In this post we will talk about Layer2 ( aka transparent ) firewalls
A lot of networks deploy transparent-modes firewalls for security within there network topology. I will list some of the PROs and CONs for this type of deployment
PRO
1: Very little changes are required to install into a existing network
Yes this is the most common statement heard and it's true. You typically do not need to re-address or change any layer3 addressing. The firewall will be bump in the wire and requires a IN and OUT interface
2: The transparent firewall handle multicast traffic with ease
Will not a big positive since you still have the mcast client, routers and servers, but the passing of multicast packets is typically a new rule or turning on a feature for the allowance of multicast. You don't have to worry about injecting or participation of any multicast routing protocols or modifying the multicast tree.
3: Doesn't require any advance routing skills
Will this should obvious with the name of "L2 firewall". You don't have the added overhead of l3 protocols, flapping, and route changes or monitoring. This also reduce the knowledge of the security engineer from knowing how to use OSPF, BGP or in cisco case EIGRP
4: The firewall is transparent so it's harder to detect.
Since the firewall is transparent, it will not be detected under a ping sweep, or by other means. It has no L3 address outside of the typical inside management or dedicated management port. These typically aren't exposed to the untrust internet or public facing. The firewall that have IDS/IPS will still inject client-side reset or drop half-open sessions ( you should never send reset to any external untrust segments imho ). but all of this protection is done via ip_spoof'ing.
CON
1: Redundancy can be harder to achieve or relies on the use of just the STP layer2 protocols
yes , you have very little to no redundancy outside of a Spanning Tree protocol that's running.
2: Link failure, mistakes, bad hardware or wiring, can interrupt your network ad cause loops or wreck havoc.
Yes, improper design/practices, link failures, uni-directional paths , or STP issues can cause problems. If you run multiple vlans across your inside and outside interfaces, one vlan can tear up a firewall availability very badly , or cause systems wide issues.
3: Transparent firewall are almost 100% harder to run in a HA Active-Active mode
This is primarily due to STP and multi-paths will be blocked. Since you have no layer3 routing protocols, you are at the mercy of the layer2 paths. Or will need to look at other alternatives.
4: It is very hard to almost next too impossible to control QoS
You typically can not use traffic shaping or other QoS methods with transparent firewalls.
5: The NAT/PAT thing is pretty much a no-go
Yes you have no addressed interfaces, so you can't readily NAT things. Fortigates have made an exception to this rule, but for the most part you have limited Network Addressing capabilities. Even features like NAT66 or NAT46 is almost extinct in transparent firewall.
6: Since the firewall maintain a layer2 forwarding database, it's suspect to the same layer2 LAN attacks and with mac-address flooding being the most critical.
Good news, this attack is next to impossible to pull off remotely & would require the attacker to be present locally on the wire.
So those are some of the PRO/CONS with the use of layer2 firewalls.
Ken Felix
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( * * )=
o
/ \
No comments:
Post a Comment