Tuesday, 4 March 2014

JUNOS : New Features - ALG Overview

An Application Layer Gateway (ALG) is a software component that is designed to manage specific protocols such as Session Initiation Protocol (SIP) or FTP on Juniper Networks devices running JUNOS Software. The ALG module is responsible for application-layer-aware packet processing.
ALG functionality can be triggered either by a service or application configured in the security policy:
  • A service is an object that identifies an application protocol using Layer 4 information (such as standard and accepted TCP and UDP port numbers) for an application service (such as Telnet, FTP, SMTP, and HTTP).
  • An application specifies the Layer 7 application that maps to a Layer 4 service.
A predefined service already has a mapping to a Layer 7 application. However, for custom services, you must link the service to an application explicitly, especially if you want the policy to apply an ALG.
ALGs for packets destined to well-known ports are triggered by service type. The ALG intercepts and analyzes the specified traffic, allocates resources, and defines dynamic policies to permit the traffic to pass securely through the device:
  1. When a packet arrives at the device, the flow module forwards the packet according to the security rule set in the policy.
  2. If a policy is found to permit the packet, the associated service type or application type is assigned and a session is created for this type of traffic.
  3. If a session is found for the packet, no policy rule match is needed. The ALG module is triggered if that particular service or application type requires the supported ALG processing.
The ALG also inspects the packet for embedded IP address and port information in the packet payload, and performs Network Address Translation (NAT) processing if necessary. The ALG also opens a gate for the IP address and port number to permit data exchange for the session. The control session and data session can be coupled to have the same timeout value, or they can be independent.
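As an added example that is not part of the original post, the following configuration shows the explicit service-to-application link described above: a custom application for FTP control traffic on a non-standard port, bound to the FTP ALG with `application-protocol ftp`, and a policy that references it so the ALG can inspect the payload and open the data-channel gate. The application name, zone names, address-book entry and port 2121 are assumptions for illustration.

```junos
applications {
    /* Custom service: Layer 4 match plus explicit Layer 7 mapping. */
    application ftp-ctrl-2121 {
        application-protocol ftp;   /* without this line no ALG is applied */
        protocol tcp;
        destination-port 2121;
    }
}
security {
    policies {
        from-zone trust to-zone untrust {
            policy permit-ftp-2121 {
                match {
                    source-address any;
                    destination-address ftp-server;   /* assumed address-book entry */
                    application ftp-ctrl-2121;
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After committing, `show security alg status` confirms the FTP ALG is enabled, and the data sessions opened by the ALG appear alongside the control session in `show security flow session`.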
