RE: [fw-wiz] Layer 2 firewalls ...
From: Paul Melson (pmelson_at_gmail.com)
To: "'Andrew K. Adams'" <email@example.com>, <firstname.lastname@example.org>
Date: Tue, 30 Aug 2005 09:52:36 -0400

If we're talking about the same thing, layer 2 firewalls are just bridges
that inspect packets and act on them, much the same way a typical network
firewall would. You can still perform NAT and its subsets (PAT,
port-forwarding, etc.) with a bridging firewall. (OK, *some* bridging
firewalls perform NAT, others can't and are junk.)

The main drawback that I am aware of is a lack of flexibility in network
architecture surrounding bridges and thus, bridging firewalls. If you want
to use routed networks on both sides of your firewall, it must be in the
physical path between two routers. This can make fail-over and
load-balancing designs more complicated than they otherwise might be if the
firewall were a layer 3 hop that could be inserted into a route.

Anyway, I don't know how much I buy into the advantage of non-addressed
interfaces. If the goal is to keep an attacker from being able to send
packets directly to the firewall interfaces while traffic still passes
across them, you can use ACLs to filter that traffic on a typical firewall.
(Check Point has branded this the "stealth rule." Sounds better than the
"duuhrrr rule.") Also, if there's a bug in your firewall code, that bug can
likely still be exploited by passing that packet across the bridge. I'm
still not sure what I've gained, but now I have a firewall I can't ping. ;)

Subject: [fw-wiz] Layer 2 firewalls ...

Is anyone aware of any *disadvantages* of layer 2 firewalls?

Current marketing seems to be pushing layer 2 firewalls mostly, as far as I
can tell, to reduce the possibility of the device being compromised (no IP
address.) And it seems to me, that any network using a media of Ethernet
could (and should?) be doing this, unless of course, they needed the device
to perform layer 3 or 4 utility (e.g., NAT), additionally.

I readily admit that I don't possess "link layer" expertise, and thus, I
suspect that I must be missing something further, if layer 2 firewalls are
indeed a trade-off.

firewall-wizards mailing list