In order to fully understand ALGs we need to know what exactly they are and why they even came into being in the first place. If you spend much of your time mucking around networks you have probably heard the term “ALG” thrown around a time or two, but what exactly are ALGs and why have they been appearing more and more lately?
Well, the term ALG is actually an abbreviation for “Application Layer/Level Gateway.” Back in the early days of streaming internet protocols, once internet security had become a real concern, network administrators began deploying firewall devices and using NAT (“Network Address Translation”) to protect their private networks from harm while still providing all of the usefulness and information that the internet offered.
All of this security and NAT-ing was great at first, but problems quickly arose. End-users started losing functionality for no apparent reason. As it turns out, some of these network administrators were not so good at their jobs, and some of the newer streaming protocols were poorly documented. Additionally, some of these newer streaming protocols didn’t play nicely with NAT. What was happening was one of two things: the newly installed firewalls were actively blocking ports and protocols that these streaming protocols relied upon to deliver functionality to the end-users, or NAT errors were causing the protocol stream to break down or never properly initialize in the first place.
The solution to this was relatively straightforward and easy for a competent network administrator, but as we have already said, some of these NetAdmins were not so competent. Due in part to how quickly the internet spread, the world was beginning to see more and more unqualified personnel administering and supporting networks, as well as the average Joe homeowner building out his own personal home network, since the average household was beginning to have more than one internet-connected device. The problem at this point was very clear: how do we let unqualified network administrators and homeowners “just plug and play” a device into their private network that lets them do all of the neat things they have grown accustomed to on the internet, while still maintaining robust network security?
The answer came from the hardware manufacturers in the form of ALGs running on their devices. The purpose of the ALG was to monitor all internet traffic that traversed the device and, according to very specific pre-programmed rules for each protocol, to dynamically manipulate that traffic, dynamically open and close the firewall running on the device based on usage, and create and destroy NAT rules and table entries in the device itself. The goal was to let certain commonly used protocols function “auto-magically” without any intervention from the end-user or administrator, and without compromising security in the process. If that sounds complicated to you, that’s because it is.
To complicate things even further, many of these emerging protocols were still actively undergoing development and refinement. This meant that the pre-programmed set of rules that allowed a protocol to function no longer worked correctly once the protocol changed to add features and functionality or fix bugs. Now the protocol that you depended on for video conferencing or phone calls (think VoIP via SIP or H.323) quit working until the manufacturer released updated firmware for that device (if you were lucky enough to own a device from a manufacturer kind enough to keep developing for that particular model) that restored the broken functionality. In reality, what ended up happening was that the more mature protocols functioned well while the newer emerging protocols undergoing constant revision and development broke constantly, until they stayed forever broken when the manufacturer dropped support for that particular device. This wasn’t too big of a problem for the average Joe homeowner, as it meant he was only out about $50 and a trip to the local computer store to purchase a “new” router/firewall that was still actively supported. However, for the business customer it is hard to justify spending several hundred dollars every year or two on new routers/firewalls just to keep something working that shouldn’t be breaking in the first place. Since businesses are becoming increasingly dependent upon some of these more cutting-edge protocols, they cannot afford to randomly lose that functionality, nor be at the mercy of a third party to restore it.
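As an added illustration (not code from this post, and not any vendor's ALG), here is a toy SIP ALG in Python that does the two things described above for a SIP call: it rewrites the private address that the phone embeds in its SIP headers and SDP body to the router's public address, and it works out the UDP pinholes to open for the RTP media ports. The `fix_length` switch models one well-known way a real ALG breaks a call: rewriting the body without recomputing `Content-Length`. All addresses and the INVITE message are constructed.

```python
"""Toy SIP ALG (added example, not the post's code). Constructed addresses."""
import re

PRIVATE_IP = "192.168.1.20"  # constructed: phone behind NAT
PUBLIC_IP = "203.0.113.5"    # constructed: router WAN address (TEST-NET-3)

# Constructed SIP INVITE with SDP body, as the phone behind NAT would send it.
# The private address appears in the Via and Contact headers and in the SDP.
INVITE = (
    "INVITE sip:bob@example.com SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;branch=z9hG4bK776\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "Content-Length: 0\r\n"   # placeholder; set by with_length() below
    "\r\n"
    "v=0\r\n"
    "o=alice 1 1 IN IP4 192.168.1.20\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "m=audio 16384 RTP/AVP 0\r\n"
)


def with_length(msg: str) -> str:
    """Return msg with Content-Length set to the real body size."""
    head, body = msg.split("\r\n\r\n", 1)
    head = re.sub(r"Content-Length: \d+", f"Content-Length: {len(body)}", head)
    return head + "\r\n\r\n" + body


def content_length_consistent(msg: str) -> bool:
    """True if the declared Content-Length matches the body actually sent."""
    head, body = msg.split("\r\n\r\n", 1)
    declared = int(re.search(r"Content-Length: (\d+)", head).group(1))
    return declared == len(body)


def alg_rewrite(msg: str, private_ip: str, public_ip: str, fix_length: bool = True):
    """Do what a SIP ALG does: swap the private IP for the public one everywhere
    (headers and SDP) and list the UDP pinholes (RTP port and RTCP port+1) the
    firewall must open so the far end's media can come back in. fix_length=False
    models a buggy ALG that edits the SDP body but leaves the old Content-Length."""
    rewritten = msg.replace(private_ip, public_ip)
    body = rewritten.split("\r\n\r\n", 1)[1]
    pinholes = []
    for port in re.findall(r"^m=audio (\d+)", body, re.M):
        pinholes += [("udp", int(port)), ("udp", int(port) + 1)]
    if fix_length:
        rewritten = with_length(rewritten)
    return rewritten, pinholes
```

Because the public address is a different length from the private one, the buggy variant leaves a `Content-Length` that no longer matches the body, which is exactly the kind of silent breakage an ALG can introduce after a protocol or firmware change.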
I strongly urge all network administrators to simply disable all of the ALGs running on their devices and then properly configure those devices to allow the necessary ports and protocols through, so that the functionality they need is there when they need it. Besides, chances are pretty good that if you don’t know how to disable an ALG and properly configure your router/firewall, you probably don’t need to be messing around on a network anyway. Those of you who bill by the hour probably should keep the ALGs turned on, since you’ll have a constant stream of work troubleshooting all kinds of network issues and upgrading devices for the indefinite future. For everyone else, save yourself the repetitive headaches: disable those ALGs, properly configure your devices the first time, and never worry about them breaking again. Besides, you probably have better things to do with your time. I guess we don’t really need those ALGs after all.
Brent Taylor is CTI’s Chief Network and Systems Engineer, and overall technical guru.