Saturday, 17 November 2012

Security Policies - ALGs

Application Layer Gateways (ALGs) are modules that are application aware. Because they understand the application protocol, they can inspect its control channel and, based on what they find in the payload, permit dynamic (pinhole) access through the security policy, perform NAT on addresses and ports carried inside the messages, or set and enforce application-specific parameters. An ALG is triggered by an application configured in a security policy; the port number alone is not enough.



Global ALG Configuration
ALGs can be enabled and disabled globally. The command 'set security alg ftp disable', for example, disables the FTP ALG globally. Disabling an ALG globally disables every function of that ALG, even if the ALG is bound to an application under 'application-protocol' and that application is used in a security policy; the traffic then matches the policy as plain stateful traffic with no payload inspection, NAT fix-up or pinholing. The screenshot below outlines this command.

The command 'show security alg status' displays the global status of every ALG and confirms whether each one is enabled or disabled.

Other parameters can be configured globally under the respective ALG. See the cheat sheet below for configurable options for various ALGs.
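As an added example (not a screenshot or configuration from the original post), here is the global ALG workflow end to end: disable one ALG, set a global parameter on another, commit, and verify. Lines starting with '##' are commentary, not CLI input; the DNS values are assumptions chosen for illustration, and the status output is illustrative rather than captured from a device. Confirm each keyword with '?' completion, since option names differ between Junos releases.

```junos
## Added example, not from the original post. '##' lines are commentary, not CLI input.

## --- configuration mode ---
## Disable the RSH ALG globally. From now on the rsh return (stderr) connection
## is not pinholed, even where an application with 'application-protocol rsh'
## is used in a policy; only the TCP 514 control session itself can match.
set security alg rsh disable

## Keep DNS doctoring on with sanity checks and allow larger (EDNS-sized)
## replies than the 512-byte default. 4096 is an assumed value for this example.
set security alg dns doctoring sanity-check
set security alg dns maximum-message-length 4096

commit and-quit

## --- operational mode ---
## Global status of every ALG. Output is illustrative, not captured from a device.
show security alg status
## ALG Status :
##   DNS      : Enabled
##   FTP      : Enabled
##   ...
##   RSH      : Disabled
##   ...

## Gates (pinholes) currently opened by ALGs; useful to prove that a disabled
## ALG is no longer creating them.
show security flow gate

## --- configuration mode again ---
## Undo: remove the 'disable' statement; there is no separate 'enable' knob.
delete security alg rsh disable
```

The check worth keeping from this is 'show security flow gate': if an ALG you believe is disabled is still opening gates, the wrong ALG (or the wrong application binding) is in play.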



Enable ALG on an Application
In the previous post, Security Policies - Advanced Policy Options, custom and pre-defined applications were reviewed, along with the method for configuring their parameters. One of these parameters is 'application-protocol'. This statement is what connects an ALG to an application. Once it is set, the application can be used in a security policy and the ALG will process traffic matching that application; without it, traffic matching the application is handled as plain stateful traffic and the ALG never sees it. The screenshot below outlines this statement using the ftp application.

Multiple applications can have the same ALG defined under 'application-protocol'. This is very common with RPC applications, where each application identifies a different RPC program or UUID but all of them are handled by the same RPC ALG.
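An added example, not taken from the original post, showing how the 'application-protocol' statement binds the FTP ALG to a custom application and how that application is then used in a policy. The application names, port 2121, the zone names and the policy name are assumptions. For contrast it also defines an application with 'application-protocol ignore' (the keyword as I know it from Junos; confirm with '?' completion), which tells the firewall to treat the traffic as plain stateful TCP with no ALG.

```junos
## Added example, not from the original post. Names, ports and zones are assumptions.

## The predefined junos-ftp application already carries the ALG binding
## (operational mode; output is what the junos-defaults group contains):
show configuration groups junos-defaults applications application junos-ftp
## application junos-ftp {
##     protocol tcp;
##     destination-port 21;
##     application-protocol ftp;
## }

## --- configuration mode ---
## A custom application for an FTP server listening on TCP 2121.
## Without 'application-protocol ftp' the ALG would not inspect this traffic,
## so PASV/PORT data connections would have no pinhole and would be dropped.
set applications application ftp-2121 protocol tcp
set applications application ftp-2121 destination-port 2121
set applications application ftp-2121 application-protocol ftp

## The opposite case: deliberately pass a service through with no ALG,
## for example a non-FTP service that happens to listen on port 21.
set applications application plain-21 protocol tcp
set applications application plain-21 destination-port 21
set applications application plain-21 application-protocol ignore

## Use the ALG-bound application in a policy; the ALG is triggered by this match.
set security policies from-zone trust to-zone untrust policy ftp-out match source-address any
set security policies from-zone trust to-zone untrust policy ftp-out match destination-address any
set security policies from-zone trust to-zone untrust policy ftp-out match application ftp-2121
set security policies from-zone trust to-zone untrust policy ftp-out then permit
set security policies from-zone trust to-zone untrust policy ftp-out then log session-close

commit and-quit

## --- operational mode ---
## Sessions handled by the FTP ALG, and the data-channel gates it has opened
show security flow session application ftp
show security flow gate
```

A practical caveat: the ALG is chosen by the application the policy matched, not by what the server actually speaks. If 'plain-21' above were used by a real FTP client, its data connections would fail silently at the policy, which is the first thing to check when passive FTP "works on port 21 but not on the custom port".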


ALG Cheat Sheet

ALG Name
DNS
Application Details
Domain Name System (DNS) is a protocol to resolve hostnames to IP addresses.
What does the ALG do?
Monitors the DNS response and closes the session as soon as the response is seen, instead of holding the UDP session open until it times out.
Checks the message length and drops messages that exceed the configured maximum.
Performs NAT translation (DNS doctoring) of A records in responses when static NAT is configured, so clients on each side see the address that is valid for them.
Configurable Options
Doctoring: enable or disable DNS doctoring and its sanity checks (keywords 'none' and 'sanity-check')
Maximum-message-length: set the maximum DNS message length in bytes (512-8192; the default is 512, which breaks larger EDNS replies)

ALG Name
FTP
Application Details
File Transfer Protocol (FTP) is a protocol used to transfer files/data between hosts.
What does the ALG do?
Monitors the PORT and PASV commands and the server's 227 response, which carry the IP address and port of the data connection.
Performs NAT on the IP address, the port, or both inside the message.
Opens a gate (pinhole) so the data connection is permitted without a separate policy.
Configurable Options
Ftps-extension: enable FTPS (FTP over SSL/TLS) support so the ALG can follow control sessions that negotiate TLS. SFTP runs over SSH, is not FTP, and is not handled by this ALG.
Line-break-extension: accept commands terminated by a bare line feed (LF) instead of the standard CRLF.

ALG Name
H323
Application Details
H.323 is a protocol that provides A/V call signalling, call control and media transport.
What does the ALG do?
Allows you to secure VoIP communication between hosts and multimedia devices.
Configurable Options
Application Screen: Allows thresholds to be configured and unknown message types to be allowed/blocked.
Dscp-rewrite: set dscp codepoint (6bit DSCP Codepoint).
Endpoint-registration-timeout: sets timeout of end point registration
Media-source-port-any: allows media from any source port on the host.

ALG Name
MGCP
Application Details
Media Gateway Control Protocol (MGCP) is a master/slave call control protocol.
What does the ALG do?
Monitors the VoIP signalling payload for malformed packets and checks that the exchange follows the RFCs.
Provides stateful inspection related to the protocol.
Performs NAT on any embedded IP address and port information in the payload.
Allows/pinholes VoIP media traffic based on information in the payload.
Configurable Options
Inactive-media-timeout: the maximum time a call can remain 'open' with no media (RTP) traffic before its state and pinholes are removed.
Maximum-call-duration: the maximum time a call can last; once exceeded the session is removed.

ALG Name
MSRPC
Application Details
Microsoft Remote Procedure Call (MSRPC) is the Microsoft implementation of the Distributed Computing Environment / Remote Procedure Call (DCE/RPC) system. It lets programmers write distributed software as if it ran on a single system, without having to worry about the underlying network.
What does the ALG do?
Monitors traffic on TCP port 135.
Allows access based on dynamic transport address negotiation.
Can define a security policy to allow/deny specific RPC requests based on Universally Unique Identifier (UUID) number.
Configurable Options
None.
(Note: custom MS-RPC applications, identified by UUID, can be defined and placed in security policies; the syntax differs between Junos releases. Here is a good KB article: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23730&actp=RSS)

ALG Name
PPTP
Application Details
Point to Point Tunneling Protocol (PPTP) tunnels Layer 2 (PPP) frames over a Layer 3 (IP) network, using a TCP control connection and GRE for the tunneled data.
What does the ALG do?
Monitors the PPTP control channel and performs NAT and security policy pinholing for the GRE tunnel as needed.
Configurable Options
None.

ALG Name
REAL
Application Details
RealAudio is a proprietary streaming audio format developed by RealNetworks. It is not as popular as it once was. The protocol uses separate control and data channels.
What does the ALG do?
Monitors REAL audio traffic and performs NAT and security policy pin-holing as needed for the data channels.
Configurable Options
None.

ALG Name
RSH
Application Details
Remote Shell (RSH) is a command line program that executes shell commands on a remote system, optionally as a different user. It has mostly been replaced by SSH.
What does the ALG do?
Monitors TCP port 514 and performs NAT and security policy pinholing as needed. RSH needs this because the server opens a second connection back to the client for stderr, on a port the client names in its request.
Configurable Options
None.

ALG Name
RTSP
Application Details
Real Time Streaming Protocol (RTSP) is a protocol for controlling streaming media servers (setup, play, pause); the media itself usually travels over separate RTP/RTCP ports negotiated in the SETUP exchange.
What does the ALG do?
Monitors the RTSP control channel on TCP port 554 and performs NAT and security policy pinholing for the negotiated media ports as needed.
Configurable Options
None.

ALG Name
SCCP
Application Details
Skinny Call Control Protocol (SCCP) is a proprietary Cisco protocol for call signalling.
What does the ALG do?
Allows you to protect against application DoS using application screens.
Provides stateful application layer inspection.
Monitors control channel and performs NAT and security policy pin-holing as needed.
Configurable Options
Application Screen: Allows thresholds to be configured and unknown message types to be allowed/blocked.
Dscp-rewrite: set dscp codepoint (6bit DSCP Codepoint).
Inactive-media-timeout: set inactive media timeout in seconds (10-600)

ALG Name
SIP
Application Details
Session Initiation Protocol (SIP) is an IETF defined signalling protocol for voice and video over IP.
What does the ALG do?
Allows you to protect against application DoS using application screens.
Provides stateful application layer inspection.
Monitors control channel and performs NAT and security policy pin-holing as needed.
Configurable Options
Application Screen: Allows thresholds to be configured and unknown message types to be allowed/blocked.
C-timeout: INVITE transaction timeout in minutes (3-10)
Dscp-rewrite: set dscp codepoint (6bit DSCP Codepoint).
Inactive-media-timeout: set inactive media timeout in seconds (10-2550)
Maximum-call-duration: set max call duration in minutes (3-720)
Retain-hold-resource: enable retention of SDP resources during a call hold.
T1-interval: set interval in milliseconds (500-5000)
T4-interval: set interval in seconds (5-10)

ALG Name
SQL
Application Details
The SQL ALG handles Oracle SQL*Net (TNS, the Transparent Network Substrate), the client/server protocol used to reach Oracle databases, rather than the SQL language itself.
What does the ALG do?
Processes the TNS redirect response from the server, parses the host IP address and port it contains, and uses them to perform NAT and open a policy pinhole for the client's data connection.
Configurable Options
None.

ALG Name
SUNRPC
Application Details
Sun Remote Procedure Call (SUNRPC, also called ONC RPC) is Sun's RPC system and is distinct from DCE/RPC. It lets programmers write distributed software as if it ran on a single system, without having to worry about the underlying network.
What does the ALG do?
Monitors portmapper traffic on port 111 (TCP and UDP).
Allows access based on dynamic transport address negotiation.
Can define a security policy to allow/deny specific RPC requests by program number.
Configurable Options
None.
(Note: custom RPC applications can be defined and placed in security policies; the syntax differs between Junos releases. Here is a good KB article: http://kb.juniper.net/InfoCenter/index?page=content&id=KB23730&actp=RSS)

ALG Name
TALK
Application Details
TALK is a Unix text chat program.
What does the ALG do?
Processes ntalk and talkd communication. This is used to perform NAT and policy pin-holing.
Configurable Options
None.

ALG Name
TFTP
Application Details
Trivial File Transfer Protocol (TFTP) is a simple UDP file transfer protocol; it has no authentication.
What does the ALG do?
Processes the TFTP request (RRQ/WRQ) on UDP port 69 and opens a pinhole in the security policy for the return data traffic, which the server sends from a new ephemeral source port.
Configurable Options
None.
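Bringing several of the SIP rows above together, here is an added example (not from the original post) of a hardened SIP ALG configuration for a trunk to a provider, with the reasoning behind each value. The zone names, addresses, timers and policy name are assumptions chosen for illustration; the application-screen keywords are given as I know them from Junos and should be confirmed with '?' completion on your release.

```junos
## Added example, not from the original post. '##' lines are commentary, not CLI input.
## Assumptions: zones 'untrust' and 'voice', PBX at 192.0.2.10, trunk at 198.51.100.5.

## 1. Bind the ALG: the predefined junos-sip application carries
##    'application-protocol sip', so a policy matching it triggers the SIP ALG.
##    Restrict the source to the trunk so only the provider can open pinholes.
set security address-book global address pbx 192.0.2.10/32
set security address-book global address sip-trunk 198.51.100.5/32
set security policies from-zone untrust to-zone voice policy sip-in match source-address sip-trunk
set security policies from-zone untrust to-zone voice policy sip-in match destination-address pbx
set security policies from-zone untrust to-zone voice policy sip-in match application junos-sip
set security policies from-zone untrust to-zone voice policy sip-in then permit

## 2. Limit how long ALG state (and its RTP pinholes) can live.
##    No RTP for 120 s tears the call down; no call may exceed 4 hours;
##    an INVITE with no final response times out after 3 minutes.
set security alg sip inactive-media-timeout 120
set security alg sip maximum-call-duration 240
set security alg sip c-timeout 3

## 3. Application screen: protect the PBX from INVITE floods, and keep the
##    default of dropping unknown SIP methods. Do not add
##    'unknown-message permit-nat-applied' or 'permit-routed' unless a
##    specific method is known to be needed.
set security alg sip application-screen protect deny dst-ip 192.0.2.10/32
set security alg sip application-screen protect deny timeout 60

## 4. Mark signalling so it is queued ahead of bulk traffic (EF = 101110).
set security alg sip dscp-rewrite code-point 101110

commit and-quit

## --- operational mode ---
show security alg sip counters
show security flow session application sip
show security flow gate
```

The design point is that every pinhole an ALG opens is driven by attacker-influenced payload, so the policy should narrow who may reach the ALG in the first place, and the timers should bound how long any state it creates can survive.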



Conclusions
Please feel free to leave comments if any important aspects are missing from the ALG Cheat Sheet. The next post will focus on Security Policy Authorization.

