An application-level gateway (ALG), as the name suggests, operates at the application layer of the OSI model and actively inspects the contents of the packets that pass through it. Let's go into the details of how it works to understand this technology better.
Architecture and working principle
An application-level gateway is an intermediate system between the Internet and the application server that understands the relevant application protocol. To the outside world the gateway appears to be the application server itself, but in reality the gateway interprets each incoming request, reduces it to the application's own internal vocabulary, discards anything malicious or malformed, and then builds a brand-new request from scratch. That new request is what the gateway sends to the real application server, and the server's reply is processed in the same fashion on the way back.
An application-level gateway therefore intercepts incoming and outgoing packets, runs a proxy that copies and forwards the information across the gateway, and functions as a proxy server, so that no direct connection ever exists between a trusted server or client and an untrusted host.
The functions of an ALG include:
- Allowing client applications to use dynamic TCP/UDP ports to talk to the well-known ports of server applications, even though the firewall configuration permits only a limited set of known ports. Without an ALG, either those dynamic ports would be blocked or the network administrator would have to open a large range of ports in the firewall, exposing the network to attacks on every one of them. The ALG instead opens a pinhole only for the specific session it has seen negotiated.
- Converting the network-layer address information carried inside an application payload between the addresses acceptable to the hosts on either side of the firewall/NAT.
- Recognising application-specific commands and offering granular security controls over them.
- Synchronising the multiple streams or sessions (for example a control channel and its data channel) exchanged between two hosts.
- Deep packet inspection of all packets on a given network.
Two types of Proxies used by application-level gateways are:
- Application-specific Proxies
- Application-level Filtering
Application-specific proxies. An application-specific proxy accepts only packets generated by the service it was designed to copy, forward, and filter. The drawback is that if a network relies solely on an application-level gateway, incoming and outgoing packets cannot reach any service for which there is no proxy. For example, if the gateway runs only a Telnet proxy, only Telnet traffic can pass through the firewall; every other service is blocked.
Application-level filtering. An application-level gateway runs proxies that examine and filter individual packets. This is achieved by checking each packet that passes through the gateway and verifying its contents all the way up to the application layer of the OSI model. These proxies can filter particular commands or particular kinds of information in the application protocols they are designed to copy, forward, and filter.
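The following Python program is an added example, not code from the page or from any particular gateway product, illustrating both the "rebuild the request from scratch" behaviour described in the architecture section and application-level filtering of individual commands. It takes a raw HTTP/1.1 request, parses it up to the application layer, applies a policy (method allowlist, origin-form path only, exactly one Host header, unambiguous message framing) and then serialises a fresh request for the backend from the parsed fields alone, so nothing the client sent reaches the server verbatim. The sample requests, the allowed-method set and the `app.internal` host name are constructed for the example.

```python
"""HTTP/1.1 application-level filtering proxy step (added example).

The gateway parses an inbound request up to the application layer,
applies a policy to the parsed form, and builds a brand-new request for
the backend rather than forwarding the client's bytes. Sample requests
below are constructed for this example.
"""
import re

ALLOWED_METHODS = {"GET", "HEAD", "POST"}          # assumed site policy
TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")  # RFC 9110 'token'
# Hop-by-hop headers describe the client<->gateway hop only and are never
# copied into the rebuilt request for the backend.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-connection", "te",
              "trailer", "transfer-encoding", "upgrade"}
MAX_LINE = 8192


class Rejected(Exception):
    """The request is malformed or violates the gateway policy."""


def parse_request(raw: bytes):
    """Return (method, target, headers, body) from a complete raw request.

    headers is a list of (lowercased-name, value) pairs in wire order.
    Anything that does not parse strictly is rejected rather than guessed at.
    """
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise Rejected("no end of headers")
    lines = head.split(b"\r\n")
    if len(lines[0]) > MAX_LINE:
        raise Rejected("request line too long")
    try:
        parts = lines[0].decode("ascii").split(" ")
    except UnicodeDecodeError:
        raise Rejected("non-ASCII request line") from None
    if len(parts) != 3 or not parts[0] or parts[2] != "HTTP/1.1":
        raise Rejected("malformed request line")
    method, target, _ = parts
    headers = []
    for line in lines[1:]:
        if len(line) > MAX_LINE or b"\r" in line or b"\n" in line or b"\x00" in line:
            raise Rejected("bad header line")
        name, colon, value = line.partition(b":")
        name = name.decode("latin-1")
        if not colon or not TOKEN.match(name):
            raise Rejected("malformed header name")
        headers.append((name.lower(), value.strip().decode("latin-1")))
    return method, target, headers, body


def enforce_policy(method, target, headers, body):
    """Reject anything outside the narrow subset this gateway is willing to relay."""
    if method not in ALLOWED_METHODS:
        raise Rejected(f"method {method} not allowed")
    if not target.startswith("/") or ".." in target.split("/"):
        raise Rejected("request target must be an origin-form path")
    names = [n for n, _ in headers]
    if names.count("host") != 1:
        raise Rejected("exactly one Host header required")
    # Transfer-Encoding vs Content-Length disagreement is the classic request
    # smuggling vector; this gateway simply refuses chunked requests.
    if "transfer-encoding" in names:
        raise Rejected("chunked requests are not relayed")
    lengths = [v for n, v in headers if n == "content-length"]
    if len(lengths) > 1:
        raise Rejected("duplicate Content-Length")
    if lengths:
        # The whole request is buffered here, so the declared length must
        # match the bytes actually received.
        if not lengths[0].isdigit() or int(lengths[0]) != len(body):
            raise Rejected("Content-Length does not match body")
    elif body:
        raise Rejected("body without Content-Length")


def rebuild_request(method, target, headers, body) -> bytes:
    """Serialise a fresh request from the parsed fields only."""
    lines = [f"{method} {target} HTTP/1.1"]
    lines += [f"{n.title()}: {v}" for n, v in headers if n not in HOP_BY_HOP]
    lines.append("Connection: close")  # one backend connection per relayed request
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


def filter_request(raw: bytes):
    """Return (rebuilt_request, "") or (None, reason) when the request is dropped."""
    try:
        method, target, headers, body = parse_request(raw)
        enforce_policy(method, target, headers, body)
        return rebuild_request(method, target, headers, body), ""
    except Rejected as e:
        return None, str(e)


# Constructed sample traffic for the example.
GOOD = (b"GET /index.html HTTP/1.1\r\nHost: app.internal\r\n"
        b"Connection: keep-alive\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n")
SMUGGLE = (b"POST /upload HTTP/1.1\r\nHost: app.internal\r\nContent-Length: 4\r\n"
           b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\nGET /admin HTTP/1.1\r\n\r\n")
TRACE = b"TRACE / HTTP/1.1\r\nHost: app.internal\r\n\r\n"

if __name__ == "__main__":
    for sample in (GOOD, SMUGGLE, TRACE):
        rebuilt, reason = filter_request(sample)
        print("FORWARD" if rebuilt else f"DROP ({reason})", rebuilt or b"")
```

Note that the forwarded request for `GOOD` contains only what the gateway itself serialised: the client's `Connection: keep-alive` is gone and the gateway's own `Connection: close` takes its place, which is exactly the "new request built from scratch" behaviour the architecture section describes.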
Fig. An application-level gateway runs a proxy for each application the firewall must support, ensuring that no direct contact occurs between a trusted client and an untrusted host. (Ref: www.Novell.com)
Translation between IPv4 and IPv6 nodes
Application-level gateways are also used as one of the translation technologies for connecting IPv4 and IPv6 hosts. A translator that rewrites only the IP headers is not enough for every protocol, so the gateway program hands the higher-level protocol to a specialised, application-specific process that also rewrites addresses carried inside the payload.
Take FTP as the example: the IP address and port number of the transport-layer data session are conveyed in the payload of the control session (the PORT/PASV commands on the IPv4 side, EPRT/EPSV on the IPv6 side). The translator therefore has to parse the payload format and apply an ALG that converts the embedded IP address and port number information, and a separate ALG of this kind is needed for every protocol that embeds addressing in its payload.
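The following Python program is an added example, not code from the page or from any particular translator implementation, covering the two functions listed earlier (opening a pinhole for a dynamically negotiated port, and rewriting addresses carried inside the payload) as well as the IPv4/IPv6 translation described here. It models one FTP control session between an IPv4 client and an IPv6 server: a client `PORT` command is rewritten to an `EPRT` the server can use, a server `229` (EPSV) reply is rewritten to a `227` (PASV) reply the client can use, and each rewrite records the data-connection pinhole the firewall must open. It also refuses a `PORT` whose address differs from the control connection's source (the FTP bounce attack). The port numbers, the `FtpAlg` class and all addresses (`192.0.2.x`, `2001:db8::x`, documentation ranges) are constructed for the example.

```python
"""FTP application-level gateway between an IPv4 client realm and an IPv6
server realm (added example).

Address and port information that FTP carries inside its control channel
(PORT/PASV on the IPv4 side, EPRT/EPSV on the IPv6 side) is parsed,
rewritten for the other realm, and turned into data-connection pinholes.
All addresses are constructed documentation addresses.
"""
import ipaddress
import re

PORT_RE = re.compile(r"^PORT (\d{1,3}(?:,\d{1,3}){5})$", re.IGNORECASE)
EPSV_REPLY_RE = re.compile(r"^229 .*\(\|\|\|(\d{1,5})\|\)")


def parse_port_arg(arg: str):
    """Decode h1,h2,h3,h4,p1,p2 into (IPv4Address, port)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= f <= 255 for f in fields):
        raise ValueError("malformed PORT argument")
    ip = ipaddress.IPv4Address(".".join(map(str, fields[:4])))
    return ip, fields[4] * 256 + fields[5]


def format_port_arg(ip: ipaddress.IPv4Address, port: int) -> str:
    """Encode (IPv4Address, port) as h1,h2,h3,h4,p1,p2."""
    return ",".join(str(ip).split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """One control session: IPv4 client <-> gateway <-> IPv6 server."""

    def __init__(self, client_v4, inside_v4, outside_v6, server_v6):
        self.client_v4 = ipaddress.IPv4Address(client_v4)    # control-connection source
        self.inside_v4 = ipaddress.IPv4Address(inside_v4)    # gateway address the client sees
        self.outside_v6 = ipaddress.IPv6Address(outside_v6)  # gateway address the server sees
        self.server_v6 = ipaddress.IPv6Address(server_v6)
        self.next_port = 40000  # assumed gateway port pool for relayed data channels
        self.pinholes = []      # (listen_addr, listen_port, dest_addr, dest_port)
        self.drops = []         # reasons for control-channel lines the gateway refused

    def _pinhole(self, listen_addr, dest_addr, dest_port) -> int:
        """Reserve a gateway port and record the relay the firewall must permit."""
        port, self.next_port = self.next_port, self.next_port + 1
        self.pinholes.append((listen_addr, port, dest_addr, dest_port))
        return port

    def client_to_server(self, line: str):
        """Rewrite a client command for the IPv6 side; None means the line was dropped."""
        m = PORT_RE.match(line)
        if m:
            try:
                client_ip, client_port = parse_port_arg(m.group(1))
            except ValueError as e:
                self.drops.append(str(e))
                return None
            # FTP bounce defence: only relay data to the host that owns the control session.
            if client_ip != self.client_v4:
                self.drops.append(f"PORT address {client_ip} does not match control connection")
                return None
            # The server will connect to the gateway's IPv6 address; the gateway
            # relays that data connection to the client's IPv4 address and port.
            alg_port = self._pinhole(self.outside_v6, client_ip, client_port)
            return f"EPRT |2|{self.outside_v6}|{alg_port}|"
        if line.upper() == "PASV":
            return "EPSV"  # an IPv6 server cannot answer PASV with a v4 address
        return line

    def server_to_client(self, line: str) -> str:
        """Rewrite a server reply for the IPv4 side."""
        m = EPSV_REPLY_RE.match(line)
        if m:
            # The client will connect to the gateway's IPv4 address; the gateway
            # relays that data connection to the server's IPv6 address and port.
            alg_port = self._pinhole(self.inside_v4, self.server_v6, int(m.group(1)))
            return f"227 Entering Passive Mode ({format_port_arg(self.inside_v4, alg_port)})"
        return line


if __name__ == "__main__":
    alg = FtpAlg("192.0.2.10", "192.0.2.1", "2001:db8::1", "2001:db8::2")
    print(alg.client_to_server("PORT 192,0,2,10,4,1"))
    print(alg.client_to_server("PORT 203,0,113,9,4,1"), alg.drops)
    print(alg.client_to_server("PASV"))
    print(alg.server_to_client("229 Entering Extended Passive Mode (|||50000|)"))
    print(alg.pinholes)
```

The `pinholes` list is the real output of the gateway: each entry is a listening socket the gateway must open and the single destination it may relay to, which is what lets the packet filter stay closed to every other dynamic port. A NAT-only ALG between two IPv4 realms is the same mechanism with `format_port_arg` used on both sides instead of the EPRT/EPSV forms.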
Limitations of application-level gateways
An application-level gateway has drawbacks that limit its usefulness:
- Latency, because of the time it takes to inspect and rebuild each packet or request at the application layer.
- Many applications were not designed with a proxying gateway in mind (the examples given are email and web), and every protocol the gateway is to support needs its own proxy written for it.
- Throughput and routing complexity, since every supported protocol is terminated at the gateway rather than simply forwarded.
- Protocols that embed IP addresses and ports in their payload cannot pass the gateway at all without a protocol-specific ALG that parses and rewrites them, and such an ALG cannot do its job when the payload is encrypted or integrity-protected end to end.