LOGBOOK

HELP

Quiz Entry - updated: 2026.07.14

What is an Application Layer Gateway (ALG / Proxy), and how does it differ from a stateful firewall?

An ALG (also called proxy / Stellvertreter) operates at OSI Layer 7 (Application) — it understands the application protocol (HTTP, FTP, SMTP, SIP) and can filter on application-specific content. The firewall acts as a middleman: there's no direct network connection between client and server.

Client→proxy connection terminated; proxy opens a separate connection to the server; it can filter at L7.

* An ALG terminates two separate connections and inspects Layer 7. *

The fundamental difference:

Stateful FW:       Client ────TCP────→ FW ────TCP────→ Server
                   (one TCP connection passing through)

ALG (Proxy):       Client ────TCP────→ Proxy ════TCP════→ Server
                   (TWO separate connections; FW is a participant)

The proxy terminates the client's connection, inspects the data, then opens its own connection to the server. From the server's view, the proxy is the client.

What ALGs can do (Vorteile):

Capability Why it works
Easier to configure than packet filters "Allow HTTP" rather than "allow TCP/80 from /any/ to /any/"
No direct connection Internet ↔ Intranet Attacker can't probe internal hosts directly
Immune to L3/L4 spoofing Attacker would need to compromise the application protocol itself
Application-specific filtering Block specific URLs, MIME types, SQL patterns
Generally safer than packet filters Two layers of inspection (network + application)

The downsides (Nachteile):

Disadvantage Why
Slow compared to packet filters Full L7 parsing on every packet
Protocol-specific software needed A proxy must "understand" each protocol — adding a new one means writing/buying software
Limited protocol support Common protocols (HTTP, FTP, SMTP, telnet) are well-supported; obscure ones aren't
TLS encrypts the content A proxy must perform "MITM" (TLS interception) to inspect HTTPS — controversial

Concrete example — HTTP proxy:

You browse → Proxy receives "GET /malware.exe HTTP/1.1"
            → Proxy checks URL against blocklist
            → URL contains "malware.exe" → BLOCK
            → Returns "403 Forbidden" to you
            → Never opens connection to attacker's server

A packet filter can't do this — it sees TCP/443 flow and that's it.

Tip: When you set up a corporate web proxy (Squid, Blue Coat, Zscaler), you're deploying an HTTP/HTTPS ALG. The browser is configured to use the proxy explicitly (via http_proxy env var or PAC file), and all web traffic passes through it for inspection and policy enforcement.

Go deeper:

From Quiz: INTROL / Firewall Fundamentals | Updated: Jul 14, 2026