Firewall Wizards mailing list archives
RE: Layer 2 firewalls ...
From: "Paul Melson" <pmelson () gmail com>
Date: Tue, 30 Aug 2005 09:52:36 -0400
If we're talking about the same thing, layer 2 firewalls are just bridges that inspect packets and act on them, much the same way a typical network firewall would. You can still perform NAT and its subsets (PAT, port-forwarding, etc.) with a bridging firewall. (OK, *some* bridging firewalls perform NAT, others can't and are junk.)

The main drawback that I am aware of is a lack of flexibility in network architecture surrounding bridges and thus, bridging firewalls. If you want to use routed networks on both sides of your firewall, it must be in the physical path between two routers. This can make fail-over and load-balancing designs more complicated than they otherwise might be if the firewall were a layer 3 hop that could be inserted into a route.

Anyway, I don't know how much I buy into the advantage of non-addressed interfaces. If the goal is to keep an attacker from being able to send packets directly to the firewall interfaces while traffic still passes across them, you can use ACLs to filter that traffic on a typical firewall. (Check Point has branded this the "stealth rule." Sounds better than the "duuhrrr rule.") Also, if there's a bug in your firewall code, that bug can likely still be exploited by passing that packet across the bridge. I'm still not sure what I've gained, but now I have a firewall I can't ping. ;)

PaulM

-----Original Message-----
Subject: [fw-wiz] Layer 2 firewalls ...

Is anyone aware of any *disadvantages* of layer 2 firewalls? Current marketing seems to be pushing layer 2 firewalls mostly, as far as I can tell, to reduce the possibility of the device being compromised (no ip address.) And it seems to me, that any network using a media of Ethernet could (and should?) be doing this, unless of course, they needed the device to perform layer 3 or 4 utility (e.g., NAT), additionally.

I readily admit that I don't possess "link layer" expertise, and thus, I suspect that I must be missing something further, if layer 2 firewalls are indeed a trade-off.
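The "stealth rule" Paul describes, written out as an added nftables example (not from the list thread): a routed firewall whose own addresses answer nothing except SSH from an assumed management subnet (10.0.0.0/24, a placeholder), while transit traffic still passes through the forward chain where the inspection code runs. The interface names and service ports are assumptions; the bridge table at the end shows the same transit policy on a Linux bridge (br0 joining eth0 and eth1), whose management IP is still covered by the inet input chain.

```nftables
# Added example (not from the list thread). Interface names, the
# management subnet 10.0.0.0/24 and the service ports are assumptions.
table inet filter {
    chain input {
        # Traffic addressed to the firewall itself. The default drop is
        # the "stealth rule": nothing reaches the box except the
        # exceptions listed here, so it does not answer pings either.
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        ct state invalid drop
        # management only: SSH from the admin subnet
        ip saddr 10.0.0.0/24 tcp dport 22 accept
    }
    chain forward {
        # Transit traffic crossing the firewall. This is the path an
        # inspection bug would be reached through, stealth rule or not.
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "eth0" oifname "eth1" tcp dport { 80, 443 } ct state new accept
    }
}

# Same transit policy on a bridging firewall. Frames forwarded by br0 are
# filtered here (stateless, so both directions are listed explicitly);
# anything sent to an IP configured on br0 still hits the inet input
# chain above, so the stealth rule applies to the bridge as well.
table bridge transit {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ether type arp accept
        iifname "eth0" oifname "eth1" tcp dport { 80, 443 } accept
        iifname "eth1" oifname "eth0" tcp sport { 80, 443 } accept
    }
}
```

Load with `nft -f` on a host that has the bridge configured; the inet table alone is enough for the routed case.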