Application level gateway is also known as

Ralph Bonnell, in Configuring Juniper Networks NetScreen & SSG Firewalls, 2007

Understanding Application Layer Gateways

Application Layer Gateways are algorithms within ScreenOS that handle the dynamic firewall policies that certain protocols, such as FTP, require. Many such protocols were designed without security or other access controls in mind, which can cause problems when firewalls are introduced. For example, FTP uses multiple sessions to facilitate file transfers: a primary command channel, and secondary data channels for directory listings and file transfers. Often, these data channels flow in the direction opposite that of the original command channel. Since these data channels could connect on any port, it is almost impossible to create a static firewall policy that would permit them and still provide adequate protection.

The FTP ALG automatically solves this problem by monitoring the FTP command channel, looking for FTP port commands that specify which source and destination ports are being requested, and dynamically opening up that specific combination of source IP/port and destination IP/port in a firewall policy (called a gate) that permits the session to flow. Once the session is complete, the gate is immediately closed.

The FTP ALG also handles the special case where the FTP session flows through a NAT interface. In this circumstance, the endpoints don't always realize their addresses are being translated midstream. The FTP port commands use whatever IP the endpoint hosts' interfaces are configured for, which, in the case of a host behind a NAT firewall, will typically be unreachable from the Internet. The ALG handles this at the application layer by modifying the ASCII port command in situ, replacing the inside IP with the IP of the NAT interface. Since port commands are passed as ASCII text, including the IP address, the chances are high that the number of characters representing the inside IP and the external IP won't match exactly (for example, an inside address of 192.168.1.5 contains 11 characters, which may be translated to something like 123.123.123.123 at 15 characters, or to something like 1.2.3.4, which contains only 7). The firewall cannot inject these extra bytes of data without also modifying the TCP checksum and the TCP sequence numbers. It achieves this by essentially proxying the connection at the TCP layer. This is similar to the SYN proxy feature used by the TCP flood SCREEN setting. NetScreen ALGs are different from many competitors' products.
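The following is an added illustration of the three ALG steps described above (parsing the PORT command, deriving the gate, and rewriting the inside IP while tracking the byte-count change the TCP proxy must absorb); it is example code written for this page, not ScreenOS code or anything from the book. The NAT interface address, server address and PORT line are constructed sample values.

```python
import re

# PORT h1,h2,h3,h4,p1,p2 : four dotted-quad octets, then the port as high,low byte.
PORT_RE = re.compile(
    r"^PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\r?\n?$"
)


def parse_port_command(line):
    """Return (ip, port) from an FTP PORT command, or None if it is malformed."""
    m = PORT_RE.match(line)
    if not m:
        return None
    h1, h2, h3, h4, p1, p2 = (int(x) for x in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        return None
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def build_port_command(ip, port):
    """Encode ip/port back into the ASCII PORT form the ALG writes in situ."""
    o = ip.split(".")
    return f"PORT {o[0]},{o[1]},{o[2]},{o[3]},{port // 256},{port % 256}\r\n"


def alg_rewrite(line, nat_ip, server_ip, seq_delta):
    """Model of the FTP ALG seeing a client PORT command on the command channel.

    Returns (rewritten_line, gate, new_seq_delta):
      - rewritten_line: the PORT command with the inside IP replaced by nat_ip
      - gate: (src_ip, src_port, dst_ip, dst_port) the firewall must permit for
        the server's active-mode data connection (server data port 20)
      - new_seq_delta: running byte-count difference the TCP proxy must apply
        to later sequence/ack numbers because the rewrite changed the length
    """
    parsed = parse_port_command(line)
    if parsed is None:
        return line, None, seq_delta          # not a PORT command: pass through
    _inside_ip, port = parsed
    new_line = build_port_command(nat_ip, port)
    gate = (server_ip, 20, nat_ip, port)      # opened now, closed when session ends
    return new_line, gate, seq_delta + (len(new_line) - len(line))


if __name__ == "__main__":
    # Constructed sample: inside host 192.168.1.5 behind NAT address 203.0.113.10
    out, gate, delta = alg_rewrite("PORT 192,168,1,5,4,1\r\n", "203.0.113.10", "198.51.100.7", 0)
    print(out.strip(), gate, delta)
```

The delta is positive here because the NAT address is one character longer than the inside address; the proxy must add it to every subsequent client sequence number and subtract it from server acknowledgements on that connection.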