RE: [fw-wiz] Layer 2 firewalls ...

From: Paul Melson (pmelson_at_gmail.com)
Date: 08/30/05

  • Next message: Michael Cox: "[fw-wiz] firewall rule lifecycle management"
    To: "'Andrew K. Adams'" <akadams@psc.edu>, <firewall-wizards@honor.icsalabs.com>
    Date: Tue, 30 Aug 2005 09:52:36 -0400

    If we're talking about the same thing, layer 2 firewalls are just bridges
    that inspect packets and act on them, much the same way a typical network
    firewall would. You can still perform NAT and its subsets (PAT,
    port-forwarding, etc.) with a bridging firewall. (OK, *some* bridging
    firewalls perform NAT, others can't and are junk.)

    The main drawback that I am aware of is a lack of flexibility in network
    architecture surrounding bridges and thus, bridging firewalls. If you want
    to use routed networks on both sides of your firewall, it must be in the
    physical path between two routers. This can make fail-over and
    load-balancing designs more complicated than they otherwise might be if the
    firewall were a layer 3 hop that could be inserted into a route.

    Anyway, I don't know how much I buy into the advantage of non-addressed
    interfaces. If the goal is to keep an attacker from being able to send
    packets directly to the firewall interfaces while traffic still passes
    across them, you can use ACLs to filter that traffic on a typical firewall.
    (Check Point has branded this the "stealth rule." Sounds better than the
    "duuhrrr rule.") Also, if there's a bug in your firewall code, that bug can
    likely still be exploited by passing that packet across the bridge. I'm
    still not sure what I've gained, but now I have a firewall I can't ping. ;)

    PaulM

    -----Original Message-----
    Subject: [fw-wiz] Layer 2 firewalls ...

    Is anyone aware of any *disadvantages* of layer 2 firewalls?

    Current marketing seems to be pushing layer 2 firewalls mostly, as far as I
    can tell, to reduce the possibility of the device being compromised (no IP
    address). And it seems to me that any network using a media of Ethernet
    could (and should?) be doing this, unless of course, they needed the device
    to perform layer 3 or 4 utility (e.g., NAT), additionally.

    I readily admit that I don't possess "link layer" expertise, and thus, I
    suspect that I must be missing something further, if layer 2 firewalls are
    indeed a trade-off.

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
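The point PaulM makes about the "stealth rule" is that protecting the firewall's own addresses is a matter of rule placement, not of removing the address, and that bridged traffic still has to pass through the same inspection code. Below is an added example, not code from the thread or from any product mentioned in it: a POSIX shell script that generates an iptables-restore ruleset for a Linux bridging firewall. It assumes (all constructed for the example) a bridge br0 joining eth0 (outside) and eth1 (inside), br_netfilter enabled so iptables sees bridged frames, an optional management IP on br0, a management host MGMT_HOST, and an inside network INSIDE_NET. The INPUT chain plays the stealth rule: only the management host may reach the firewall itself. The FORWARD chain is where the bridged traffic is filtered, which is where a bug in the inspection code would be reached whether or not the box has an address.

```shell
#!/bin/sh
# Added example for a Linux bridging firewall (br0 = eth0 outside + eth1 inside).
# Assumptions (constructed, not from the thread):
#   - br_netfilter is loaded and net.bridge.bridge-nf-call-iptables=1, so
#     bridged frames traverse the iptables FORWARD chain;
#   - the firewall may carry a management-only IP on br0;
#   - MGMT_HOST is the single host allowed to administer the firewall.
# Addresses below are RFC 5737 documentation ranges.
MGMT_HOST="${MGMT_HOST:-192.0.2.10}"
INSIDE_NET="${INSIDE_NET:-198.51.100.0/24}"

# Print the ruleset in iptables-restore format. Nothing is applied here.
# On a bridge, -i/-o match br0, so the physical port is selected with
# -m physdev --physdev-in/--physdev-out.
stealth_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# "stealth rule": traffic addressed to the firewall itself is dropped unless
# it is from the management host; this sits above everything else in INPUT.
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -s $MGMT_HOST -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -j DROP
# bridged traffic: the same inspection a routed firewall would perform
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m physdev --physdev-in eth1 --physdev-out eth0 -s $INSIDE_NET -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -m physdev --physdev-in eth0 --physdev-out eth1 -d $INSIDE_NET -p tcp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -j DROP
COMMIT
EOF
}

# Sanity check before loading: the firewall must drop traffic to itself by
# default, the management exception must exist, and forwarding must be
# default-deny. Returns 0 when all three hold.
check_ruleset() {
    rules=$(stealth_ruleset)
    printf '%s\n' "$rules" | grep -q '^:INPUT DROP'   || return 1
    printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
    printf '%s\n' "$rules" | grep -q -- "-A INPUT -s $MGMT_HOST " || return 1
    return 0
}

# Count the FORWARD rules, i.e. how much inspection logic bridged traffic
# still passes through even though the box need not answer a ping.
forward_rule_count() {
    stealth_ruleset | grep -c -- '^-A FORWARD '
}

case "${1:-}" in
    --apply) check_ruleset && stealth_ruleset | iptables-restore ;;  # needs root
    --check) check_ruleset && echo "ruleset ok" ;;
    *)       stealth_ruleset ;;
esac
```

Run it with no arguments to review the generated rules, `--check` to validate them, and `--apply` (as root, on a host with the assumed interfaces) to load them. If the bridge carries no IP at all, the INPUT chain simply never matches; the FORWARD chain, and any defect in it, is exercised either way.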

