Firewall Selection and Placement


  • firewalls can be implemented as:
    • hardware appliance
    • software running on computing host
  • some firewalls are designed for placement at network or segment borders
    • others are designed to protect individual hosts
  • selection of a network firewall depends on the volume of traffic it has to process
    • single firewall can represent a network bottleneck if it is not able to handle the required traffic volume

An appliance firewall is a stand-alone hardware firewall that performs only the function of a firewall.

  • functions are implemented on the appliance firmware
  • a type of network-based firewall
  • monitors all traffic passing into and out of a network segment
  • 3 ways to implement:
    • Routed (layer 3)
      • firewall performs forwarding between subnets
      • Each interface on the firewall:
        • connects to a different subnet
          • represents a different security zone
        • is configured with an IP and MAC address
    • Bridged (layer 2)
      • firewall inspects traffic passing between two nodes
        • e.g., router and a switch
      • bridges the Ethernet interfaces between the two nodes, working like a switch
      • can inspect and filter traffic on the basis of the full range of packet headers
        • despite working at layer 2
      • interfaces are configured with MAC addresses
        • but not IP addresses
    • Inline (layer 1)
      • firewall acts as a cable segment
      • two interfaces don’t have MAC or IP addresses
      • Traffic received on one interface is either blocked or forwarded over the other interface
      • referred to as virtual wire, bump-in-the-wire firewall
    • bridged and inline firewall modes can be referred to as transparent modes
      • typical use case
        • deploy a firewall without having to reconfigure subnets and reassign IP addresses on other devices
      • e.g., deploy a transparent firewall in front of a web server host without having to change the host’s IP address
      • could be placed between a router and a switch
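
A small model of the three deployment modes, added here as an illustration and not part of the original notes. The interface names, MAC/IP addresses, subnets and the single "TCP/443 to the web server" rule are constructed sample values. The point it shows: the same header-based policy is applied in every mode, but only the routed firewall needs IP addresses, performs a route lookup and rewrites the frame; the bridged mode learns MACs like a switch and passes frames unchanged; the inline mode simply passes or blocks between its two ports.

```python
"""Toy model of routed (L3), bridged (L2) and inline (L1) firewall modes.
Added example; all addresses, names and the policy are constructed samples."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass
class Packet:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str
    dst_port: int
    ttl: int = 64


# One policy shared by all modes: it inspects L3/L4 headers whether or not the
# firewall owns an IP address on the inspected path (constructed sample rule).
WEB_SERVER = "203.0.113.10"


def policy_allows(pkt: Packet) -> bool:
    """Permit only TCP/443 to the web server; everything else is dropped."""
    return pkt.proto == "tcp" and pkt.dst_ip == WEB_SERVER and pkt.dst_port == 443


class RoutedFirewall:
    """Layer-3 mode: each interface has a MAC and an IP and sits in its own subnet."""

    def __init__(self):
        self.ifaces = {  # name -> (mac, ip, subnet); constructed values
            "outside": ("02:00:00:00:00:01", "198.51.100.1", ipaddress.ip_network("198.51.100.0/24")),
            "dmz": ("02:00:00:00:00:02", "203.0.113.1", ipaddress.ip_network("203.0.113.0/24")),
        }
        self.arp = {WEB_SERVER: "02:00:00:00:00:10"}  # neighbour table (constructed)

    def handle(self, in_if, pkt):
        mac, _, _ = self.ifaces[in_if]
        if pkt.dst_mac != mac:  # a routed hop only handles frames addressed to it
            return None
        if not policy_allows(pkt):
            return None
        dst = ipaddress.ip_address(pkt.dst_ip)
        out_if = next((n for n, (_, _, net) in self.ifaces.items() if dst in net), None)
        if out_if is None or out_if == in_if:
            return None
        out_mac = self.ifaces[out_if][0]
        # Forwarding rewrites the Ethernet header and decrements TTL, like any router.
        return out_if, replace(pkt, src_mac=out_mac, dst_mac=self.arp[pkt.dst_ip], ttl=pkt.ttl - 1)


class BridgedFirewall:
    """Layer-2 mode: ports have MACs but no IPs; behaves like a filtering switch."""

    def __init__(self, a="eth0", b="eth1"):
        self.ports = (a, b)
        self.mac_table = {}  # learned: source MAC -> port

    def other(self, port):
        return self.ports[1] if port == self.ports[0] else self.ports[0]

    def handle(self, in_if, pkt):
        self.mac_table[pkt.src_mac] = in_if  # switch-style source learning
        if not policy_allows(pkt):
            return None
        out_if = self.mac_table.get(pkt.dst_mac)
        if out_if is None:  # unknown destination: flood to the other port
            out_if = self.other(in_if)
        elif out_if == in_if:  # destination is on the same side; nothing to bridge
            return None
        return out_if, pkt  # frame is forwarded unchanged


class InlineFirewall:
    """Layer-1 'virtual wire': no MAC or IP on either port; pass or block only."""

    def __init__(self, a="wire0", b="wire1"):
        self.ports = (a, b)

    def handle(self, in_if, pkt):
        if not policy_allows(pkt):
            return None
        return (self.ports[1] if in_if == self.ports[0] else self.ports[0]), pkt


def demo():
    """Run one allowed and one blocked packet through each mode (constructed traffic)."""
    allowed = Packet("02:00:00:00:00:aa", "02:00:00:00:00:01", "198.51.100.50", WEB_SERVER, "tcp", 443)
    blocked = replace(allowed, dst_port=22)
    return {
        "routed": RoutedFirewall().handle("outside", allowed),
        "routed_blocked": RoutedFirewall().handle("outside", blocked),
        # in transparent modes the frame is addressed to the server, not the firewall
        "bridged": BridgedFirewall().handle("eth0", replace(allowed, dst_mac="02:00:00:00:00:10")),
        "inline": InlineFirewall().handle("wire0", replace(allowed, dst_mac="02:00:00:00:00:10")),
        "inline_blocked": InlineFirewall().handle("wire0", blocked),
    }


if __name__ == "__main__":
    for mode, result in demo().items():
        print(mode, "->", result)
```

Note the two details the notes call out: in routed mode the outgoing frame carries the firewall's own source MAC and a decremented TTL, whereas in the bridged and inline results the frame is returned byte-for-byte as it arrived, which is exactly why those modes can be dropped in front of a host without renumbering anything.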

Info

A transparent firewall needs an additional interface for management and configuration.

  • This management interface does have an IP address
  • A routed firewall can either
    • have a dedicated management interface
    • or accept management traffic on any interface
  • Using a dedicated management interface is more secure

A router firewall has firewall functionality built into the router firmware.

  • similar to appliance firewall
    • but router appliance is primarily designed for routing
      • with a firewall as a secondary feature
  • most SOHO Internet routers/modems have this type of firewall functionality
    • typically limited to supporting a single subnet within the home network
  • an enterprise-class firewall can support far more concurrent sessions