What is an Application Layer Gateway (ALG / Proxy), and how does it differ from a stateful firewall?
An ALG (also called proxy / Stellvertreter) operates at OSI Layer 7 (Application) — it understands the application protocol (HTTP, FTP, SMTP, SIP) and can filter on application-specific content. The firewall acts as a middleman: there's no direct network connection between client and server.
* An ALG terminates two separate connections and inspects Layer 7. *
The fundamental difference:
Stateful FW: Client ────TCP────→ FW ────TCP────→ Server
(one TCP connection passing through)
ALG (Proxy): Client ────TCP────→ Proxy ════TCP════→ Server
(TWO separate connections; FW is a participant)
The proxy terminates the client's connection, inspects the data, then opens its own connection to the server. From the server's view, the proxy is the client.
What ALGs can do (Vorteile):
| Capability | Why it works |
|---|---|
| Easier to configure than packet filters | "Allow HTTP" rather than "allow TCP/80 from /any/ to /any/" |
| No direct connection Internet ↔ Intranet | Attacker can't probe internal hosts directly |
| Immune to L3/L4 spoofing | Attacker would need to compromise the application protocol itself |
| Application-specific filtering | Block specific URLs, MIME types, SQL patterns |
| Generally safer than packet filters | Two layers of inspection (network + application) |
The downsides (Nachteile):
| Disadvantage | Why |
|---|---|
| Slow compared to packet filters | Full L7 parsing on every packet |
| Protocol-specific software needed | A proxy must "understand" each protocol — adding a new one means writing/buying software |
| Limited protocol support | Common protocols (HTTP, FTP, SMTP, telnet) are well-supported; obscure ones aren't |
| TLS encrypts the content | A proxy must perform "MITM" (TLS interception) to inspect HTTPS — controversial |
Concrete example — HTTP proxy:
You browse → Proxy receives "GET /malware.exe HTTP/1.1"
→ Proxy checks URL against blocklist
→ URL contains "malware.exe" → BLOCK
→ Returns "403 Forbidden" to you
→ Never opens connection to attacker's server
A packet filter can't do this — it sees TCP/443 flow and that's it.
Tip: When you set up a corporate web proxy (Squid, Blue Coat, Zscaler), you're deploying an HTTP/HTTPS ALG. The browser is configured to use the proxy explicitly (via http_proxy env var or PAC file), and all web traffic passes through it for inspection and policy enforcement.
Go deeper:
Application firewall — Wikipedia — covers how L7 proxies "understand" FTP/DNS/HTTP and act as reverse proxies between client and server.