Thursday, November 6, 2014

L2 firewalls ( the good bad and ugly )

In this post we will talk about Layer2 ( aka  transparent  ) firewalls

A lot of networks deploy transparent-modes  firewalls for security within there network topology.  I will list some of the  PROs and CONs for this type of deployment


1: Very little changes are required to install into a existing network

Yes this is  the most common statement heard and it's true. You typically do not need to re-address or change any layer3 addressing. The firewall will be bump in the wire and requires a IN and OUT interface

2: The transparent firewall handle multicast traffic with ease

Will not a big positive since you still have the mcast client, routers and servers, but the passing of multicast packets is typically a new rule or turning on a feature for the allowance of multicast.  You don't have to worry about injecting  or participation of any multicast routing  protocols or modifying the multicast tree.

3: Doesn't require any advance routing skills

Will this should obvious with the name of "L2 firewall". You don't have the  added overhead of l3 protocols, flapping, and route changes or monitoring. This also reduce the knowledge of the  security engineer from knowing  how  to use OSPF, BGP or in cisco case EIGRP

4: The firewall is transparent so it's harder to detect.

Since the firewall is transparent, it will not be detected under a ping sweep, or by other means. It has no L3 address outside of the typical inside management or dedicated management port. These typically aren't exposed to the untrust internet or public facing. The firewall that have IDS/IPS will still inject  client-side reset or drop half-open sessions ( you should never send reset to any external untrust segments imho ). but all of this protection is done via ip_spoof'ing.


1: Redundancy can be harder to achieve or relies on the use of just the STP  layer2 protocols

yes , you have very little to no redundancy  outside of a Spanning Tree protocol that's running.

2: Link failure, mistakes, bad hardware or wiring, can  interrupt your network ad cause loops or  wreck havoc.

Yes, improper design/practices, link failures, uni-directional paths , or STP issues can cause problems. If you run multiple vlans across your inside and outside interfaces, one vlan can tear up a firewall availability very badly , or cause systems wide issues.

3: Transparent firewall are almost 100% harder to run in a HA Active-Active mode

This is primarily due to STP and  multi-paths will be blocked. Since you have no layer3 routing protocols, you  are at the mercy of the layer2 paths. Or will need to look at other alternatives.

4: It is very hard to almost next too impossible to control QoS

You typically can not use traffic shaping or other QoS methods with transparent firewalls.

5: The NAT/PAT thing is pretty much a no-go

Yes you have no addressed interfaces, so you can't readily NAT things. Fortigates have made an exception to this rule, but for the most part you have limited Network Addressing capabilities. Even features like NAT66 or NAT46 is almost extinct in transparent firewall.

6:  Since the firewall maintain a layer2 forwarding database, it's suspect to the same  layer2 LAN attacks and  with mac-address flooding being the most critical.

Good news, this attack is next to impossible to pull off remotely & would require the attacker to be present locally on the wire.

So those are some of the PRO/CONS with the use of layer2 firewalls.

Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix  -----a----t---- socpuppets ---dot---com
   ^      ^
=(  *  * )=
      /  \

No comments:

Post a Comment