Chapter 10: ALGs

10.1. Overview

In addition to low-level packet filtering (which inspects only packet headers in protocols such as IP, TCP, UDP, and ICMP), cOS Stream provides a set of Application Layer Gateways (ALGs) which can examine and filter traffic at the application layer of the OSI model.

An ALG object acts as a mediator when hosts on the protected network access Internet hosts outside it, for example for FTP file transfer or for VoIP using SIP. ALGs provide improved security over basic packet filtering since they are able to perform security checks at a higher level in the TCP/IP stack, where protocol commands and payloads are visible rather than only headers.

ALGs currently exist for the following protocols:

  • FTP
  • SIP
  • DNS
  • Syslog

Deploying an ALG

Each type of ALG has a unique profile object associated with it. The profile object must be associated with an IPRule object in order to apply the ALG to the traffic filtered by that rule. For example, an FTPAlgProfile object is used with an IP rule to activate the FTP ALG. For convenience, cOS Stream provides predefined ALG profile objects. These are read-only, but the administrator can create custom profile objects with different property values. For example, an FTPAlgProfile object instance called ftp-passthrough is predefined in cOS Stream.

In addition, the IPRule object must have a ServiceTCPUDP object specified for its Service property that corresponds to the targeted protocol, and the AppProto property of that ServiceTCPUDP object must be set to the targeted protocol. Predefined ServiceTCPUDP objects that already have the AppProto property correctly set are provided for this purpose. For example, a predefined ServiceTCPUDP object called ftp can be used with the FTP ALG.