Tuesday, April 15, 2008

ALGs - Firewall/NAT Traversal Control, Port Map and TR-069 support

Firewall/NAT Traversal Control:
Application Layer Gateway (ALG) modules in firewall and NAT devices interpret the application protocol's payload, rewrite the IP addresses (and ports) embedded in it according to the NAT configuration, and open pinholes in the firewall so that the secondary connections the protocol negotiates are allowed through. For example, an FTP ALG is expected to interpret the 'PORT' and 'EPRT' commands and the '227' PASV reply, translate the embedded addresses where required, and open pinholes for the resulting FTP data connections. Many protocols need this kind of ALG function for firewall and NAT traversal, among them SIP, H.323, MGCP, some gaming protocols, NetBIOS, SUNRPC, MSRPC, L2TP, PPTP and IPsec VPN (IKE).
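The FTP case above, worked through as an added example (this is illustrative code written for this page, not a firewall's implementation): the ALG parses the address-bearing control messages, rewrites the inside address to the NAT's outside address when the sender is behind the NAT, records the translation it will need for the data connection, and opens the pinhole. The address map, the port allocator and the `Pinhole` record are assumptions made for the example; EPRT/EPSV (RFC 2428) are left out for brevity.

```python
import re
from dataclasses import dataclass

# FTP control messages that carry an address:port the ALG must act on.
# "PORT h1,h2,h3,h4,p1,p2" (client, active mode) and
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" (server, passive mode).
# EPRT / EPSV (RFC 2428) carry the same information in another syntax and
# are omitted here.
_PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)", re.IGNORECASE)
_PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def _decode(groups):
    """h1,h2,h3,h4,p1,p2 -> ('h1.h2.h3.h4', p1*256+p2), rejecting bad octets."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if not all(0 <= x <= 255 for x in (h1, h2, h3, h4, p1, p2)):
        raise ValueError("octet out of range")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def _encode(ip, port):
    """Inverse of _decode: ('a.b.c.d', port) -> 'a,b,c,d,p1,p2'."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class Pinhole:
    """A hole the firewall must open: allow a new TCP flow to dst_ip:dst_port."""
    proto: str
    dst_ip: str
    dst_port: int


class FtpAlg:
    def __init__(self, inside_to_outside, first_port=40000):
        self.nat = dict(inside_to_outside)   # inside (private) IP -> outside (public) IP
        self.next_port = first_port          # hypothetical outside-port allocator
        self.translations = {}               # (outside ip, port) -> (inside ip, port)
        self.pinholes = []

    def _allocate(self, inside_ip, inside_port):
        """Reserve an outside port for the announced inside address:port."""
        outside_ip = self.nat[inside_ip]
        outside_port = self.next_port
        self.next_port += 1
        self.translations[(outside_ip, outside_port)] = (inside_ip, inside_port)
        return outside_ip, outside_port

    def process(self, payload, sender_ip):
        """Inspect one control-channel message sent by sender_ip.

        Returns (payload_to_forward, length_delta). A non-zero delta means the
        ALG must also adjust TCP sequence/acknowledgement numbers for the rest
        of the control session, because the rewritten payload is a different size.
        """
        m = _PORT_RE.match(payload) or _PASV_RE.match(payload)
        if m is None:
            return payload, 0                # not address-bearing; pass through
        ip, port = _decode(m.groups())
        # A PORT command or 227 reply may only announce the address of the host
        # that sent it. Honouring arbitrary addresses would let a client open
        # pinholes towards third parties (the FTP bounce pattern, RFC 2577 s.3).
        if ip != sender_ip:
            raise ValueError(f"embedded address {ip} does not match sender {sender_ip}")
        if ip in self.nat:
            # Sender is behind our NAT: rewrite to the outside address and open a
            # pinhole for the peer's inbound data connection.
            new_ip, new_port = self._allocate(ip, port)
            self.pinholes.append(Pinhole("tcp", new_ip, new_port))
            rewritten = payload[:m.start(1)] + _encode(new_ip, new_port) + payload[m.end(6):]
            return rewritten, len(rewritten) - len(payload)
        # Sender is outside the NAT: nothing to translate, only permit the
        # outbound data connection our inside host is about to make.
        self.pinholes.append(Pinhole("tcp", ip, port))
        return payload, 0
```

Two details matter in practice: the sender check, without which an ALG becomes a tool for opening pinholes to hosts the client never owned, and the length delta, since a rewrite from a short private address to a longer public one changes the TCP stream and the ALG must fix up sequence numbers or the session breaks.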

Newer versions of these protocols are designed so that they traverse firewall/NAT devices even when those devices have no ALG support. For example, SIP has extensions (such as the 'rport' parameter and symmetric response routing) that remove the need for an ALG between a SIP UA and its proxy. The IPsec working group added NAT-Traversal (NAT-T) extensions to IKE and IPsec, UDP-encapsulating ESP so that no ALG function is needed in the firewall and NAT devices between IPsec peers. These extensions introduced a new problem, however: some of them do not work well with firewall/NAT devices that already implement an ALG for the protocol, because the ALG rewrites traffic that the end points are now handling themselves. Firewall/NAT devices therefore need to give administrators control over the ALG function for each protocol. The minimum control is a boolean, i.e. enable/disable. An ideal control would also take the end point IP addresses into account, since in practice some end points support the new NAT-T extensions and some do not. For this discussion I take the simpler configuration: ALG function enable/disable per protocol.


ALG port map:

At times, companies run server applications on non-standard ports. Although 5060 is the standard SIP port, SIP servers are sometimes run on other ports. In these cases the ALG in the firewall protecting these SIP servers must know about those ports in order to operate. The port map record functionality of firewall/NAT devices lets administrators supply this information. For example, if a SIP server listens on UDP port 15060, the administrator creates a port map record for UDP port 15060 and maps it to the SIP ALG. (Port 5061 is not a good example here: it is registered for SIP over TLS, and an ALG cannot inspect or rewrite encrypted signalling.)

Both of the above features and their configuration require a defined set of ALG names. I propose the following names for the ALGs:

"ftp", "tftp", "oracleDbNet", "sunRpc", "msRpc", "udpDns", "tcpDns", "netbios", "udpSip", "tcpSip", "h323", "h323GateKeeper", "rtsp", "udpNet2Phone", "tcpNet2Phone", "mgcpCallAgent", "mgcpGW", "msnIM", "microsoftILS", "aolIM", "irc", "pptp", "l2tp", "ikev1", "mszone", "quake", "udpMicrosoftGames", "tcpMicrosoftGames".

TR-069 representation of the above configuration:

  • InternetGatewayDevice.security.VirtualInstance.{i}.ALGTraversalControl.{i} P : Fixed table with one entry per ALG. New entries can't be added by the ACS; the ACS can only change the 'featureControl' parameter.
    • name : String(32), Read Only - Name of the ALG. Takes one of the values listed above.
    • featureControl: Boolean, RW - 1 (Enable) or 0 (Disable). Default value is 1.
  • InternetGatewayDevice.security.VirtualInstance.{i}.ALGPortMap.{i} PC
    • name: String(32), RW - Name of the port map record. Once the record is created, it can't be changed.
    • description: String(128), RW - Description of the record. Optional parameter.
    • algName: String(32), RW, Mandatory parameter - Name of the ALG function. Must be one of the values listed above.
    • mappingProtocol: String(4), RW, Mandatory parameter - Transport protocol. Either "tcp" or "udp".
    • mappingPort: String(8), RW, Mandatory parameter - Port number (1 to 65535). A given protocol/port pair should map to at most one ALG.
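The per-protocol enable/disable control, the port map records and their TR-069 layout, pulled together as one added example (written for this page, not a CPE vendor's code): a configuration object holding the fixed ALGTraversalControl table and the administrator-created ALGPortMap records, a `select_alg` lookup that a firewall's connection setup path would call for each new flow, and a flattening into TR-069 parameter paths. The default control ports table, the validation rules beyond those stated above, and the method names are assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass

# ALG names as proposed in the post.
ALG_NAMES = frozenset({
    "ftp", "tftp", "oracleDbNet", "sunRpc", "msRpc", "udpDns", "tcpDns", "netbios",
    "udpSip", "tcpSip", "h323", "h323GateKeeper", "rtsp", "udpNet2Phone",
    "tcpNet2Phone", "mgcpCallAgent", "mgcpGW", "msnIM", "microsoftILS", "aolIM",
    "irc", "pptp", "l2tp", "ikev1", "mszone", "quake", "udpMicrosoftGames",
    "tcpMicrosoftGames",
})

# Well-known control ports for some of the ALGs, consulted only when no port map
# record claims the port. Assumed for this example; the post lists no defaults.
DEFAULT_PORTS = {
    ("tcp", 21): "ftp", ("udp", 69): "tftp",
    ("udp", 53): "udpDns", ("tcp", 53): "tcpDns",
    ("udp", 5060): "udpSip", ("tcp", 5060): "tcpSip",
    ("tcp", 1720): "h323", ("tcp", 554): "rtsp",
    ("tcp", 1723): "pptp", ("udp", 1701): "l2tp", ("udp", 500): "ikev1",
}


@dataclass
class AlgPortMap:
    """One ALGPortMap.{i} record, validated on creation."""
    name: str
    algName: str
    mappingProtocol: str
    mappingPort: int
    description: str = ""

    def __post_init__(self):
        if not self.name or len(self.name) > 32:
            raise ValueError("name must be 1..32 characters")
        if self.algName not in ALG_NAMES:
            raise ValueError(f"unknown ALG {self.algName!r}")
        if self.mappingProtocol not in ("tcp", "udp"):
            raise ValueError("mappingProtocol must be 'tcp' or 'udp'")
        if not 1 <= self.mappingPort <= 65535:
            raise ValueError("mappingPort out of range")


class AlgConfig:
    def __init__(self, virtual_instance=1):
        self.instance = virtual_instance
        # ALGTraversalControl: fixed table, one row per ALG, all enabled by default.
        self.feature_control = {name: True for name in sorted(ALG_NAMES)}
        self.port_maps: list[AlgPortMap] = []

    def set_feature_control(self, alg_name, enabled):
        if alg_name not in self.feature_control:
            raise KeyError(alg_name)            # rows cannot be added, only toggled
        self.feature_control[alg_name] = bool(enabled)

    def add_port_map(self, record):
        """Add an ALGPortMap record; names and protocol/port pairs must be unique."""
        key = (record.mappingProtocol, record.mappingPort)
        for existing in self.port_maps:
            if existing.name == record.name:
                raise ValueError(f"duplicate port map name {record.name!r}")
            if (existing.mappingProtocol, existing.mappingPort) == key:
                raise ValueError(f"{key} already mapped to {existing.algName}")
        self.port_maps.append(record)

    def select_alg(self, proto, dst_port):
        """ALG to run for a new flow, or None to pass the flow through untouched.

        Port map records take precedence over the default port table, and a
        disabled ALG is never selected even if a record points at it.
        """
        alg = next((r.algName for r in self.port_maps
                    if (r.mappingProtocol, r.mappingPort) == (proto, dst_port)), None)
        if alg is None:
            alg = DEFAULT_PORTS.get((proto, dst_port))
        if alg is None or not self.feature_control[alg]:
            return None
        return alg

    def tr069_parameters(self):
        """Flatten the configuration into TR-069 parameter paths as laid out above."""
        base = f"InternetGatewayDevice.security.VirtualInstance.{self.instance}"
        params = {}
        for i, name in enumerate(sorted(ALG_NAMES), 1):
            row = f"{base}.ALGTraversalControl.{i}."
            params[row + "name"] = name
            params[row + "featureControl"] = "1" if self.feature_control[name] else "0"
        for i, rec in enumerate(self.port_maps, 1):
            row = f"{base}.ALGPortMap.{i}."
            params[row + "name"] = rec.name
            params[row + "description"] = rec.description
            params[row + "algName"] = rec.algName
            params[row + "mappingProtocol"] = rec.mappingProtocol
            params[row + "mappingPort"] = str(rec.mappingPort)
        return params
```

The order of checks in `select_alg` is the point worth keeping: the port map decides which ALG a port belongs to, but featureControl decides whether that ALG runs at all, so disabling "udpSip" silences it on both 5060 and any mapped port. An ACS that writes ALGPortMap records through SetParameterValues should expect the CPE to reject an unknown algName, a protocol other than tcp/udp, or an out-of-range port, exactly as the dataclass does here.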
