The ALG approach has the following major weaknesses:
A relatively small number of ALGs exist to support modern applications, forcing a designer to make unwelcome compromises.
ALGs are frequently not used to their full potential, as many applications are too complex to describe their details to the ALG. For example, it would be beneficial for an ALG protecting a custom web application, to check all sensitive parameters passed between the client and the server. However, this would require extensive customization of the ALG. Such customization is often not practical or may be impossible due to poor communication with developers or non-disclosure of the application protocol, rendering the ALGs as robust as stateful packet filters.
ALGs might require clients to use modified proxy-aware software or modified client settings.
■ As ALGs terminate application sessions, any packet service (header marking, translation), associated with the client is lost outside the ALG, because the ALG sanitizes the IP protocol and hides the client's identity. For example, router Network Address Translation (NAT) and client-specific quality of service (QoS) cannot be deployed with an ALG in path.
■ ALG processing can significantly impact throughput and latency of a firewall system.
Was this article helpful?