ALG Descriptions
This topic provides details about Application Layer Gateways (ALGs) supported under the Junos OS Service Framework (JSF). It includes the following:
Supported ALGs
Table 1 lists ALGs supported by JSF.
Table 1: ALGs Supported Under JSF
| ALGs Supported | v4 - v4 | v4 - v6 | v6 - v6 |
|---|---|---|---|
| Basic TCP ALG | Yes | No | No |
| Basic UDP ALG | Yes | No | No |
| DCE RPC Services | Yes | No | No |
| DNS | Yes | No | No |
| FTP | Yes | No | No |
| MSRPC | Yes | No | No |
| PPTP | Yes | No | No |
| Sun RPC and RPC Port Map Services | Yes | No | No |
| RTSP | Yes | No | No |
| SIP | Yes | No | No |
| SQLNET | Yes | No | No |
| TALK | Yes | No | No |
| Unix Remote Shell Service | Yes | No | No |
ALG Support Details
ALG support includes managing pinholes and parent-child relationships for all supported ALGs. This section includes details about the following ALGs:
- Basic TCP ALG
- Basic UDP ALG
- DCE RPC Services
- DNS
- FTP
- MSRPC
- ONC RPC Services
- PPTP
- RPC and RPC Portmap Services
- RTSP
- SIP
- SQLNet
- Talk
- UNIX Remote-Shell Services
Basic TCP ALG
This ALG performs basic sanity checking on TCP packets. If it finds errors, it generates the following anomaly events and system log messages:
- TCP source or destination port zero
- TCP header length check failed
- TCP sequence number zero and no flags are set
- TCP sequence number zero and FIN/PSH/RST flags are set
- TCP FIN/RST or SYN(URG|FIN|RST) flags are set
The TCP ALG performs the following steps:
- When the router receives a SYN packet, the ALG creates TCP forward and reverse flows and groups them in a conversation. It tracks the TCP three-way handshake.
- The SYN-defense mechanism tracks the TCP connection establishment state. It expects the TCP session to be established within a small time interval (currently 4 seconds). If the TCP three-way handshake is not established in that period, the session is terminated.
- A keepalive mechanism detects TCP sessions with nonresponsive endpoints.
- Internet Control Message Protocol (ICMP) errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.
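The following Python script is an added illustration of the sanity checks listed above; it is not Junos OS code. It unpacks a raw TCP header with the standard library and returns the anomaly event names that apply. The reading of the last check (FIN together with RST, or SYN together with any of URG, FIN or RST) and the build_segment helper, which constructs sample segments, are this example's own assumptions.

```python
import struct

# TCP flag bits (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_header(segment):
    """Return the fixed TCP header fields of a raw TCP segment as a dict."""
    if len(segment) < 20:
        raise ValueError("segment shorter than the minimum TCP header")
    sport, dport, seq, ack, off_flags, win, csum, urg = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "hlen": (off_flags >> 12) * 4,   # data offset in 32-bit words -> bytes
        "flags": off_flags & 0x1FF,      # NS,CWR,ECE,URG,ACK,PSH,RST,SYN,FIN
        "total": len(segment),
    }


def tcp_sanity_check(segment):
    """Apply the five checks from the list above.

    Returns the list of anomaly event names raised for this segment
    (an empty list means the segment passed).
    """
    events = []
    try:
        h = parse_tcp_header(segment)
    except ValueError:
        return ["TCP header length check failed"]
    if h["sport"] == 0 or h["dport"] == 0:
        events.append("TCP source or destination port zero")
    # Data offset must be at least 20 bytes and must not exceed the segment.
    if h["hlen"] < 20 or h["hlen"] > h["total"]:
        events.append("TCP header length check failed")
    f = h["flags"]
    if h["seq"] == 0 and f == 0:
        events.append("TCP sequence number zero and no flags are set")
    if h["seq"] == 0 and f & (FIN | PSH | RST):
        events.append("TCP sequence number zero and FIN/PSH/RST flags are set")
    # Interpretation used here: FIN+RST together, or SYN with URG, FIN or RST.
    if (f & FIN and f & RST) or (f & SYN and f & (URG | FIN | RST)):
        events.append("TCP FIN/RST or SYN(URG|FIN|RST) flags are set")
    return events


def build_segment(sport, dport, seq, flags, hlen=20):
    """Constructed helper: a TCP header (no payload) with the given fields.

    hlen sets the data offset; bytes beyond 20 are zero-filled options.
    """
    off_flags = ((hlen // 4) << 12) | flags
    header = struct.pack("!HHIIHHHH", sport, dport, seq, 0, off_flags, 65535, 0, 0)
    return header + b"\x00" * (hlen - 20)
```

A clean SYN (for example build_segment(40000, 80, 12345, SYN)) yields no events, while a segment whose data offset claims 40 bytes but which is truncated to 20 bytes raises only the header length event.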
Basic UDP ALG
This ALG performs basic sanity checking on UDP headers. If it finds errors, it generates the following anomaly events and system log messages:
- UDP source or destination port 0
- UDP header length check failed
The UDP ALG performs the following steps:
- When it receives the first packet, the ALG creates bidirectional flows to accept forward and reverse UDP session traffic.
- If the session is idle for more than the maximum allowed idle time (the default is 30 seconds), the flows are deleted.
- ICMP errors are allowed only if there is a flow that matches the selector information specified in the ICMP data.
DCE RPC Services
Distributed Computing Environment (DCE) Remote Procedure Call (RPC) services are mainly used by Microsoft applications. The ALG uses well-known TCP port 135 for port mapping services, and uses the universal unique identifier (UUID) instead of the program number to identify protocols. The main application-based DCE RPC is the Microsoft Exchange Protocol.
Support for stateful firewall and network address translation (NAT) services requires that you configure the DCE RPC portmap ALG on TCP port 135. The DCE RPC ALG uses the TCP protocol with application-specific UUIDs.
DNS
The Domain Name Service (DNS) ALG handles data associated with locating and translating domain names into IP addresses. The ALG typically runs on port 53. The ALG monitors DNS query and reply packets and supports only UDP traffic. The ALG does not support payload translations. The DNS ALG will only close the session when a reply is received or an idle timeout is reached.
FTP
FTP is the File Transfer Protocol, specified in RFC 959. In addition to the main control connection, data connections are also made for any data transfer between the client and the server; and the host, port, and direction are negotiated through the control channel.
For non-passive-mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PORT command, which provides the IP address and port number to which the server connects. For passive-mode FTP, the Junos OS stateful firewall service scans the client-to-server application data for the PASV command and then scans the server-to-client responses for the 227 response, which contains the IP address and port number to which the client connects.
There is an additional complication: FTP represents these addresses and port numbers in ASCII. As a result, when addresses and ports are rewritten, the TCP sequence number might be changed, and thereafter the NAT service needs to maintain this delta in SEQ and ACK numbers by performing sequence NAT on all subsequent packets.
Support for stateful firewall and NAT services requires that you configure the FTP ALG on TCP port 21 to enable the FTP control protocol. The ALG performs the following tasks:
- Automatically allocates data ports and firewall permissions for dynamic data connection
- Creates flows for the dynamically negotiated data connection
- Monitors the control connection in both active and passive modes
- Rewrites the control packets with the appropriate NAT address and port information
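The following Python script is an added example of the control-channel handling described in this section; it is not Junos OS code. It scans client-to-server lines for the PORT command and server-to-client lines for the 227 response, decodes the ASCII h1,h2,h3,h4,p1,p2 form, records the negotiated data endpoint as a pinhole, rewrites the endpoint from a NAT mapping, and tracks the byte-count delta that sequence NAT must then apply. The FtpAlg class, its nat_map argument, the adjust method and the sample addresses are this example's own constructions; the delta handling is simplified to packets that follow the rewritten command.

```python
import re

# "PORT h1,h2,h3,h4,p1,p2" from the client (active mode).
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n$")
# "227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)" from the server (passive mode).
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)\r\n$")


def decode_hostport(fields):
    """Six decimal fields -> ("h1.h2.h3.h4", p1*256 + p2)."""
    h1, h2, h3, h4, p1, p2 = (int(x) for x in fields)
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def encode_hostport(ip, port):
    """("ip", port) -> "h1,h2,h3,h4,p1,p2" as FTP writes it."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


class FtpAlg:
    """Tracks one FTP control connection (constructed example class).

    nat_map: {(inside_ip, inside_port): (outside_ip, outside_port)}.
    Endpoints without a mapping are left unchanged.
    """

    def __init__(self, nat_map):
        self.nat_map = nat_map
        self.c2s_delta = 0     # bytes gained by the client->server stream
        self.s2c_delta = 0     # bytes gained by the server->client stream
        self.pinholes = []     # (ip, port) data endpoints to admit

    def _rewrite(self, line, match):
        """Rewrite the h1..p2 span of a matched line; returns (new_line, delta)."""
        ip, port = decode_hostport(match.groups())
        nat_ip, nat_port = self.nat_map.get((ip, port), (ip, port))
        self.pinholes.append((nat_ip, nat_port))
        new_line = (line[:match.start(1)] + encode_hostport(nat_ip, nat_port)
                    + line[match.end(6):])
        return new_line, len(new_line) - len(line)

    def client_to_server(self, line):
        m = PORT_RE.match(line)
        if not m:
            return line
        new_line, delta = self._rewrite(line, m)
        self.c2s_delta += delta
        return new_line

    def server_to_client(self, line):
        m = PASV_RE.match(line)
        if not m:
            return line
        new_line, delta = self._rewrite(line, m)
        self.s2c_delta += delta
        return new_line

    def adjust(self, direction, seq, ack):
        """Sequence NAT for a packet sent after a rewrite.

        The sender's SEQ grows by the delta its own stream gained; its ACK
        shrinks by the delta the opposite stream gained. direction is
        "c2s" (client to server) or "s2c" (server to client).
        """
        if direction == "c2s":
            return seq + self.c2s_delta, ack - self.s2c_delta
        return seq + self.s2c_delta, ack - self.c2s_delta
```

With a mapping of inside 10.0.0.5:1026 to outside 203.0.113.7:40001, the line "PORT 10,0,0,5,4,2" becomes "PORT 203,0,113,7,156,65", which is 6 bytes longer; every later client packet therefore carries SEQ + 6 and every server packet ACK - 6.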
MSRPC
MSRPC is a modified version of DCE/RPC. Additions include support for Unicode strings, implicit handles, and inheritance of interfaces.
ONC RPC Services
Open Networks Computing (ONC) RPC services function similarly to DCE RPC services. However, the ONC RPC ALG uses TCP/UDP port 111 for port mapping services and uses the program number to identify protocols rather than the UUID.
Support for stateful firewall and NAT services requires that you configure the ONC RPC portmap ALG on TCP port 111. The ONC RPC ALG uses the TCP protocol with application-specific program numbers.
PPTP
The Point-to-Point Tunneling Protocol (PPTP) ALG is a TCP-based ALG. PPTP allows the Point-to-Point Protocol (PPP) to be tunneled through an IP network. PPTP defines a client-server architecture, a PPTP Network Server, and a PPTP Access Concentrator. The PPTP ALG requires a control connection and a data tunnel. The control connection uses TCP to establish and disconnect PPP sessions, and runs on port 1723. The data tunnel carries PPP traffic in generic routing encapsulated (GRE) packets that are carried over IP.
RPC and RPC Portmap Services
The Remote Procedure Call (RPC) ALG uses well-known ports TCP 111 and UDP 111 for port mapping, which dynamically assigns and opens ports for RPC services. The RPC Portmap ALG keeps track of port requests and dynamically opens the firewall for these requested ports. The RPC ALG can further restrict the RPC protocol by specifying allowed program numbers.
The ALG includes the RPC services listed in Table 2.
Table 2: Supported RPC Services
| Name | Description | Comments |
|---|---|---|
| rpc-mountd | Network File Server (NFS) mount daemon; for details, see the UNIX man page for rpc.mountd(8). | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). |
| rpc-nfsprog | Used as part of NFS. For details, see RFC 1094. See also RFC 1813 for NFS v3. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). |
| rpc-nisplus | Network Information Service Plus (NIS+), designed to replace NIS; it is a default naming service for Sun Solaris and is not related to the old NIS. No protocol information is available. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). |
| rpc-nlockmgr | Network lock manager. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-nlockmgr service can be allowed or blocked based on RPC program 100021. |
| rpc-pcnfsd | Kernel statistics server. For details, see the UNIX man pages for rstatd and rpc.rstatd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-rstat service can be allowed or blocked based on RPC program 150001. |
| rpc-rwall | Used to write a message to users; for details, see the UNIX man page for rpc.rwalld. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-rwall service can be allowed or blocked based on RPC program 150008. |
| rpc-ypbind | NIS binding process. For details, see the UNIX man page for ypbind. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypbind service can be allowed or blocked based on RPC program 100007. |
| rpc-yppasswd | NIS password server. For details, see the UNIX man page for yppasswd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-yppasswd service can be allowed or blocked based on RPC program 100009. |
| rpc-ypserv | NIS server. For details, see the UNIX man page for ypserv. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypserv service can be allowed or blocked based on RPC program 100004. |
| rpc-ypupdated | Network updating tool. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypupdated service can be allowed or blocked based on RPC program 100028. |
| rpc-ypxfrd | NIS map transfer server. For details, see the UNIX man page for rpc.ypxfrd. | The base support is RPC v2 and the port mapper service on port 111 (see RFC 1050). Once the RPC program table is built, the rpc-ypxfrd service can be allowed or blocked based on RPC program 100069. |
Support for stateful firewall and NAT services that use port mapping requires that you configure the RPC portmap ALG on TCP/UDP destination port 111 and the RPC ALG for both TCP and UDP. You can specify one or more rpc-program-number values to further restrict allowed RPC protocols.
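The following Python script is an added example of how a portmap ALG learns a dynamically assigned port and applies an rpc-program-number restriction; it is not Junos OS code. It decodes an ONC RPC v2 PMAPPROC_GETPORT call and its reply using the message layout of RFC 1050/1057 (AUTH_NULL credentials assumed), pairs them by XID, and opens a pinhole only when the program is on the allow list. The RpcPortmapAlg class, the build_* helpers and the sample XIDs and ports are this example's own constructions; the program numbers 100021, 100007 and 100004 are taken from Table 2.

```python
import struct

PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT = 100000, 2, 3   # portmapper identity
IPPROTO_TCP, IPPROTO_UDP = 6, 17
CALL, REPLY = 0, 1                                       # RPC msg_type values


def _u32s(buf, off, n):
    """Read n big-endian 32-bit words at off; return (tuple, new_off)."""
    return struct.unpack_from("!%dI" % n, buf, off), off + 4 * n


def _skip_auth(buf, off):
    """Skip an opaque_auth: flavor, length, body padded to 4 bytes."""
    _flavor, length = struct.unpack_from("!II", buf, off)
    return off + 8 + ((length + 3) & ~3)


def parse_getport_call(buf):
    """Return {xid, prog, vers, prot} for a GETPORT call, else None."""
    (xid, mtype, rpcvers, prog, vers, proc), off = _u32s(buf, 0, 6)
    if (mtype, rpcvers, prog, vers, proc) != (CALL, 2, PMAP_PROG, PMAP_VERS,
                                               PMAPPROC_GETPORT):
        return None
    off = _skip_auth(buf, off)   # credentials
    off = _skip_auth(buf, off)   # verifier
    (rprog, rvers, rprot, _port), _ = _u32s(buf, off, 4)   # mapping args
    return {"xid": xid, "prog": rprog, "vers": rvers, "prot": rprot}


def parse_getport_reply(buf):
    """Return {xid, port} for an accepted, successful reply, else None."""
    (xid, mtype, reply_stat), off = _u32s(buf, 0, 3)
    if mtype != REPLY or reply_stat != 0:        # 0 = MSG_ACCEPTED
        return None
    off = _skip_auth(buf, off)                   # verifier
    (accept_stat, port), _ = _u32s(buf, off, 2)
    return None if accept_stat != 0 else {"xid": xid, "port": port}


class RpcPortmapAlg:
    """Constructed example class: pairs GETPORT calls with replies.

    allowed_programs: iterable of RPC program numbers to permit, or None
    to permit every program the portmapper resolves.
    """

    def __init__(self, allowed_programs=None):
        self.allowed = set(allowed_programs) if allowed_programs else None
        self.pending = {}     # xid -> (prog, prot)
        self.pinholes = []    # (prog, prot, port) opened
        self.blocked = []     # (prog, prot, port) refused by the allow list

    def on_call(self, buf):
        c = parse_getport_call(buf)
        if c:
            self.pending[c["xid"]] = (c["prog"], c["prot"])

    def on_reply(self, buf):
        r = parse_getport_reply(buf)
        if not r or r["xid"] not in self.pending:
            return None                      # unsolicited or unparsable reply
        prog, prot = self.pending.pop(r["xid"])
        if r["port"] == 0:
            return None                      # program not registered
        entry = (prog, prot, r["port"])
        if self.allowed is not None and prog not in self.allowed:
            self.blocked.append(entry)
            return None
        self.pinholes.append(entry)
        return entry


def build_getport_call(xid, prog, vers, prot):
    """Constructed: GETPORT call with AUTH_NULL credentials and verifier."""
    return (struct.pack("!6I", xid, CALL, 2, PMAP_PROG, PMAP_VERS, PMAPPROC_GETPORT)
            + struct.pack("!4I", 0, 0, 0, 0)          # cred + verf, both empty
            + struct.pack("!4I", prog, vers, prot, 0))


def build_getport_reply(xid, port):
    """Constructed: accepted, successful reply carrying the resolved port."""
    return struct.pack("!3I", xid, REPLY, 0) + struct.pack("!2I", 0, 0) \
        + struct.pack("!2I", 0, port)
```

With an allow list of 100021 and 100007, a lookup of program 100021 over TCP that resolves to port 4045 opens a pinhole, while a lookup of 100004 (rpc-ypserv) is recorded as blocked even though the portmapper answered it.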
RTSP
The Real-Time Streaming Protocol (RTSP) controls the delivery of data with real-time properties such as audio and video. The streams controlled by RTSP can use RTP, but it is not required. Media can be transmitted on the same RTSP control stream. This is an HTTP-like text-based protocol, but both client and server maintain session information. A session is established using the SETUP message and terminated using the TEARDOWN message. The transport (the media protocol, address, and port numbers) is negotiated in the setup and the setup-response.
Note: RTSP interleaved mode is not supported.
Support for stateful firewall and NAT services requires that you configure the RTSP ALG for TCP port 554.
The ALG monitors the control connection, opens flows dynamically for media (RTP/RTSP) streams, and performs NAT address and port rewrites.
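The following Python script is an added example of the SETUP / SETUP-response negotiation described above; it is not Junos OS code. It parses the RTSP Transport header (RFC 2326), rewrites the client_port parameter from a NAT mapping, pairs the request and response by CSeq, and opens the two UDP pinholes (RTP and RTCP) once the server_port is known. Because interleaved mode is not supported, a SETUP that requests it is refused rather than tracked. The RtspAlg class, its nat_map argument, the assumption that the outside RTCP port is the outside RTP port plus one, and the sample addresses are this example's own constructions.

```python
def parse_transport(value):
    """Split an RTSP Transport header into (transport_spec, params).

    'RTP/AVP;unicast;client_port=8000-8001'
        -> ('RTP/AVP', {'unicast': True, 'client_port': '8000-8001'})
    """
    parts = [p.strip() for p in value.split(";") if p.strip()]
    params = {}
    for p in parts[1:]:
        key, sep, val = p.partition("=")
        params[key] = val if sep else True
    return parts[0], params


def format_transport(spec, params):
    """Inverse of parse_transport, preserving parameter order."""
    return ";".join([spec] + [k if v is True else f"{k}={v}"
                              for k, v in params.items()])


def port_pair(spec):
    """'8000-8001' -> (8000, 8001); a lone port means RTP only."""
    lo, _, hi = spec.partition("-")
    return int(lo), (int(hi) if hi else int(lo))


class RtspAlg:
    """Constructed example class tracking SETUP exchanges on one control connection.

    nat_map: {(inside_ip, inside_rtp_port): (outside_ip, outside_rtp_port)};
    the outside RTCP port is assumed to be outside_rtp_port + 1.
    """

    def __init__(self, nat_map):
        self.nat_map = nat_map
        self.pending = {}     # CSeq -> (client_ip, (rtp_port, rtcp_port))
        self.pinholes = []    # (proto, client_ip, client_port, server_ip, server_port)

    def on_setup(self, cseq, client_ip, transport):
        """Client SETUP: learn client ports, return the rewritten Transport value.

        Returns None for interleaved (in-band) media, which is not handled.
        """
        spec, params = parse_transport(transport)
        if "interleaved" in params or "client_port" not in params:
            return None
        rtp, rtcp = port_pair(params["client_port"])
        out_ip, out_rtp = self.nat_map.get((client_ip, rtp), (client_ip, rtp))
        out_rtcp = out_rtp + 1 if rtcp != rtp else out_rtp
        params["client_port"] = (f"{out_rtp}-{out_rtcp}" if rtcp != rtp
                                 else str(out_rtp))
        self.pending[cseq] = (out_ip, (out_rtp, out_rtcp))
        return format_transport(spec, params)

    def on_setup_response(self, cseq, server_ip, transport):
        """Server 200 OK to SETUP: learn server ports and open the pinholes."""
        if cseq not in self.pending:
            return []
        client_ip, (c_rtp, c_rtcp) = self.pending.pop(cseq)
        _, params = parse_transport(transport)
        if "server_port" not in params:
            return []
        s_rtp, s_rtcp = port_pair(params["server_port"])
        new = [("udp", client_ip, c_rtp, server_ip, s_rtp)]
        if c_rtcp != c_rtp:
            new.append(("udp", client_ip, c_rtcp, server_ip, s_rtcp))
        self.pinholes.extend(new)
        return new
```

With inside 10.0.0.8:8000 mapped to outside 203.0.113.7:30000, the client's "client_port=8000-8001" leaves the ALG as "client_port=30000-30001", and the server's "server_port=5000-5001" reply results in two UDP pinholes between 203.0.113.7 and the server.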
SIP
The Session Initiation Protocol (SIP) is an application layer protocol that can establish, maintain and terminate media sessions. It is a widely used voice over IP (VoIP) signaling protocol. The SIP ALG monitors SIP traffic and dynamically creates and manages pinholes on the signaling and media paths. The ALG only allows packets with the correct permissions. The SIP ALG also performs the following functions:
- Manages parent-child session relationships.
- Enforces security policies.
- Manages pinholes for VoIP traffic.
Starting with Junos OS Release 11.4, the SIP ALG supports Network Address Translation (NAT) and stateful firewall configuration on JSF. The SIP ALG supports the following features:
- Stateful firewall
- Static source NAT
- Dynamic address only source NAT
- Network Address Port Translation (NAPT)
Note: The SIP ALG does not support destination NAT, class of service (CoS), or multicast.
At present, the SIP ALG does not support the following features:
- Encryption and authentication of SIP messages
- Transport of SIP messages over TCP
SQLNet
The SQLNet protocol is used by Oracle SQL servers to execute SQL commands from clients, including load balancing and application-specific services.
Support of stateful firewall and NAT services requires that you configure the SQLNet ALG for TCP port 1521.
The ALG monitors the control packets, opens flows dynamically for data traffic, and performs NAT address and port rewrites.
Talk
The Talk protocol is used for interactive communication between two users. The Talk ALG on the caller negotiates with the Talk program on the receiver about the socket that will be used for the data connection. The Talk ALG has the capability to parse Talk packets, perform Network Address Translation (NAT), and open TCP and UDP gates. The payload contains only client address and port information.
UNIX Remote-Shell Services
UNIX remote-shell service is supported. Remote command execution enables a user on the client system to execute a command on the remote system. The first command from the client (rcmd) to the server (rshd) uses well-known TCP port 514. A second TCP connection can be opened at the request of rcmd. The client port number for the second connection is sent to the server as an ASCII string.
Support of stateful firewall services requires that you configure the Shell ALG on TCP port 514. NAT remote-shell services require that any dynamic source port assigned be within the port range 512 through 1023. If you configure a NAT pool, this port range is reserved exclusively for remote shell applications. NAPT is not supported for remote-shell.