An application level gateway (ALG), or application gateway, is a type of firewall proxy used for network security. Unlike a packet filter, which decides on addresses and ports alone, an application gateway inspects the application-layer data of the protocols it understands, such as File Transfer Protocol (FTP), Telnet, Real Time Streaming Protocol (RTSP) and BitTorrent, and filters that traffic according to predetermined rules.
How Application-Level Gateways Work
Acting as a proxy for application servers and protocols such as FTP, an application level gateway uses deep packet inspection to detect and block malicious traffic before an application session is established or traffic is passed through to the application.
When a client requests access to networked server resources (web pages, databases, or files), the client connects first to the gateway, which then opens a separate connection to the real server. The gateway sits at the network boundary, typically on the firewall between the client's network and the server's.
At a high level, the gateway hides the client's IP address (and other internal details) on the client's behalf. The external server communicates only with the gateway and sees only the gateway's address; it never learns the client's internal address or anything about the client beyond what the gateway forwards.
Application level gateways rely on deep packet inspection: they understand the protocols of the specific applications they support, rather than looking only at packet headers. Here is an example:
Application level gateways can allow firewall traversal for Session Initiation Protocol (SIP). SIP signalling carries, inside its payload, the addresses and ports that the endpoints will use for the media (RTP) streams. If the firewall terminates SIP traffic on an application level gateway, responsibility for evaluating and permitting SIP sessions moves from the firewall's static rules to the gateway, which parses the signalling, rewrites the embedded addresses across NAT and opens only the negotiated media ports for the duration of the call.
In many ways, application level gateways are similar to proxy servers: both sit between clients and servers and mediate the exchange. The difference is in how the client reaches them. An application level gateway is usually transparent, intercepting messages on the firewall without the application being configured to use it, whereas a proxy is typically configured in the client application, so the client is explicitly aware of the proxy and connects to it instead of the real server.
Application-Level Gateway Features
Application gateways typically include the following functions:
- Permitting client applications to use dynamically negotiated TCP/UDP ports alongside the well-known ports of server applications, even when the firewall configuration otherwise allows only a limited set of known ports.
- Translating the network-layer address information embedded inside application payloads between the host addresses valid on each side of the firewall, in other words serving as a gateway between addresses (for example, rewriting the private address in an FTP PORT command to the NAT's public address).
- Identifying application-specific commands and providing granular security controls over those commands.
- Synchronizing multiple data streams or sessions (such as a control channel and the data channels it negotiates) between the two exchanging hosts.
- Preventing network device timeouts before a file transfer completes.
- Deep packet inspection.
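To make the mechanism behind these features concrete, here is an added Python example (not code from this page or from any vendor product) of a toy FTP application level gateway sitting on a NAT firewall. FTP, like the SIP case above, carries the addresses and ports of its data connections inside the control-channel payload, so the gateway must parse the PORT command and the 227 passive-mode reply, rewrite the client's private address to the gateway's public one, open a pinhole only for the negotiated peer and port, and enforce a per-command policy. The addresses, ports, the denied-command list and the control-channel lines are all constructed for the example; the bounce-attack check (a PORT command may only name the client itself) is the one a practitioner would want and is not described on the page.

```python
import re
from dataclasses import dataclass, field

# Constructed topology for this example: a private client behind a NAT
# firewall talks to a public FTP server. All addresses are assumptions.
PUBLIC_IP = "203.0.113.5"        # the gateway's public (outside) address
CLIENT_IP = "10.0.0.42"          # private client on the inside
SERVER_IP = "198.51.100.10"      # public FTP server on the outside

# Commands the administrator has decided not to let through the gateway
# (granular, application-specific command control). Assumed policy.
DENIED_COMMANDS = {"SITE", "DELE", "RMD"}

# FTP encodes a host and port as six decimal octets: h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(fields) -> tuple[str, int]:
    """Turn h1,h2,h3,h4,p1,p2 into ('h1.h2.h3.h4', p1*256+p2), rejecting bad octets."""
    nums = [int(f) for f in fields]
    if len(nums) != 6 or any(not 0 <= n <= 255 for n in nums):
        raise ValueError("FTP host-port field out of range")
    return ".".join(str(n) for n in nums[:4]), nums[4] * 256 + nums[5]


def encode_hostport(ip: str, port: int) -> str:
    """Inverse of decode_hostport, used to rewrite the address in a PORT command."""
    return ",".join(ip.split(".") + [str(port // 256), str(port % 256)])


@dataclass(frozen=True)
class Pinhole:
    """A temporary firewall rule the gateway opens for one expected data connection."""
    src_ip: str      # the only host allowed to initiate
    dst_ip: str      # where it may connect
    dst_port: int


@dataclass
class FtpAlg:
    public_ip: str
    client_ip: str
    server_ip: str
    next_public_port: int = 40000
    pinholes: list = field(default_factory=list)
    nat_map: dict = field(default_factory=dict)  # public port -> (client ip, client port)

    def client_to_server(self, line: str) -> str:
        """Inspect one control-channel line from the client; return what the server sees."""
        verb = line.split(" ", 1)[0].strip().upper()
        if verb in DENIED_COMMANDS:
            raise PermissionError(f"FTP command {verb} blocked by gateway policy")
        m = PORT_RE.match(line)
        if not m:
            return line  # nothing embedded to translate, pass through unchanged
        ip, port = decode_hostport(m.groups())
        # Bounce-attack guard: the client may only ask the server to connect
        # back to the client itself, never to some third host.
        if ip != self.client_ip:
            raise ValueError(f"PORT address {ip} is not the client {self.client_ip}")
        pub_port = self.next_public_port
        self.next_public_port += 1
        self.nat_map[pub_port] = (ip, port)
        # Active mode: the server will connect in, so open a pinhole for the
        # server only, towards the public port that maps back to the client.
        self.pinholes.append(Pinhole(self.server_ip, self.public_ip, pub_port))
        return f"PORT {encode_hostport(self.public_ip, pub_port)}\r\n"

    def server_to_client(self, line: str) -> str:
        """Inspect one control-channel reply from the server; return what the client sees."""
        m = PASV_RE.match(line)
        if not m:
            return line
        ip, port = decode_hostport(m.groups())
        # Passive mode: the client will connect out to ip:port. Only permit that
        # if the reply names the server we are actually talking to.
        if ip != self.server_ip:
            raise ValueError(f"227 reply names {ip}, expected {self.server_ip}")
        self.pinholes.append(Pinhole(self.client_ip, ip, port))
        return line


def demo() -> FtpAlg:
    """Run a constructed control-channel exchange through the gateway."""
    alg = FtpAlg(PUBLIC_IP, CLIENT_IP, SERVER_IP)
    alg.client_to_server("USER anonymous\r\n")
    alg.client_to_server("PORT 10,0,0,42,4,210\r\n")      # client data port 4*256+210 = 1234
    alg.client_to_server("PASV\r\n")
    alg.server_to_client("227 Entering Passive Mode (198,51,100,10,195,88)\r\n")  # port 50008
    return alg


if __name__ == "__main__":
    for hole in demo().pinholes:
        print(f"allow {hole.src_ip} -> {hole.dst_ip}:{hole.dst_port}")
```

Running the demo yields two pinholes: one letting the server reach the gateway's public port 40000 (which the NAT maps back to the client's port 1234), and one letting the client reach the server's passive port 50008. Neither port is in the firewall's static rule set; both exist only because the gateway read them out of the FTP payload, which is exactly what a packet filter cannot do.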
Benefits and Disadvantages of Application-Level Gateways
There are several key advantages and disadvantages to weigh when deciding whether to use an application level gateway.
Application level gateway benefits
- Helping to prevent attacks such as SQL injection, cross-site scripting, and distributed denial of service when the gateway is deployed in front of web applications.
- Increased data protection and help with regulatory data-handling compliance, including GDPR, CCPA, HIPAA and PCI DSS.
- Adding automation that can free up team resources.
Application level gateway disadvantages
There are a few potential challenges or disadvantages to consider when deciding whether to invest in application level gateway technology, including:
- Cost considerations (these solutions can be pricey).
- Performance issues: because application level gateways inspect all traffic, incoming and outgoing, at the application level (deep packet inspection), the system can become a bottleneck if it is not sized to handle the load on computing and networking resources.
- Every protocol (FTP, Telnet, HTTP, SMTP, and so on) requires its own protocol-aware proxy module, so support for new network applications and protocols is often slow to emerge.
- Applications can tunnel other traffic through a permitted protocol (for example inside HTTP or TLS); if the gateway cannot see inside the tunnel it passes the traffic through, negating much of the benefit of having an application level gateway.
- Application level gateways can be challenging for less experienced security analysts to install, configure, and manage.
Application-Level Gateway Firewall Costs
Application level gateway costs vary widely by each organization’s needs. As a general rule, application gateway firewalls can run anywhere from $10 per month into thousands of dollars per month for large enterprise network needs.
Microsoft Azure Application Gateway, a popular application level gateway product, currently charges $0.0246 per fixed “gateway hour” and $0.0008 per “capacity unit hour.”
Top Application-Level Gateway Providers
These products are among the most popular and well-rated for application level gateway functions (several are primarily load balancers or application delivery controllers that add protocol-aware inspection and WAF features):
- Microsoft: Azure Application Gateway
- AWS: Elastic Load Balancing
- Google: Google Cloud Load Balancing
- F5: BIG-IP Local Traffic Manager
- Citrix: ADC
- HAProxy Technologies: HAProxy Enterprise
- Kemp: LoadMaster
- HashiCorp: Consul
- F5: NGINX
When Should You Use an Application-Level Gateway?
If any of these use cases apply, you may benefit from an application level gateway:
- Routing traffic based on information in your host headers.
- Support for protocols like FTP, Telnet, HTTP, HTTPS and WebSockets (some application gateway providers cover additional protocols, but most cover these).
- Customizing security controls for a web application firewall.
- Distributed Denial of Service protection.
- SQL injection protection.
- Compliance with regulations related to data privacy.
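As an added example for the host-header routing use case above (not code from this page or from any vendor product), the following Python functions parse the head of an HTTP/1.1 request and pick a backend from the Host header. Because the Host header is attacker-controlled, the gateway normalizes the value, refuses requests with no Host or more than one, validates the syntax, and routes only to names on an explicit allowlist instead of falling back to a default backend. The route table, hostnames and request bytes are constructed for the example.

```python
import re

# Constructed route table for this example: hostname -> backend pool.
# Hostnames and pool names are assumptions, not from the page.
ROUTES = {
    "www.example.com": "web-pool:8080",
    "api.example.com": "api-pool:9000",
}

# A valid Host value is a hostname, optionally followed by :port.
HOST_RE = re.compile(
    r"^(?P<host>[a-z0-9](?:[a-z0-9.-]*[a-z0-9])?)(?::(?P<port>\d{1,5}))?$"
)


class RoutingError(ValueError):
    """Raised for requests the gateway refuses to forward."""


def parse_request_head(raw: bytes) -> tuple[str, dict]:
    """Split an HTTP/1.1 request head into (request line, {lowercased name: value})."""
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise RoutingError("incomplete request head")
    lines = head.decode("latin-1").split("\r\n")
    request_line, headers = lines[0], {}
    for line in lines[1:]:
        if ":" not in line:
            raise RoutingError(f"malformed header line: {line!r}")
        name, value = line.split(":", 1)
        name = name.strip().lower()
        # Two Host headers is ambiguous (and a classic smuggling signal): refuse.
        if name == "host" and name in headers:
            raise RoutingError("duplicate Host header")
        headers[name] = value.strip()
    return request_line, headers


def normalize_host(value: str) -> str:
    """Lowercase the Host value, drop any :port and reject anything else."""
    m = HOST_RE.match(value.strip().lower())
    if not m:
        raise RoutingError(f"invalid Host header: {value!r}")
    return m.group("host")


def choose_backend(raw: bytes) -> str:
    """Return the backend for a request, or raise RoutingError."""
    _request_line, headers = parse_request_head(raw)
    if "host" not in headers:
        raise RoutingError("HTTP/1.1 request without a Host header")
    host = normalize_host(headers["host"])
    if host not in ROUTES:
        # Deliberately no catch-all backend: an unknown Host is refused, so a
        # forged Host cannot steer a request to an internal pool.
        raise RoutingError(f"no route for host {host!r}")
    return ROUTES[host]


if __name__ == "__main__":
    request = b"GET /v1/users HTTP/1.1\r\nHost: API.example.com:443\r\nUser-Agent: demo\r\n\r\n"
    print(choose_backend(request))
```

The design point is that the Host header is used for routing only after it has been normalized and matched against the allowlist; a gateway that routes on the raw header, or that sends unknown hosts to a default pool, turns Host-header injection into a way of reaching backends the sender was never meant to see.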
Bottom Line: Application-Level Gateways
Application level gateways provide additional security for enterprise networks that can benefit from a proxy approach to gatekeeping. They are also useful for strengthening data security controls when enterprises need to demonstrate compliance with industry and government data privacy regulations. However, because application level gateways operate by performing deep packet inspection, they can slow down network performance and can be expensive.