Page 1: Drawbridge – Invisible “Bridge Mode Firewalls” in Use for ... (media.gswi.westcon.com/media/Westcon south africa...) · Felix Blank 10.04.2012

Felix Blank 10.04.2012

Drawbridge – Invisible “Bridge Mode Firewalls” in Use for Business Author: Felix Blank, Head of QA, gateprotect AG, Hamburg

Gartner has been predicting it for several years: the need for firewalls that can do more than just filter ports and protocols will continue to grow. Business processes depend on the fast and secure movement of data across the network, and that network is web-based, virtualized and interconnected with traditional infrastructures in complex ways. Almost inevitably, security policies and technologies become the crux of the matter. Besides the usual deployment as a network firewall, there is a further practical way of using firewalls. Firewalls of this type are called “Transparent Firewalls”, “Bridge-Mode Firewalls” or “Stealth Firewalls”. In the mode of the same name, they are invisible in the network because they have no IP address. On the one hand, they carry out their inspections invisibly within their own network; on the other hand, even potential attackers are unable to connect to them.

A normal firewall acts as the central router or Internet gateway of the network, so its IP address must be entered as the gateway on every computer in the local network. In the “bump-in-the-wire” configuration described here, however, the firewall is not supposed to change the existing network at all. A firewall that is “transparent” to the IP network must therefore not be visible at that layer.

Figure 1 Packet Layers

The different protocol layers of network traffic are described by the OSI reference model (Open Systems Interconnection Reference Model). The first layer covers the physical transmission of electrical signals. Layer 2, the data link layer, mostly forwards Ethernet frames; addressing is done with media access control addresses (MAC addresses), the hardware addresses of each network adapter, which identify a device precisely within the local network. On layer 3 there is primarily the Internet Protocol, which delivers packets based on IP addresses. Layer 4 holds the transport protocols TCP (Transmission Control Protocol) and UDP (User Datagram Protocol). Layers 5 and 6 are not relevant for transparent firewalls; what matters for modern firewalls is inspecting the top layer, layer 7. This is where web and SPAM filters as well as Application Control do their job.

One Can do Without: Transparent Firewalls do not Need any IP Addresses

Transparent firewalls work on OSI layer 2. Like switches in the local Ethernet, they need no IP addresses but use MAC addresses to forward Ethernet frames. A transparent firewall takes on the role of a switch in the network, accepting Ethernet frames and forwarding them unchanged to the addressed computers. Thus, the firewall remains invisible.

Compared to a switch, however, a transparent firewall does considerably more:

(Figure 2 labels: Layer 2, Layer 3, Layer 4, Layer 7)


Figure 2 Switch vs. Transparent Firewall

A switch forwards frames without checking them. The frame may carry a virus, a forbidden website, a SPAM mail or an MP3 file. The transparent firewall does indeed accept layer 2 frames and forwards them as well, but inside the firewall all protocol layers are inspected and filtered.

Figure 3 Operation of a Transparent Firewall

A transparent firewall is connected through bridges rather than through network cards that carry IP addresses. On a Linux-based firewall, an ordinary network card is bound into a bridge interface, which is then not named “eth0”, as usual, but “br0”. Network interfaces operating at different layers can be combined, so a transparent firewall can still have IP addresses on certain interfaces. The firewall administrator is given a separate network interface, carrying an IP address of the firewall, for setting it up and monitoring it.

Inside, all firewall functions such as antivirus, web and content filtering are active. By means of deep packet inspection, each packet is unpacked and analyzed across layers 2 to 7.


Transparent Firewalls are Practical

In small company networks, transparent firewalls can replace switches and at the same time constitute a complete firewall. This “bump-in-the-wire” scenario changes nothing in the network. The different network segments, such as the director’s computer, the file server, and the engineering and sales networks, remain in one IP network and merely have to be connected to several network interfaces of the transparent firewall. All connections in this network then pass through the interposed firewall.

For example, a file server with minor security weaknesses no longer needs to be reachable on all TCP/UDP ports, but only on the service ports the server actually offers. Viruses, SPAM and undesired websites are kept out.

Figure 4 Bump-in-the-wire Scenario (diagram labels: Internet, DSL router, transparent firewall, engineering, sales, manager, file server, printer)

A transparent firewall can do even more: it can be deployed unnoticed between the Internet gateway and the local network in order to collect information.

Figure 5 Transparent Monitoring Firewall (diagram labels: Internet, DSL modem, normal firewall, transparent firewall, engineering, sales, manager, file server, printer)

It analyzes traffic across all OSI layers and monitors the entire network traffic. In doing so, it unobtrusively generates statistics on bandwidth use and data volume per IP address as well as detailed website and email assessments.


In addition, the Deep Packet Inspection recognizes all used TCP/UDP ports as well as protocols down to the last detail.

Mixed IPv4-/IPv6 Networks without any Compliance Risk

Often large parts of a network infrastructure are IPv6-capable and pass IPv6 traffic as a matter of course, even where only IPv4 operation is permitted. If IPv6 traffic is already flowing in the network, the applicable compliance guidelines are being violated. An appliance deployed as a transparent bridge analyzes the entire data traffic and blocks it where necessary.
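The following added example, which is not code from the article or from gateprotect, models in Python the bridge behaviour described in the preceding sections: frames are unpacked layer by layer (the deep packet inspection of layers 2 to 4 here; layer 7 filtering is left out), the file server from the bump-in-the-wire scenario is reachable only on its service ports, every frame feeds per-source statistics as in the monitoring scenario, and IPv6 frames are dropped when the site permits IPv4 only. All MAC and IP addresses, ports, the policy values and the sample frames are constructed for this example.

```python
"""Toy bridge-mode inspection engine (added example, not gateprotect code).

Frames arrive on one bridge port, are unpacked layer by layer (2 -> 3 -> 4),
checked against a small policy, and either forwarded unchanged or dropped.
The bridge itself has no IP address: no rule ever refers to an address of the
firewall, only to the addresses inside the frames it carries.
"""
import ipaddress
import struct
from collections import defaultdict

ETH_IPV4 = 0x0800
ETH_IPV6 = 0x86DD
PROTO_TCP, PROTO_UDP = 6, 17

# Policy (constructed values, assumed for the example):
FILESERVER_IP = "192.168.1.20"   # file server with known weak spots
FILESERVER_PORTS = {139, 445}    # the only service ports it should be reached on
IPV6_ALLOWED = False             # site runs IPv4 only by compliance rule


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Unpack Ethernet (L2), IPv4/IPv6 (L3) and TCP/UDP ports (L4)."""
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst_mac": _mac(dst), "src_mac": _mac(src),
            "ethertype": ethertype, "length": len(frame)}
    l3 = frame[14:]
    if ethertype == ETH_IPV4:
        hdr_len = (l3[0] & 0x0F) * 4          # IHL in 32-bit words
        info.update(ip_version=4, proto=l3[9],
                    src_ip=str(ipaddress.IPv4Address(l3[12:16])),
                    dst_ip=str(ipaddress.IPv4Address(l3[16:20])))
        l4 = l3[hdr_len:]
    elif ethertype == ETH_IPV6:
        info.update(ip_version=6, proto=l3[6],  # "next header" field
                    src_ip=str(ipaddress.IPv6Address(l3[8:24])),
                    dst_ip=str(ipaddress.IPv6Address(l3[24:40])))
        l4 = l3[40:]
    else:
        return info  # ARP etc.: forwarded like a switch would, no L3 data
    if info["proto"] in (PROTO_TCP, PROTO_UDP):  # both start with sport, dport
        info["sport"], info["dport"] = struct.unpack("!HH", l4[:4])
    return info


def decide(info: dict) -> str:
    """Return 'forward' or 'drop:<reason>' for one parsed frame."""
    if info.get("ip_version") == 6 and not IPV6_ALLOWED:
        return "drop:ipv6-policy"
    # Anything to the file server that is not TCP/UDP on a service port is dropped.
    if info.get("dst_ip") == FILESERVER_IP and info.get("dport") not in FILESERVER_PORTS:
        return "drop:fileserver-port"
    return "forward"


def bridge(frames):
    """Process frames; return verdicts, the forwarded frames (unchanged) and per-source stats."""
    stats = defaultdict(lambda: {"frames": 0, "bytes": 0})
    verdicts, forwarded = [], []
    for frame in frames:
        info = parse_frame(frame)
        verdict = decide(info)
        key = info.get("src_ip", info["src_mac"])  # per-IP statistics, MAC if no L3
        stats[key]["frames"] += 1
        stats[key]["bytes"] += info["length"]
        verdicts.append(verdict)
        if verdict == "forward":
            forwarded.append(frame)             # passed on byte-for-byte
    return verdicts, forwarded, dict(stats)


# --- constructed sample traffic (dst MAC, src MAC) --------------------------
_ETH = bytes.fromhex("66778899aabb") + bytes.fromhex("001122334455")


def ipv4_frame(src, dst, proto, sport, dport):
    l4_len = 20 if proto == PROTO_TCP else 8   # minimal TCP / UDP header
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + l4_len, 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    l4 = struct.pack("!HH", sport, dport).ljust(l4_len, b"\x00")
    return _ETH + struct.pack("!H", ETH_IPV4) + ip + l4


def ipv6_frame(src, dst, proto, sport, dport):
    l4 = struct.pack("!HH", sport, dport).ljust(8, b"\x00")
    ip6 = (struct.pack("!IHBB", 0x60000000, len(l4), proto, 64)
           + ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed)
    return _ETH + struct.pack("!H", ETH_IPV6) + ip6 + l4


SAMPLE_FRAMES = [
    ipv4_frame("192.168.1.50", "192.168.1.20", PROTO_TCP, 50000, 445),   # SMB to file server
    ipv4_frame("192.168.1.50", "192.168.1.20", PROTO_TCP, 50001, 3389),  # RDP to file server
    ipv4_frame("192.168.1.50", "192.168.1.1", PROTO_UDP, 50002, 53),     # DNS to DSL router
    ipv6_frame("fe80::1", "ff02::1:2", PROTO_UDP, 546, 547),             # stray DHCPv6
]

if __name__ == "__main__":
    verdicts, forwarded, stats = bridge(SAMPLE_FRAMES)
    for verdict in verdicts:
        print(verdict)
    print(stats)
```

The policy never compares anything against an address of the firewall itself; the bridge only reads the addresses inside the frames it carries, which is what lets it operate without an IP address of its own. Frames that pass are handed on unchanged, exactly as a switch would do, while the statistics dictionary is the raw material for the per-IP bandwidth reports mentioned in the monitoring scenario.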

Conclusion

Not even transparent firewalls are perfect: delivering a substitute web page when blocking a forbidden URL, or displaying a SPAM quarantine page, is only possible if the transparent firewall has an IP address. This mixed (layer 2 and layer 3) mode may be easy to configure, but at that point the invisibility is gone. And: setting up a transparent firewall requires extensive network and firewall knowledge.