Implementing network appliances correctly is vital to designing and maintaining a well-secured network. Modern networking devices usually integrate multiple functions into one box: most enterprise-grade firewalls have built-in malware detection and an IPS or IDS, and most home and small-business routers have a built-in firewall and a range of WLAN/Wi-Fi configuration options. You must understand how to configure those functions in order to have a network that works properly and also provides some protection from the threats that come from the Internet.

Many firewalls can operate either in routing mode or in bridging mode. A firewall in bridging mode is also known as a transparent firewall, because it forwards frames at OSI layer two and is therefore invisible at OSI layer three, where IP addresses live: it has no IP address on the data path, does not decrement the TTL of the packets it forwards, and does not appear as a hop in a traceroute. It still reads the layer three and layer four headers inside those frames, which is what lets it filter traffic.

In the simplest and smallest network configuration I can think of, a few client machines are connected in a home or small office environment as a local area network. Most often, the line the ISP brings through the wall goes to a DSL modem, then to a home router, which serves a few devices over Ethernet and Wi-Fi. That home router is a routing firewall, so no bridging firewall is present.

In a medium or large network, a LAN is often divided into virtual LANs (VLANs), and may be connected to a WAN, a wide area network. When a LAN is divided into VLANs, a routing firewall is necessary because each VLAN is its own IP subnet, and moving traffic between subnets is a layer three function. Where WANs connect to LANs, routing firewalls are also used at the edge.

So, in both the small-scale and the large-scale scenario, no bridging firewall is required for either functionality or security.

Why would you need to implement a transparent bridging firewall in the first place?

Well, with routing firewalls in place, adding bridging firewalls gives your network an extra layer of inspection. If malicious traffic gets through one firewall, whether because of a rule misconfiguration or a vulnerability in the device itself, there is a good chance it can be stopped by another, especially if the second device runs a different rule set or comes from a different vendor. Redundancy is usually a good thing in networks, as long as that redundancy is well designed. Do not expect extra firewalls to absorb a volumetric DDoS attack, though: a stateful firewall is itself a resource an attacker can exhaust, so every device you add to the path must be sized for the peak traffic it will see.

Bridging firewalls complement routing firewalls very well. Unlike adding a routing firewall, adding a bridge does not require the network to be redesigned: no changes have to be made to routing or subnetting, because the bridge sits inside an existing subnet rather than between two. An added bonus is that because bridges don't forward at layer three, the IP address layer, they are more difficult for an attacker to footprint. The data-path interfaces need no IP addresses of their own, only MAC addresses, and the bridge does not show up as a hop in a traceroute. The exception is the management address most transparent firewalls still need (the Cisco ASA configuration below uses 192.168.1.1 for this); that address is reachable, so restrict who can connect to it and keep it on a management network where the platform allows it.

Keep in mind that although bridges can be added almost like “plug and play,” you must always do some configuration, and make sure that default settings are changed. Changing default settings is a key principle in network security. Very often, attackers will probe a network using the known default settings and credentials of the specific device models in use. The Cisco ASA configuration below illustrates how easy it is to overlook this: its enable and login password hashes are the factory defaults.

Larger networks sometimes need to support legacy, non-IP traffic such as IPX. A routing firewall can only forward IPv4 or IPv6 packets and drops everything else. A transparent firewall, by contrast, can bridge other EtherTypes between legacy devices and the rest of the network, normally only when an explicit rule permits them, so this is another use for it. Make sure that any switches used in such a setup are configured appropriately: the VLAN that carries the legacy protocol has to exist on both sides of the bridge.

Devices sold for use as transparent firewalls are the same models sold as routing firewalls, with many features including the ability to be switched to routing mode later on. That's a good thing indeed. Provided that you update firmware and appliance operating systems as soon as the vendor releases fixes, you should be able to keep a firewall in service for as long as the vendor supports it, which is often many years. Having routing and IDS or IPS functionality built in gives you the flexibility to redeploy those devices as routing firewalls or fuller-featured network security devices later on, without having to buy new equipment. Keep in mind that you absolutely must have routing firewalls in your network at all times; it's the bridges that are optional and complementary. Being aware of that, if you buy new devices for the purpose of bridging, shop for them the same way you would for any other type of enterprise firewall.

So, What Should You Buy?

When you shop for bridging devices, there are two major considerations.

The first is which networking appliance and operating system vendor is already in your network. Two of the most common platforms you may find are Cisco ASA and Barracuda NG Firewall. You're going to want to buy a device designed for the platform you already use, so that everything in your network can be managed, logged and monitored together. Your network admins will thank you.

Secondly, you'll want to consider the volume of traffic that will go through your bridge. Cisco ASA and Barracuda NG models vary in rated capacity from roughly 100 Mbps to 20 Gbps. It would be a waste of money and network resources to purchase a device with far more capacity than you'll need, but remember that a transparent firewall sits in the path of all traffic between the segments it joins, including internal traffic that never touches the routing firewall, so measure at that point rather than at the Internet edge. In my professional opinion, you should choose a device with a rated firewall throughput of about 200% of typical traffic. That's just my guideline; it may be adjusted according to other variables specific to your network and to forecasts of future change. At the very least, the rated throughput must exceed the peak traffic volume you see at that point, and with IPS or malware inspection enabled the usable throughput is lower than the headline figure on the data sheet.

Cisco ASA

Here is an example running configuration (the output of show running-config) for a Cisco ASA 8.x set up as a transparent firewall:

ciscoasa#show running-config
: Saved
:
ASA Version 8.0(2)
!
!--- Set the firewall mode to transparent. Enter this before the rest of
!--- the configuration: changing the mode clears the running config.
firewall transparent
hostname ciscoasa
!--- WARNING: this hash is the factory default (an empty enable password).
!--- Change it before the device goes anywhere near production.
enable password 8Ry2YjIyt7RRXU24 encrypted
names
!
!--- In transparent mode an 8.x ASA bridges exactly two named data
!--- interfaces; the remaining ports stay shut down.
interface Ethernet0/0
 nameif outside
 security-level 0
!
interface Ethernet0/1
 nameif inside
 security-level 100
!
interface Ethernet0/2
 shutdown
 no nameif
 no security-level
!
interface Ethernet0/3
 shutdown
 no nameif
 no security-level
!
interface Management0/0
 shutdown
 no nameif
 no security-level
 management-only
!
!--- WARNING: this hash is the factory default login password ("cisco").
!--- Change it as well.
passwd 2KFQnbNIdI.2KYOU encrypted
ftp mode passive
pager lines 24
mtu outside 1500
mtu inside 1500
!
!--- Management IP address. In transparent mode this is the only IP address
!--- the appliance has; it is assigned globally rather than to an interface
!--- and must be on the same subnet as the hosts being bridged.
!--- Avoid using this address as a default gateway. The security appliance
!--- uses it as the source address for traffic it originates, such as
!--- syslog messages or communications with AAA servers. You can also use
!--- it for remote management access.
ip address 192.168.1.1 255.255.255.0
no failover
icmp unreachable rate-limit 1 burst-size 1
!
!--- Output Suppressed
!
service-policy global_policy global
prompt hostname context
Cryptochecksum:d41d8cd98f00b204e9800998ecf8427e
: end
ciscoasa#
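The running configuration above stops at the bridge itself (“Output Suppressed”). What follows is an added example, not part of the original page or of Cisco's configuration guide, of the rules that complete a transparent ASA 8.x deployment: an extended ACL for the IP traffic, an EtherType ACL for the legacy non-IP traffic discussed earlier (IPX, plus the spanning-tree BPDUs an in-path bridge must not swallow), and the management hardening and credential changes that the “change the defaults” advice calls for. The interface names and the 192.168.1.0/24 management subnet are taken from the configuration above; the server address 192.168.1.20, the admin host 192.168.1.50, the username, the placeholder passwords and the decision to pass IPX are assumptions for illustration.

```cisco
!--- Added example (assumed environment, see lead-in). Enter in
!--- configuration mode on the transparent ASA shown above.

!--- 1. IP traffic. Transparent mode still inspects IP/TCP/UDP headers, so
!---    extended ACLs work exactly as in routed mode. Without a permit,
!---    traffic from the lower-security interface (outside) towards the
!---    higher one (inside) is dropped by the implicit deny at the end of
!---    the list. 192.168.1.20 is an assumed web server on the inside.
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.20 eq www
access-list OUTSIDE_IN extended permit tcp any host 192.168.1.20 eq https
access-list OUTSIDE_IN extended deny ip any any log
access-group OUTSIDE_IN in interface outside

!--- 2. Non-IP traffic. A routing firewall can only forward IPv4/IPv6; a
!---    transparent ASA can pass other EtherTypes, but only those an
!---    EtherType ACL permits. Applying any EtherType ACL brings an implicit
!---    deny for everything not listed (IP and ARP are not affected by it),
!---    which would also drop spanning-tree BPDUs, so permit those
!---    explicitly whenever the bridge sits between switches. Apply the
!---    list on both data interfaces so legacy traffic works in both
!---    directions.
access-list NONIP ethertype permit bpdu
access-list NONIP ethertype permit ipx
access-group NONIP in interface inside
access-group NONIP in interface outside

!--- 3. Management. The bridge's only IP address is the management address
!---    (192.168.1.1 above), so it is the one thing an attacker can
!---    footprint. Replace the factory-default credentials, use a local
!---    administrator account over SSHv2 only, and restrict SSH to a single
!---    assumed admin host. The angle-bracket values are placeholders.
enable password <new-enable-password>
passwd <new-login-password>
username admin password <new-admin-password> privilege 15
aaa authentication ssh console LOCAL
crypto key generate rsa modulus 2048
ssh 192.168.1.50 255.255.255.255 inside
ssh version 2
ssh timeout 10

!--- 4. Logging, so that the extra layer of inspection is actually watched.
logging enable
logging buffered informational
```

After entering these, `show firewall` should report the mode as Transparent, `show access-list` shows the hit counters per rule (a good way to confirm the IPX and BPDU permits are actually being used), and `show mac-address-table` lists the hosts the bridge has learned on each side. From a host on one side, a traceroute to a host on the other side should show no additional hop, which is the transparency the article describes; if a hop appears, the device is still in routed mode.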

Barracuda NG

On a Barracuda NG Firewall, the transparent firewall is best set up through the Barracuda NG Admin GUI (graphical user interface).

The first step is to initialize the bridge. Go to Box > Virtual Servers > [your server] > Assigned Services > Firewall and click Firewall Forwarding Settings. Under Configuration, select Layer 2 Bridging, then click Lock. Under Bridged Interface Group, add a new entry for the interfaces you want bridged.

The next step is to create firewall rules. Go to Config > Full Config > Box > Virtual Servers > [your server] > Assigned Services > Firewall > Forwarding Rules and click Lock. From there, create a “Pass” rule for the traffic you want to bridge and a “Broad-Multicast” rule so that broadcast and multicast traffic (ARP and DHCP among them) can cross the bridge.

When you choose the most appropriate devices and configure them properly, transparent bridging firewalls complement routing firewalls by adding an extra layer of inspection. They aren't necessary, but their ability to add a redundant firewall without redoing your network routing can make them an attractive option for making life more difficult for attackers. Keep in mind that defaults must always be changed, logs must always be monitored, and you will need a variety of networking functions to make your network as secure as reasonably possible.

References


Layer 2 Firewalls for the Data Center

http://www.networkworld.com/article/2225185/cisco-subnet/layer-2-firewalls-for-the-data-center.html

11 Things About Using a Transparent or Layer 2 Firewall

http://etherealmind.com/11-things-about-using-a-transparent-or-layer-2-firewall/

Routed Mode Versus Transparent Mode in Cisco ASA

http://ccnpsecurity.blogspot.ca/2011/11/routed-mode-versus-transparent-mode-in.html?m=1

Transparent, Bridging Firewall Devices

http://www.symantec.com/connect/articles/transparent-bridging-firewall-devices

PIX/ASA: Transparent Firewall Configuration Example (Cisco)

http://www.cisco.com/c/en/us/support/docs/security/pix-500-series-security-appliances/97853-Transparent-firewall.html

How to Configure Transparent Layer 2 Bridging (Barracuda)

https://techlib.barracuda.com/display/bngv52/how+to+configure+transparent+layer+2+bridging

Transparent and Routed ASA Basics

http://networkinferno.net/transparent-and-routed-asa-basics