The proper implementation of network appliances is vital to designing and maintaining a properly secured network. Modern networking devices usually integrate multiple functions into one box. For example, most enterprise quality firewalls have built-in malware detection and IPSes or IDSes. Most home and small business routers have built-in firewalls and various WLAN/WiFi configuration features. You must understand how to configure those functions in order to have a properly working network which also provides some protection from security threats that come from the Internet.

Firewalls of all kinds can operate either in routing mode or in bridging mode. A firewall in bridging mode is also known as a transparent firewall. That’s because bridging mode acts only at OSI layer two, so it’s transparent to OSI layer three, where IP addresses work.

In the simplest and smallest network configuration I can think of, a few client machines are connected in a home or small office environment as a local area network. Most frequently, the signal through the wall that an ISP provides goes through a DSL box, which goes through a home router, which then goes to a few devices via Ethernet and WiFi. That home router uses a routing firewall, so no bridging firewalls are present.

In a medium or large network, a LAN is often divided into virutal LANs, and may be connected to a WAN — a wide area network. When a LAN is divided into VLANs, a routing firewall is necessary because subnets are needed, which acts at layer three, as it’s an IP function. Where WANs connect to LANs, bridging firewalls are also used.

So, in both the small scale and large scale scenarios, no bridging firewalls are required for either functionality or security.

Why would you need to implement a transparent bridging firewall in the first place?

Well, with routing firewalls in place, adding bridging firewalls can give your network extra layers of security. More firewalls provide greater mitigation from DDoS attacks and other threats. Also, if you add firewalls, and for some reason malicious traffic is able to get through one of the firewalls, there’s a good chance that it can be stopped by another. Redundancy is usually a good thing in networks, as long as that redundancy is well designed.

Bridging firewalls can complement routing firewalls very well. Unlike when adding routing firewalls, networks don’t need to be redesigned when adding bridges. Plus, it’s less work for a network administrator to monitor an extra bridge than an extra routing firewall. No changes have to be made to network routing or subnetting. An added bonus is that because bridges don’t operate at layer three, the IP address layer, they’re more difficult for an attacker to footprint. The bridges themselves don’t need to have their own IP addresses, just their MAC addresses. They’re likely to be invisible to an attacker.

Keep in mind that although bridges can be added almost like “plug and play,” you must always do some configuration, and make sure that default settings are changed. Changing default settings is a key principle in network security. Very often, attackers will try to attack a network based on the known default settings of the specific device models that are used.

Larger networks sometimes need to offer support for legacy traffic such as IPX. A routing firewall needs IPv4 or IPv6 addressed traffic. So, another use for a transparent firewall can be to act as a bridge between legacy devices and a routing firewall. Make sure that any switches used in such a setup are configured appropriately!

When you buy devices to be used as transparent firewalls, those devices will have many different features including the ability to be set up in routing mode later on. That’s a good thing indeed. Provided that you update firmware and network appliance operating systems as frequently as possible, you should be able to get at least ten years of service out of a new firewall device. Having routing and IDS or IPS functionality built-in gives you the flexibility to set up those devices as routing firewalls and fuller featured network security devices later on, without having to buy new equipment. Keep in mind that you absolutely must have routing firewalls in your network at all times, and it’s the bridges that are optional and complimentary. Being aware of that, if you buy new devices with the purpose of bridging, shop for them the same way you would for any other type of enterprise firewall — they will be the exact same models.

So, What Should You Buy?

When you shop for bridging devices, there are two major considerations.

The first is, which networking appliance and operating system vendor is already in your network? Two of the most common vendor systems you may find are Cisco ASA and Barracuda NG. You’re going to want to buy a device that’s designed for the platform you already use, so that everything in your network can be properly integrated. Your network admins will thank you.

Secondly, you’ll want to consider the volume of traffic that will go through your bridge. Cisco ASA and Barracuda NG firewalls vary in capacity from roughly 100 Mbps to 20 Gbps. It would be a waste of money and network resources to purchase a device with a much larger capacity than you’ll need. In my professional opinion, you should choose a device with a maximum firewall traffic capacity of about 200% of typical traffic. That’s just my guideline though, it may be adjusted according to other variables that are specific to your network, and forecasts for possible future changes to your network. Obviously, the maximum firewall traffic capacity of a device should be at least a bit greater than the maximum traffic volume you see at that point in your network.

Cisco ASA

Here’s an example script of how a transparent firewall might be configured via Cisco ASA 8.x:

ciscoasa#show running-config
: Saved
ASA Version 8.0(2)

!--- In order to set the firewall mode to transparent mode

firewall transparent
hostname ciscoasa
enable password 8Ry2YjIyt7RRXU24 encrypted
interface Ethernet0/0
 nameif outside
 security-level 0
interface Ethernet0/1
 nameif inside
 security-level 100
interface Ethernet0/2
 no nameif
 no security-level
interface Ethernet0/3
 no nameif
 no security-level
interface Management0/0
 no nameif
 no security-level
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500

!--- IP Address for the Management.
!---  Avoid using this IP Address as a default gateway.
!---  The security appliance uses this address as the source address
!---  for traffic originating on the security appliance, such as system
!---  messages or communications with AAA servers. You can also use this
!---  address for remote management access.

ip address
no failover
icmp unreachable rate-limit 1 burst-size 1

!--- Output Suppressed

service-policy global_policy global
prompt hostname context
: end

Barracuda NG

In Barracuda NG, it’s best to log into your Barracuda NG GUI (graphical user interface) in order to set up your transparent firewall.

The first step is to initialize the bridge. Go to Box>Virtual Servers>name of your server>Assigned Services>Firewall. Click on Firewall Forwarding Settings. Under Configutation, select Layer 2 Bridging, then click on Lock. Under Bridged Interface Group, add an new entry.

The next step is to create firewall rules. Go to Config > Full Config > Box > Virtual Servers >name of your server>Assigned Services > Firewall > Forwarding Rules. Click on Lock. From there, create a “Pass” firewall rule and a “Broad-Multicast” firewall rule.

When you choose the most appropriate devices and configure them properly, transparent bridging firewalls compliment routing firewalls by adding extra layers of security. They aren’t necessary, but their ability to create redundant firewalls without needing to redo your network routing can make them an attractive option for possibly making life more difficult for attackers. Keep in mind that defaults must always be changed, logs must always be monitored, and you will need a variety of networking functions to make your network as secure as reasonably possible.


Layer 2 Firewalls for the Data Center

11 Things About Using a Transparent or Layer 2 Firewall

Routed Mode Versus Transparent Mode in Cisco ASA

Transparent, Bridging Firewall Devices

PIX/ASA: Transparent Firewall Configuration Example- Cisco

How to Configure Transparent Layer 2 Bridging- Barracuda

Transparent and Routed ASA Basics