
ALG Technology White Paper



Key words: ALG, NAT, ASPF, session

Abstract: ALG works together with other technologies such as NAT and ASPF to inspect and process application layer protocol packets. This technology white paper describes the working mechanism and typical applications of ALG.

Acronyms:

Acronym   Full spelling
ALG       Application Level Gateway
ASPF      Application Specific Packet Filter
DNS       Domain Name System
FTP       File Transfer Protocol
ILS       Internet Locator Service
LDAP      Lightweight Directory Access Protocol
NAT       Network Address Translation
NBT       NetBIOS (network basic input/output system) over TCP/IP
RTSP      Real-Time Streaming Protocol
SIP       Session Initiation Protocol

Hangzhou H3C Technologies Co., Ltd.

www.h3c.com

1/12


Table of Contents
1 Overview ........ 3
  1.1 Background ........ 3
  1.2 Benefits ........ 3
2 ALG Implementation ........ 4
  2.1 Concepts ........ 4
  2.2 ALG Mechanism ........ 4
    2.2.1 Payload Address Translation ........ 4
    2.2.2 Dynamic Channel Detection ........ 8
    2.2.3 Stateful Application Layer Inspection ........ 10
  2.3 Restrictions ........ 12
3 Application Scenario ........ 12
  3.1.1 ALG for FTP Network Application ........ 12


1 Overview
1.1 Background
Many application layer protocols, such as FTP and SQLNET, and multimedia protocols, such as H.323 and SIP, use multiple channels for data transmission. Over a control channel, such a protocol negotiates the addresses and port numbers for its data channels, and then establishes the data channels based on the negotiated results.

In NAT scenarios, NAT identifies and translates only the IP addresses in the network layer packet headers, not the address information carried in the packet payload. When NAT works together with ALG, the device can analyze the contents of multichannel application layer protocol packets and translate the addresses in them, so that the application layer communication is carried out correctly.

Traditional packet filtering firewalls have a similar problem. A packet filtering firewall denies or permits a packet based on its source address, destination address, source port, and destination port. Although the firewall can permit or deny a specific application layer service by static matching on IP header fields, it does not understand the context of the service. Furthermore, because the data channels of multichannel application layer protocols are negotiated dynamically, the firewall cannot know the IP addresses and port numbers of the data channels in advance and therefore cannot apply a sound security policy to them. ASPF employing ALG solves this problem by detecting the dynamic channels of multichannel application layer protocols.

To sum up, ALG working together with NAT and ASPF solves the multichannel problems of application layer protocols and helps network devices implement integrated network security solutions.

1.2 Benefits
ALG working together with NAT and ASPF provides application-based access control for communications between the internal network and the external network, and has the following merits:


- ALG parses application layer protocol packets once, so NAT and ASPF do not each have to parse them again; this improves the packet forwarding rate.
- ALG delivers stateful filtering based on the application layer protocol. ALG watches the ports used by each session of each application, opens a channel for the session's data to pass through the firewall, and closes the channel when the session ends. ALG thus achieves effective access control for applications that use ephemeral ports.
- ALG supports multiple application layer protocols, including DNS, FTP, H.323 (RAS, H.225, and H.245), HTTP, ICMP, ILS, MSN, QQ, NBT, RTSP, SIP, SQLNET, and TFTP.

2 ALG Implementation
2.1 Concepts
Session: Records the information carried in packets, including the source IP address, source port, destination IP address, destination port, protocol type, and the VPN instance to which the source or destination IP address belongs. Packets that have the same session information belong to the same traffic flow. Usually, a session corresponds to a forward flow and a reverse flow, while a flow corresponds to a session in one direction.

Dynamic channel: The address information carried in a packet of an application layer protocol can be used to establish a dynamic channel; subsequent connections that match the address information transmit data through the dynamic channel.

2.2 ALG Mechanism


ALG can work together with NAT to offer payload address translation, and work together with ASPF to offer dynamic channel detection and stateful application layer inspection. The following parts describe the above-mentioned ALG implementations.

2.2.1 Payload Address Translation


For a multichannel application layer protocol, the address information is carried in the IP packet payload. In a NAT network application, to ensure that subsequent packets set up the dynamic channels correctly, ALG must translate this address information. This is called payload address translation. The following ALG applications for FTP, DNS, and ICMP show the procedure of payload address translation in detail.

1. ALG application for FTP


[Figure 1 layout] Host (192.168.0.10) on the private network - NAT device (192.168.0.10 <-> 50.10.10.10) - IP network - FTP server (2.2.2.2) on the public network.
Message sequence in the figure:
- A control connection is established between Host and the FTP server. Host sends a PORT packet (PORT 192.168.0.10, 1024).
- ALG process: the PORT packet payload is translated (PORT 50.10.10.10, 5000).
- The FTP server initiates a connection to Host (2.2.2.2:20 -> 50.10.10.10:5000).
- ALG process: the connection is mapped back to Host (2.2.2.2:20 -> 192.168.0.10:1024).
- Data is transmitted over the established connection.

Figure 1 ALG processes the FTP packet payload

As shown in Figure 1, the host on the private network wants to access the FTP server on the public network. The NAT device is configured with a mapping between private address 192.168.0.10 and public address 50.10.10.10, which lets the host reach the public network. If ALG does not process the packet payload, the FTP server receives the private address in the payload of the PORT packet sent by the host, an address it cannot reach, so it cannot establish the data connection with the host. With ALG, the FTP connection is established as follows:


(1) The host establishes a control connection to the FTP server after completing a three-way handshake.

(2) The host sends a PORT packet to the FTP server over the control connection. The PORT packet specifies the destination address and port number that the server must use to establish a data connection to the host.

(3) When the PORT packet arrives at the NAT device enabled with ALG, the device translates the private address and port number in the payload into the corresponding public address and port number. That is, the NAT device translates private address 192.168.0.10 and port 1024 in the payload into public address 50.10.10.10 and port 5000.

(4) After receiving the PORT packet, the FTP server uses destination address 50.10.10.10 and port 5000 to initiate the data connection to the host. Because the destination address is a public address, the connection reaches the NAT device, which translates the destination back to 192.168.0.10 and port 1024 (see Figure 1). The data connection is therefore established successfully, and the private host can access the public FTP server.
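The PORT rewrite of steps (2) to (4), as an added worked example in Python (not H3C's code). It assumes the static mapping of Figure 1 and takes the public data port (5000 in the figure) as an input, because the paper does not say how the NAT device allocates it. It also shows one thing the paper leaves implicit: the translated argument is longer than the original, so the device must shift the TCP sequence numbers of later client segments (and the acknowledgement numbers of server segments) by the accumulated difference, or the control connection breaks.

```python
import re
from ipaddress import IPv4Address

# Values from Figure 1. The public data port is whatever the NAT device
# allocated; the paper does not say how it is chosen, so it is an input here.
PRIVATE_IP, PUBLIC_IP, PUBLIC_DATA_PORT = "192.168.0.10", "50.10.10.10", 5000

_PORT_LINE = re.compile(rb"^PORT (\d{1,3}(?:,\d{1,3}){5})\r\n$", re.I)


def parse_port_argument(arg: str) -> tuple:
    """Decode the RFC 959 'h1,h2,h3,h4,p1,p2' form into (ip, port)."""
    fields = [int(x) for x in arg.split(",")]
    if len(fields) != 6 or any(not 0 <= x <= 255 for x in fields):
        raise ValueError("malformed PORT argument: %r" % arg)
    return str(IPv4Address(bytes(fields[:4]))), (fields[4] << 8) | fields[5]


def format_port_argument(ip: str, port: int) -> str:
    """Inverse of parse_port_argument."""
    octets = ",".join(str(b) for b in IPv4Address(ip).packed)
    return "%s,%d,%d" % (octets, port >> 8, port & 0xFF)


def translate_port_command(line: bytes, session_src: str, public_ip: str, public_port: int) -> tuple:
    """ALG step (3): rewrite the address carried in a PORT payload.

    Returns (new_line, seq_delta, channel). channel is the private (ip, port)
    that the server's data connection must be mapped back to, or None if the
    line was left alone. seq_delta is the change in TCP payload length: the
    NAT device adds it to later client sequence numbers and subtracts it from
    server acknowledgement numbers, because '192,168,0,10,4,0' and
    '50,10,10,10,19,136' differ in length.

    Only a PORT naming the session's own private source address is rewritten.
    That refusal to open a channel toward a third host is an added check; the
    paper does not say what the device does with such a PORT.
    """
    m = _PORT_LINE.match(line)
    if not m:
        return line, 0, None                      # not a PORT command: pass through
    ip, port = parse_port_argument(m.group(1).decode("ascii"))
    if ip != session_src:
        return line, 0, None                      # not this session's address: leave it
    new_line = b"PORT " + format_port_argument(public_ip, public_port).encode("ascii") + b"\r\n"
    return new_line, len(new_line) - len(line), (ip, port)


def adjust_seq(seq: int, delta: int) -> int:
    """Apply an accumulated payload-length delta to a 32-bit sequence number."""
    return (seq + delta) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed control-channel line from the host in Figure 1.
    line = b"PORT 192,168,0,10,4,0\r\n"
    new, delta, chan = translate_port_command(line, PRIVATE_IP, PUBLIC_IP, PUBLIC_DATA_PORT)
    print(new, delta, chan)   # b'PORT 50,10,10,10,19,136\r\n' 2 ('192.168.0.10', 1024)
```

The returned channel tuple is what the NAT device needs to install the reverse mapping 50.10.10.10:5000 -> 192.168.0.10:1024 before the server's SYN arrives; the sequence delta must be carried for the lifetime of the control connection, since every later PORT command adds to it.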

2. ALG application for DNS


[Figure 2 layout] WWW server (192.168.0.10) and Host on the private network - NAT device (192.168.0.10 <-> 50.10.10.10) - IP network - DNS server (www.abc.com <-> 50.10.10.10) on the public network.
Message sequence in the figure:
- DNS QUERY (Host -> DNS server): What is the IP address of www.abc.com?
- DNS ANSWER (DNS server -> NAT device): The IP address of www.abc.com is 50.10.10.10.
- ALG process: the answer is rewritten.
- DNS ANSWER (NAT device -> Host): The IP address of www.abc.com is 192.168.0.10.

Figure 2 ALG processing the DNS packet payload

As shown in Figure 2, a host wants to use the domain name to access a WWW server on the same private network through a public DNS server. The DNS entry for the WWW server contains domain name www.abc.com and public address 50.10.10.10.


(1) The host initiates a DNS query to the DNS server.

(2) The DNS server finds the matching entry and sends the result (the IP address of www.abc.com is 50.10.10.10) in a DNS response packet (DNS answer) to the public address of the host.

(3) When the DNS response arrives at the NAT device enabled with ALG, the public address in the packet payload is mapped to the private address of the WWW server. That is, the NAT device replaces IP address 50.10.10.10 in the DNS packet payload with 192.168.0.10 and then forwards the DNS response packet to the private host.

(4) Using the private IP address contained in the response, the host accesses the WWW server directly on the private network, even though it resolved the name through the public DNS server.
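The answer rewrite of step (3), as an added Python example (not H3C's code). The DNS message is constructed inline; the parser walks the question section and then every resource record, following RFC 1035 name compression, and rewrites the rdata of A records whose address appears in the NAT mapping. It assumes DNS over UDP (DNS over TCP carries a two-byte length prefix that this code does not strip).

```python
import struct
from ipaddress import IPv4Address


def build_dns_response(name: str, public_ip: str, txid: int = 0x1234) -> bytes:
    """Constructed UDP DNS answer like the one in Figure 2: one question and one
    A record whose owner name is a compression pointer (0xC00C) to the question."""
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.split(".")) + b"\x00"
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1, RD=1, RA=1
    question = qname + struct.pack("!HH", 1, 1)                 # type A, class IN
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + IPv4Address(public_ip).packed
    return header + question + answer


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + length


def translate_dns_answers(msg: bytes, mapping: dict) -> tuple:
    """ALG step (3): rewrite A-record data in a DNS response.

    Every RR in the answer, authority and additional sections whose rdata is an
    address found in `mapping` (public -> private) is rewritten in place. The
    rdata length of an A record is always 4, so the message length is unchanged
    and only the UDP checksum (not shown) needs recomputing. Returns (new_msg, count).
    """
    out = bytearray(msg)
    _, flags, qdcount, ancount, nscount, arcount = struct.unpack_from("!HHHHHH", msg, 0)
    if not flags & 0x8000:              # QR bit clear: a query, nothing to rewrite
        return bytes(out), 0
    off = 12
    for _ in range(qdcount):            # skip the question section (name + type + class)
        off = _skip_name(msg, off) + 4
    count = 0
    for _ in range(ancount + nscount + arcount):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addr = str(IPv4Address(bytes(msg[off:off + 4])))
            if addr in mapping:
                out[off:off + 4] = IPv4Address(mapping[addr]).packed
                count += 1
        off += rdlen
    return bytes(out), count


if __name__ == "__main__":
    resp = build_dns_response("www.abc.com", "50.10.10.10")
    new, n = translate_dns_answers(resp, {"50.10.10.10": "192.168.0.10"})
    print(n, new[-4:])   # 1 b'\xc0\xa8\x00\n'
```

The mapping passed in is the same address table NAT already holds, so no per-name configuration is needed; the ALG only touches responses that are heading back into the private network, which is why the QR bit is checked first.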

3. ALG application for ICMP error packets


[Figure 3 layout] FTP server (192.168.0.10) on the private network - NAT device (192.168.0.10 <-> 50.10.10.10) - IP network - Host (2.2.2.2) on the public network.
Message sequence in the figure:
- Host initiates an FTP connection to 50.10.10.10; the NAT device translates the destination address of the request to 192.168.0.10.
- Port 21 of the FTP server is not open, so the server sends an ICMP "port unreachable" error packet; the quoted packet in its payload carries 192.168.0.10 as the destination IP address.
- ALG process: the destination address in the ICMP packet payload becomes 50.10.10.10.

Figure 3 ALG processes the ICMP error packet payload

As shown in Figure 3, the host on the public network wants to access the FTP server on the private network. The public address of the FTP server is 50.10.10.10. If port 21 of the FTP server is not open, the server sends an ICMP error packet to the host upon receiving the request. The IP address in the ICMP error packet payload (the quoted header of the packet that triggered the error) is the private IP address. If the ICMP error packet were sent to the public network without being processed by ALG, the host on the public network could not match the error to the connection that triggered it, because the quoted destination address 192.168.0.10 belongs to no connection the host opened. In addition, an unprocessed error packet reveals the private address of the FTP server to the public network. Therefore, when the ICMP error packet arrives at the NAT device, ALG translates private address 192.168.0.10 in the payload back to public address 50.10.10.10 according to the FTP address translation record, and then sends the ICMP packet to the public network. The host on the public network can thus correctly identify the failed connection, and the private address is not leaked.
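The ICMP fix-up of Figure 3, as an added Python example (not H3C's code). The "port unreachable" message is constructed as the private FTP server would emit it after NAT translated the destination of the inbound SYN; the ALG step rewrites the destination address in the quoted IP header and recomputes both the quoted header's checksum and the ICMP checksum, since a stale checksum would make the receiving host discard the message. It assumes a 1:1 address mapping as in the figure; with port translation the quoted TCP ports would need rewriting as well.

```python
import struct
from ipaddress import IPv4Address


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum (returns 0 when run over a correct packet)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header with a valid checksum (constructed helper)."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]


def build_port_unreachable(bad_src: str, bad_dst: str, sport: int, dport: int) -> bytes:
    """Constructed ICMP type 3 code 3 as the FTP server in Figure 3 would send it
    after NAT: it quotes the IP header and first 8 bytes of the SYN it rejected."""
    quoted = build_ipv4_header(bad_src, bad_dst, 6, 40) + struct.pack("!HHI", sport, dport, 0x1000)
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
    return icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]


# destination unreachable, source quench, redirect, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def translate_icmp_error_payload(icmp: bytes, private_ip: str, public_ip: str) -> bytes:
    """ALG translation of Figure 3: the destination address inside the quoted IP
    header (the private server address) is replaced by the public address, and
    both the quoted header's checksum and the ICMP checksum are recomputed.
    The quoted TCP ports are left alone because the paper's mapping is 1:1 on
    addresses only; with port translation they would need rewriting too."""
    if icmp[0] not in ICMP_ERROR_TYPES or len(icmp) < 8 + 20:
        return icmp                                  # informational ICMP or truncated
    ihl = (icmp[8] & 0x0F) * 4
    quoted = bytearray(icmp[8:8 + ihl])
    if bytes(quoted[16:20]) != IPv4Address(private_ip).packed:
        return icmp                                  # not about this mapping: leave untouched
    quoted[16:20] = IPv4Address(public_ip).packed
    quoted[10:12] = b"\x00\x00"
    quoted[10:12] = struct.pack("!H", inet_checksum(bytes(quoted)))
    out = bytearray(icmp)
    out[8:8 + ihl] = quoted
    out[2:4] = b"\x00\x00"
    out[2:4] = struct.pack("!H", inet_checksum(bytes(out)))
    return bytes(out)


if __name__ == "__main__":
    pkt = build_port_unreachable("2.2.2.2", "192.168.0.10", 40000, 21)
    fixed = translate_icmp_error_payload(pkt, "192.168.0.10", "50.10.10.10")
    print(fixed[8 + 16:8 + 20], inet_checksum(fixed))   # b'2\n\n\n' 0
```

The outer IP header of the ICMP message (source 192.168.0.10) is translated by ordinary NAT; only the quoted inner header needs the ALG. Verifying `inet_checksum()` over the finished message returns 0 is the same check the receiving host performs.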

2.2.2 Dynamic Channel Detection


A multichannel protocol dynamically negotiates addresses and port numbers for its data channels. In an ASPF networking environment, ALG works together with ASPF to determine which packets can pass by recording the dynamic channel addresses and ports. The following parts introduce the mechanism of dynamic channel detection in typical networking environments.

1. A private host accesses a public server


[Figure 4 layout] Host on the private network - firewall - Internet - FTP server on the public network.
Message sequence in the figure:
- Host establishes a connection to the FTP server and sends PORT (IP, Port).
- ALG process: records IP and Port.
- PORT (IP, Port) is forwarded to the FTP server.
- From the public side, packets whose destination address and port are IP and Port can pass; packets with other destination addresses and ports are denied.

Figure 4 ALG allows packets on dynamic channels to pass through the firewall

As shown in Figure 4, the host on the private network wants to access the FTP server on the public network. Generally, if ASPF is enabled on the firewall, the firewall discards packets initiated from the public network to protect the private network. When dynamically negotiating a channel, the host sends a PORT packet to the FTP server. When the PORT packet arrives at the firewall, ALG records the IP address and port number in the packet (IP, Port) and regards them as the dynamic channel information for the FTP connection. Then ASPF compares packets actively sent from the public network with the dynamic channel information and allows only matching packets to pass through the firewall. Without ALG, the firewall would block the data connection initiated by the FTP server, and the FTP server could not establish dynamic FTP channels to the host. The preceding example shows that with both ASPF and ALG enabled, the firewall allows private hosts to access a public server while denying traffic that does not match the recorded dynamic channel information.
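The decision logic of Figure 4, as an added model in Python (not H3C's code). It keeps the session table from section 2.1 (without the VPN instance), lets the FTP ALG add a pinhole when it sees a PORT command on an outbound control session, and lets ASPF admit an inbound packet only if it is reply traffic for a known session or matches a pinhole. Two points go beyond the paper, which only requires the destination address and port to match: the pinhole is also matched on the source address being the FTP server the PORT was sent to, and a PORT naming an address other than the client's own is ignored. On a device that also does NAT, the pinhole would be keyed on the public address after payload translation.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One direction of a session, as the Concepts section defines it (VPN instance omitted)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


def parse_port_payload(payload: bytes):
    """(ip, port) from 'PORT h1,h2,h3,h4,p1,p2', or None if this is not a well-formed PORT."""
    if not payload.upper().startswith(b"PORT "):
        return None
    try:
        f = [int(x) for x in payload[5:].strip().split(b",")]
    except ValueError:
        return None
    if len(f) != 6 or any(not 0 <= x <= 255 for x in f):
        return None
    return ".".join(str(x) for x in f[:4]), (f[4] << 8) | f[5]


class AspfWithAlg:
    """Constructed model of Figure 4: session table plus ALG-learned dynamic channels."""

    def __init__(self):
        self.sessions = set()      # forward flows seen from the private side
        self.pinholes = {}         # (server_ip, client_ip, client_port) -> control Flow

    def outbound(self, flow: Flow, payload: bytes = b"") -> None:
        """Private -> public packet: always forwarded; the FTP ALG inspects its payload."""
        self.sessions.add(flow)
        if flow.dport == 21:
            chan = parse_port_payload(payload)
            if chan and chan[0] == flow.src:      # only channels back to the sender (added check)
                self.pinholes[(flow.dst, chan[0], chan[1])] = flow

    def inbound(self, flow: Flow) -> bool:
        """Public -> private packet: pass only replies or a match on a dynamic channel."""
        if flow.reverse() in self.sessions:
            return True                              # reply traffic of a known session
        key = (flow.src, flow.dst, flow.dport)
        if key in self.pinholes:
            del self.pinholes[key]                   # one data connection per PORT
            self.sessions.add(flow.reverse())        # the data session now exists
            return True
        return False                                 # unknown traffic is dropped

    def close(self, flow: Flow) -> None:
        """Control session ends: drop it and any channel it negotiated but never used."""
        self.sessions.discard(flow)
        for key in [k for k, parent in self.pinholes.items() if parent == flow]:
            del self.pinholes[key]


if __name__ == "__main__":
    fw = AspfWithAlg()
    ctrl = Flow("192.168.0.10", 40001, "2.2.2.2", 21)
    fw.outbound(ctrl, b"PORT 192,168,0,10,4,0\r\n")
    print(fw.inbound(Flow("2.2.2.2", 20, "192.168.0.10", 1024)))   # True
    print(fw.inbound(Flow("2.2.2.2", 20, "192.168.0.10", 1025)))   # False
```

The pinhole is consumed by the first matching connection and the resulting data session is then tracked like any other, so an attacker who learns the negotiated port cannot reuse it once the server has connected; closing the control session removes any pinhole that was never used.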

2. End-to-end access between the private network and the public network
ALG processes QQ and MSN protocol packets in a slightly different way from processing FTP packets. After a private QQ or MSN client goes online, it may establish multiple connections to public hosts and public hosts may also initiate connections to the client. ALG can handle such connections.

Figure 5 ALG allows connections initiated from the public network

As shown in Figure 5, the QQ client on Host A sends an online request to the QQ server on the public network. ALG analyzes the request and establishes a dynamic channel according to the client address information. After Host A goes online, the QQ packets sent from Host B to Host A can pass the firewall through the established dynamic channel. Other packets sent from Host B, and any other unknown traffic, are discarded by the firewall. Thus, ALG protects the private network while keeping the applications working normally.

2.2.3 Stateful Application Layer Inspection


In ASPF networking environments, ALG can track and inspect the application layer state. Each application usually follows a fixed packet exchange procedure; an exchange that deviates from that procedure may indicate an attack. ALG analyzes and records the state information of application layer packets, records the session context, predicts the packets that should come next, and discards packets that do not meet the expected criteria. This is how ALG tracks the application layer state.

1. FTP state inspection


[Figure 6 layout] FTP server on the private network - firewall - Internet - Host on the public network.
Message sequence in the figure:
- Host initiates a connection request to the FTP server.
- The USER command packet can pass.
- The FTP server requires Host to enter the password.
- A PASV command packet is discarded. A PORT command packet is discarded.
- The PASS command packet can pass.
- Other packets are discarded.

Figure 6 Mechanism of FTP state inspection

As shown in Figure 6, after a TCP connection is established between the public host and the private FTP server, the FTP server waits for the USER command that the host sends for user authentication. The USER command packet can pass the firewall. When the FTP server receives the USER command packet, the server requires the user to enter the password. Then the host sends the PASS command packet to the server. If the host sends a PORT or PASV command packet, or some other type of packet, instead, the packet is discarded.

2. SIP application layer inspection

Figure 7 Mechanism of SIP state inspection

As shown in Figure 7, User agent 1 on the private network communicates with User agent 2 on the public network. After User agent 1 sends out an INVITE request, the responses to that request (for example, the 180 Ringing response) can pass the firewall. Other types of packets, for example REGISTER and OPTIONS requests, are discarded because they are not normal responses within the session.
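The FTP and SIP state machines of Figures 6 and 7, as one added Python example (not H3C's code). The FTP inspector passes a client command only in the state that expects it, so PORT and PASV before the login completes are dropped; the handling of 230 and 530 server replies is an assumption about how the server side of the exchange is tracked. The SIP inspector correlates inbound responses with the outbound INVITE by Call-ID and admits in-dialog requests such as BYE only after a final 2xx response; both are assumptions beyond the paper's "response packet to this request".

```python
import re


class FtpLoginInspector:
    """Figure 6: the login dialogue on one FTP control connection.

    States: connected -> user_sent -> pass_sent -> logged_in. A client command
    passes only if the current state expects it. The 230/530 reply handling is
    an added assumption; the paper only shows USER followed by PASS.
    """
    ALLOWED = {
        "connected": {b"USER", b"QUIT"},
        "user_sent": {b"PASS", b"QUIT"},
        "pass_sent": {b"QUIT"},
        "logged_in": {b"USER", b"PORT", b"PASV", b"TYPE", b"LIST", b"RETR", b"STOR", b"QUIT"},
    }

    def __init__(self):
        self.state = "connected"

    def client_command(self, line: bytes) -> bool:
        """True if the command may pass; advances the state on USER and PASS."""
        cmd = line.split(b" ", 1)[0].strip().upper()
        if cmd not in self.ALLOWED[self.state]:
            return False
        if cmd == b"USER":
            self.state = "user_sent"
        elif cmd == b"PASS":
            self.state = "pass_sent"
        return True

    def server_reply(self, line: bytes) -> None:
        """Server replies drive the remaining transitions (assumed, see lead-in)."""
        code = line[:3]
        if code == b"230":            # "User logged in"
            self.state = "logged_in"
        elif code == b"530":          # "Not logged in": start the login over
            self.state = "connected"


class SipInviteInspector:
    """Figure 7: responses to an INVITE sent from the private side may enter;
    unsolicited inbound requests (REGISTER, OPTIONS, ...) are dropped."""
    _CALL_ID = re.compile(rb"^(?:Call-ID|i):[ \t]*(\S+)", re.I | re.M)

    def __init__(self):
        self.pending = set()     # Call-IDs of INVITEs awaiting a final response
        self.dialogs = set()     # Call-IDs of established calls

    @classmethod
    def call_id(cls, msg: bytes):
        m = cls._CALL_ID.search(msg)
        return m.group(1) if m else None

    def outbound(self, msg: bytes) -> None:
        if msg.startswith(b"INVITE "):
            cid = self.call_id(msg)
            if cid:
                self.pending.add(cid)

    def inbound(self, msg: bytes) -> bool:
        cid = self.call_id(msg)
        if cid is None:
            return False
        if msg.startswith(b"SIP/2.0 "):              # a response
            if cid not in self.pending:
                return False
            code = int(msg[8:11])
            if code >= 200:                          # final response ends the transaction
                self.pending.discard(cid)
                if code < 300:
                    self.dialogs.add(cid)            # call established: allow BYE etc.
            return True
        return cid in self.dialogs                   # requests only inside an established call
```

Both inspectors decide per message and keep only a few bytes of state per session, which is what makes this kind of tracking affordable on a forwarding device; the cost is that anything the table does not anticipate (a pipelined PASS sent before the 331 reply, a retransmitted 200 OK after the dialog moved on) is dropped, so the transition table has to follow the protocol closely.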


2.3 Restrictions
ALG is a security feature that needs to work together with NAT or ASPF to deliver an integrated firewall security solution. ALG must parse each application layer protocol separately, so supporting a new application layer protocol requires extending ALG.

3 Application Scenario
3.1.1 ALG for FTP Network Application

Figure 8 ALG for FTP network diagram

As shown in Figure 8, a firewall with NAT, ASPF, and ALG enabled connects to the Internet. The FTP server on the private network offers FTP services. NAT working together with ALG allows corporate users to access the Internet and allows hosts on the public network to access the FTP server. ASPF working together with ALG discards unknown network traffic from the public network and thus protects the private network.

Copyright 2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice.
