Before it can start enforcing access control policies between domains of trust, a firewall needs to be inserted in the network topology. The two basic firewall connectivity options, Routed Mode and Transparent Mode, are briefly examined below:
- Routed Mode: in this arrangement the firewall works as a Layer 3 element (much like a router) from the perspective of the hosts connected to it. Each of its interfaces belongs to a different logical subnet, and packets are routed between them subject to the access policy. In the reference scenario, the inside interface has the IP address 192.168.2.2, whereas the outside interface uses 172.20.20.2. Because the firewall is the L3 hop between the two subnets, machines on the inside must configure 192.168.2.2 as their default gateway in order to reach outside destinations.
- Transparent Mode: the firewall acts as a conditional (transparent) bridge, forwarding frames between its interfaces based on Layer 2 information. In this case, the two interfaces represented in the figure connect to the same L3 subnet, and the inside hosts use the external router (192.168.1.1) as their gateway to reach outside destinations. The great motivation for this connectivity model is that the firewall can be inserted in the network without changing the existing IP addressing scheme (which may be quite convenient in various situations).
A technical term may not sound so intuitive the first time you hear it. For example, during a presentation a customer once told me that he did not understand why “his transparent firewall was blocking everything”. “After all, it was supposed to be transparent…”
I just registered this situation to emphasize one key point: the term “transparent” relates to “transparent bridging” (the basic bridging technology for Ethernet interfaces). It is used with connectivity in mind and does not imply less security.
Actually, as we will see in other posts, the construction of firewall policies is basically the same for transparent and routed modes.
- Transparent mode is often called bridge mode. (Why?)
- A transparent firewall is sometimes referred to as a stealth firewall, because it is not an L3 hop: hosts do not address it as a gateway and it does not show up as a hop in a traceroute.
- A transparent firewall is very interesting for adding filtering capabilities between elements that require L3 adjacency (that is, elements that must sit on the same subnet). This is the case for two neighbor routers running an Interior Gateway Protocol (IGP) such as OSPF or EIGRP. Note that the firewall still has to be told to permit the IGP traffic itself (OSPF is IP protocol 89, EIGRP is IP protocol 88); “transparent” does not mean “permit everything”.
- Another common use of a transparent firewall is in a multicast routing scenario. The firewall just bridges the multicast packets (and the IGMP and PIM control traffic, which remain subject to the access policy) and does not participate in multicast routing.
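To make the two connectivity models concrete, here is an added configuration example; it is not from the original post and is written in Cisco ASA (8.4 or later) syntax, since the BVI terminology used on this page is Cisco's. The IP addresses are those of the reference scenario; the interface names, subnet masks, the bridge-group number, the BVI management address 192.168.1.2, the outside next hop 172.20.20.1 and the ACL name are assumptions. The two halves are alternatives (a unit runs in either routed or transparent mode, and changing the mode with “firewall transparent” clears the running configuration). The last lines show the OSPF neighbor case from the list above: the bridge forwards the frames, but the policy still has to permit the protocol.

```cisco
! ---------- Alternative 1: routed mode (the default) ----------
! Each interface is an L3 hop in its own subnet.
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 172.20.20.2 255.255.255.0
!
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 192.168.2.2 255.255.255.0
!
! Inside hosts point their default gateway at 192.168.2.2.
! The firewall itself needs a route toward the outside (next hop assumed).
route outside 0.0.0.0 0.0.0.0 172.20.20.1

! ---------- Alternative 2: transparent mode ----------
! Both data interfaces join one bridge group and carry no IP address.
firewall transparent
!
interface GigabitEthernet0/0
 nameif outside
 bridge-group 1
 security-level 0
!
interface GigabitEthernet0/1
 nameif inside
 bridge-group 1
 security-level 100
!
! The BVI holds only the management address of the bridge group (value assumed),
! taken from the subnet the hosts already use. Hosts keep 192.168.1.1 as gateway,
! so the existing addressing plan is untouched.
interface BVI1
 ip address 192.168.1.2 255.255.255.0
!
! Still a firewall: traffic entering the lower-security "outside" interface is
! dropped unless a policy permits it. For two routers on either side of the bridge
! to form an OSPF adjacency, OSPF (IP protocol 89) must be allowed inbound on
! outside; the inside-to-outside direction is allowed by the security-level model.
! Use the "eigrp" keyword (IP protocol 88) instead for EIGRP neighbors.
access-list OUTSIDE_IN extended permit ospf any any
access-group OUTSIDE_IN in interface outside
```

The same pattern applies to the multicast case in the list: with the bridge in place, the data stream and the IGMP/PIM control traffic cross the firewall as frames, but each still needs an entry in the access policy of the interface it enters.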
** Topics for Study:
- Do a quick review of transparent bridging technology
- What is a Bridged Virtual Interface (BVI)?
** Related Posts:
- Routing Series: https://alexandremspmoraes.wordpress.com/tag/routing/
- Bridging Series: https://alexandremspmoraes.wordpress.com/tag/bridging/
- Firewalls Series: https://alexandremspmoraes.wordpress.com/tag/firewalls/