D-Link DFL-2500 User Manual, page 138

6.2. Application Layer Gateways

6.2.1. Overview

To complement low-level packet filtering, which only inspects packet headers in protocols such as IP,
TCP, UDP, and ICMP, D-Link Firewalls provide Application Layer Gateways (ALGs), which
filter traffic at the application layer of the OSI model.

An ALG object acts as a mediator for access to commonly used Internet applications outside the
protected network, for example web access, file transfer and multimedia transfer. ALGs provide
higher security than packet filtering since they are capable of scrutinizing all traffic for a specific
protocol and performing checks at the higher levels of the TCP/IP stack.

The following protocols are supported by NetDefendOS ALGs:

HTTP

FTP

TFTP

SMTP

POP3

SIP

H.323

Deploying an ALG

Once an ALG is defined by the administrator, it is brought into use by first associating it with a
Service object and then associating that Service with an IP rule in the NetDefendOS IP rule set.

Maximum Connection Sessions

The Service associated with an ALG has a configurable parameter called Max Sessions,
and its default value varies according to the type of ALG. For instance, the default value
for the HTTP ALG is 1000. This means that 1000 connections are allowed in total for the HTTP
Service across all interfaces. The full list of default maximum session values is:

HTTP ALG - 1000 sessions.

FTP ALG - 200 sessions.

TFTP ALG - 200 sessions.

SMTP ALG - 200 sessions.

POP3 ALG - 200 sessions.

H.323 ALG - 100 sessions.

Note

This default value can often be too low for HTTP if there is a large number of clients
connecting through the D-Link Firewall, and it is therefore recommended to consider
using a higher value.
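The deployment chain above (ALG, then Service, then IP rule) and the per-Service Max Sessions limit can be modelled in a few lines. The following Python is an added illustration, not D-Link or NetDefendOS code: the class names Alg, Service, IpRule and Firewall, the lint() checks and the tiny session cap of 2 are all constructed for the example. It shows that the session counter belongs to the Service, so connections arriving on different interfaces through different rules all draw on the same limit, and it flags the configuration mistakes a practitioner checks for before deploying an ALG (an ALG attached to no Service, a Service referenced by no rule, an HTTP Service left at the 1000-session default).

```python
from dataclasses import dataclass, field
from typing import Optional, List, Set, Tuple

# Default Max Sessions per ALG type, as listed in the manual.
DEFAULT_MAX_SESSIONS = {
    "HTTP": 1000, "FTP": 200, "TFTP": 200,
    "SMTP": 200, "POP3": 200, "H.323": 100,
}

@dataclass
class Alg:                    # illustrative model of a NetDefendOS ALG object
    name: str
    alg_type: str             # key into DEFAULT_MAX_SESSIONS

@dataclass
class Service:                # illustrative model of a Service object
    name: str
    protocol: str             # "TCP" or "UDP"
    dest_port: int
    alg: Optional[Alg] = None
    max_sessions: Optional[int] = None                  # None -> use the ALG default
    active: Set[Tuple[str, str]] = field(default_factory=set)  # (interface, client)

    def session_limit(self) -> int:
        if self.max_sessions is not None:
            return self.max_sessions
        if self.alg is None:
            raise ValueError(f"{self.name}: no ALG and no explicit Max Sessions")
        return DEFAULT_MAX_SESSIONS[self.alg.alg_type]

@dataclass
class IpRule:                 # illustrative model of an IP rule
    name: str
    action: str               # "Allow" or "Drop"
    src_iface: str
    service: Service

class Firewall:
    """First-match rule set; the session counter lives on the Service, not the rule."""
    def __init__(self, rules: List[IpRule]):
        self.rules = rules

    def open_session(self, iface: str, client: str, proto: str, dst_port: int) -> str:
        for rule in self.rules:
            svc = rule.service
            if rule.src_iface == iface and svc.protocol == proto and svc.dest_port == dst_port:
                if rule.action != "Allow":
                    return "drop"
                # Max Sessions is a per-Service total across every interface and rule.
                if len(svc.active) >= svc.session_limit():
                    return "reject:max-sessions"
                svc.active.add((iface, client))
                return "allow"
        return "drop"         # no matching rule: default deny

def lint(algs: List[Alg], services: List[Service], rules: List[IpRule]) -> List[str]:
    """Configuration checks to run before an ALG goes into production."""
    findings = []
    used_algs = {s.alg.name for s in services if s.alg}
    used_services = {r.service.name for r in rules}
    for a in algs:
        if a.name not in used_algs:
            findings.append(f"ALG {a.name} is not attached to any Service (never used)")
    for s in services:
        if s.alg and s.name not in used_services:
            findings.append(f"Service {s.name} (ALG {s.alg.name}) is not referenced by any IP rule")
        if s.alg and s.alg.alg_type == "HTTP" and s.max_sessions is None:
            findings.append(f"Service {s.name}: HTTP ALG at default Max Sessions (1000); consider raising it")
    return findings

def demo() -> dict:
    http_alg = Alg("http_alg", "HTTP")
    ftp_alg = Alg("ftp_alg", "FTP")           # constructed: defined but never attached
    # Constructed cap of 2 so the limit is reached inside the demo.
    http_svc = Service("http_svc", "TCP", 80, alg=http_alg, max_sessions=2)
    default_http = Service("http_default", "TCP", 8080, alg=http_alg)  # no rule uses it
    rules = [
        IpRule("lan_http", "Allow", "lan", http_svc),
        IpRule("dmz_http", "Allow", "dmz", http_svc),
    ]
    fw = Firewall(rules)
    outcomes = [
        fw.open_session("lan", "10.0.0.5", "TCP", 80),
        fw.open_session("dmz", "172.16.0.9", "TCP", 80),  # other interface, same counter
        fw.open_session("lan", "10.0.0.6", "TCP", 80),    # third session exceeds the cap of 2
        fw.open_session("lan", "10.0.0.6", "TCP", 21),    # no rule matches: default deny
    ]
    return {
        "outcomes": outcomes,
        "default_http_limit": default_http.session_limit(),
        "findings": lint([http_alg, ftp_alg], [http_svc, default_http], rules),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Running the block prints the four outcomes (the third session is refused even though it arrives on the same interface as the first, because the limit counts the dmz session too), the default limit of 1000 for a Service left at the HTTP ALG default, and three lint findings.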

Chapter 6. Security Mechanisms