy) between the IP client and server in each transaction. A proxy server
  often runs on a dedicated, hardened operating system with limited functionality, offering less
  of a chance of being compromised.
- Filter bad packets and bad content to protect internal hosts that cannot protect themselves
  against these attacks:
  - Bad packets (too long or too short)
  - Unrecognized commands (a possible attack)
  - Legal but undesirable commands or operations (as set by policy)
  - Objectionable content (content and URL filtering)
- Terminate incoming and outgoing connections (FTP, gopher, Telnet, and so on) at the proxy
  firewall first, rather than passing them through to the destination host.
- Create two connections: one from the client to the firewall, the other from the firewall to the
  actual server. The proxy generates a completely new packet for the actual server, based on its
  own "read" of the data in the incoming packet and a correct implementation of the application's
  protocol. When the server replies, the proxy firewall again interprets the reply and regenerates
  a new packet to send to the client. The client's raw bytes never reach the server, and the
  server's raw bytes never reach the client.
- Build another layer of protection between interior hosts and the external world, forcing an
  attacker to first break into the proxy server in order to launch an attack on internal hosts.
The above advantages of an application or proxy firewall are offset by the following
weaknesses:
- Higher overhead - because it is usually implemented at the Application layer, additional
  processing is needed to transfer packets between the kernel and the proxy application.
- Poor scalability to new protocols - a protocol-specific proxy must be written for each
  application, so support for a new protocol, or a new feature of an existing protocol, often lags
  by months or years.
- Non-transparency - users may discover that the proxy bars an application they need, forcing
  them to find alternatives (or to tunnel around the firewall).
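The following example, added here for illustration and not part of the XSR guide or Enterasys code, models the behaviour described above for an FTP-style command channel: the proxy terminates the client connection, parses each command line, rejects lines that are too long or too short, unrecognized, or legal but denied by policy, and regenerates a fresh command for the second (proxy-to-server) connection rather than copying the client's bytes. It also validates the address embedded in the PORT command, which is how an ALG handles the "difficult protocol" secondary data channel that a packet filter cannot inspect. The command set, the policy table, the client address, and the fake server are all constructed for the demo.

```python
"""Minimal application-level gateway (ALG) for an FTP-style command channel.

Added illustration, not Enterasys/XSR code. The verb list, policy table and
the fake server below are constructed for the demo (assumptions, not spec).
"""
import re
from typing import Callable

MAX_LINE = 512   # RFC 959: a command line is at most 512 bytes incl. CRLF
MIN_LINE = 5     # shortest well-formed command: "PWD\r\n"

# Verbs this ALG understands (constructed subset of RFC 959 commands).
KNOWN_COMMANDS = {"USER", "PASS", "CWD", "PWD", "LIST", "RETR", "STOR",
                  "TYPE", "PASV", "PORT", "QUIT", "NOOP", "DELE", "SITE"}
# Legal FTP verbs that local (hypothetical) policy forbids.
DENIED_BY_POLICY = {"STOR", "DELE", "SITE"}

# One verb, optional single-space argument of printable ASCII, then CRLF.
COMMAND_RE = re.compile(rb"\A([A-Za-z]{3,4})(?: ([ -~]+))?\r\n\Z")
PORT_ARG_RE = re.compile(rb"\A(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\Z")
REPLY_RE = re.compile(rb"\A(\d{3}) ([ -~]*)\r\n\Z")


def inspect_command(raw: bytes, client_ip: str):
    """Classify one client line: ("forward", regenerated) or ("reject", reason)."""
    if len(raw) < MIN_LINE or len(raw) > MAX_LINE:
        return "reject", "bad length"
    m = COMMAND_RE.match(raw)
    if m is None:
        return "reject", "malformed command line"
    verb = m.group(1).upper().decode("ascii")
    arg = m.group(2)
    if verb not in KNOWN_COMMANDS:
        return "reject", f"unrecognized command {verb}"
    if verb in DENIED_BY_POLICY:
        return "reject", f"{verb} denied by policy"
    if verb == "PORT":
        # Secondary data channel: the address embedded in the protocol must
        # belong to the client being proxied (blocks the FTP bounce trick).
        pm = PORT_ARG_RE.match(arg or b"")
        if pm is None:
            return "reject", "malformed PORT argument"
        octets = [int(x) for x in pm.groups()]
        if any(o > 255 for o in octets):
            return "reject", "PORT value out of range"
        if ".".join(map(str, octets[:4])) != client_ip:
            return "reject", "PORT address does not match client"
        if octets[4] * 256 + octets[5] < 1024:
            return "reject", "PORT targets a privileged port"
    # Regenerate the line (canonical verb, one space, CRLF) instead of
    # forwarding the client's original bytes.
    line = verb.encode("ascii")
    if arg:
        line += b" " + arg
    return "forward", line + b"\r\n"


def regenerate_reply(raw: bytes) -> bytes:
    """Rebuild a server reply; anything that is not a single-line, 3-digit
    reply is replaced so the client never sees raw server output."""
    m = REPLY_RE.match(raw)
    if m is None or len(raw) > MAX_LINE:
        return b"421 Service not available, proxy rejected server reply\r\n"
    return m.group(1) + b" " + m.group(2) + b"\r\n"


def proxy_session(client_lines, server: Callable[[bytes], bytes], client_ip: str):
    """Run one ALG session across the two logical connections.

    Returns (replies_sent_to_client, lines_the_server_actually_received).
    """
    to_client, seen_by_server = [], []
    for raw in client_lines:
        verdict, detail = inspect_command(raw, client_ip)
        if verdict == "reject":
            # Answered by the proxy itself; the inside host never sees it.
            to_client.append(b"500 " + detail.encode("ascii") + b"\r\n")
            continue
        seen_by_server.append(detail)
        to_client.append(regenerate_reply(server(detail)))
    return to_client, seen_by_server


def fake_ftp_server(line: bytes) -> bytes:
    """Constructed stand-in for the real server on the inside connection."""
    verb = line.split(b" ", 1)[0]
    if verb == b"USER":
        return b"331 Password required\r\n"
    if verb == b"PORT":
        return b"200 PORT command successful\r\n"
    if verb == b"RETR":
        # Deliberately sloppy multi-line reply that the proxy must normalize.
        return b"150 opening\r\njunk\r\n"
    return b"200 OK\r\n"


if __name__ == "__main__":
    client = [                               # constructed client input
        b"user alice\r\n",                   # lowercase verb: regenerated as USER
        b"PORT 10,0,0,5,4,1\r\n",            # 10.0.0.5:1025 matches the client
        b"PORT 10,0,0,99,4,1\r\n",           # bounce attempt: wrong address
        b"DELE secret.txt\r\n",              # legal verb, denied by policy
        b"XPWN\r\n",                         # unrecognized command
        b"RETR file\r\n",                    # server answers with junk
        b"A" * 600 + b"\r\n",                # too long
    ]
    replies, seen = proxy_session(client, fake_ftp_server, "10.0.0.5")
    for r in replies:
        print(r.decode().rstrip())
    print("server saw:", seen)
```

Running the demo shows the point of the two-connection design: of seven client lines, only three reach the inside server, each rebuilt by the proxy, and the server's malformed reply to RETR is replaced with a clean 421 before it reaches the client. A real ALG would also have to track PASV replies and open the data channel on the client's behalf, which is exactly the per-protocol work that makes proxy firewalls slow to support new protocols.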
Firewall Feature Set Overview
XSR User's Guide 16-11