Firewall Wizards mailing list archives
Re: Layer 2 (stealth) firewalls - PBR?
From: "Darden, Patrick S." <darden () armc org>
Date: Tue, 1 Apr 2008 08:31:06 -0400
I'm going (to try) to address your questions inside your email below. I'll use -- at the beginning of my responses.

-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com [mailto:firewall-wizards-bounces () listserv icsalabs com] On Behalf Of Darren Reed
Sent: Monday, March 31, 2008 11:49 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Layer 2 (stealth) firewalls - PBR?

If I can interrupt the usual questions for some product requirements discovery....

--Sure, no problem.

Over in the networking community on OpenSolaris.org, a couple of us are pondering the question of what it means to do policy based routing (PBR) at the ethernet (MAC) layer.

--Oookay.

For IP, the use case is well understood and people everywhere do it with firewall software, if only to make up for the inadequacies of their routing tables; however, when it comes to ethernet, we're kind of scratching our heads.... so, some questions....

--I'm scratching my head at this point as well.

Does running a stealth (bridging) firewall remove the need for PBR?

--Bridging Firewall, afaik, is a really fancy term for "switch". A piece of equipment that sits between two different network segments and determines traffic flow between them based on destination MACs... is a switch. Even if it does, for example, disallow certain MACs based on arbitrary rulesets (e.g. no traffic to HP MACs can cross, thereby keeping finance from using marketing's printers and vice-versa), it is still just a switch using a fancy name, n'est-ce pas?

--I am not sure what you could do with advanced PBR functionality at the ethernet level that is not already incorporated via other methods. E.g. multi-link mesh networks are handled by Spanning Tree Protocol.... Is there a specific situation or situations you want or need to address?

Do people still do strange, quirky things to packets even when they don't want them to go through IP?

--Yes. People do the craziest things with packets. Not sure what you mean in context though!

If you're using bridging to support your firewall (that still filters packets using IP header information), can you shed some light on why/when you want to send packets out a specific NIC regardless of what the forwarding table for the bridge says?

--Ah, I can pose a situation or two that might fit the context, albeit, due to lack of imagination, not very well.

--(Straw Man 1) You have a server with two NICs: a 1Gb NIC and a 10Mb NIC, and both of them are on the same IP network and go to the same segment. The 10Mb was installed first, back in the day, and it has an IP of 128.0.0.1. The 1Gb was installed last week with an IP of 128.0.0.200. Standard IP routing calls for the numerically lower IP to handle all traffic under normal conditions. However, you obviously want your traffic to use the faster link. Now, your server is ancient and has no routing protocols in it. But, through laborious insanity, you manage to install whatever it takes to get Layer 2 PBR working. Now you are set! It might have been easier to just install RIP, or upgrade the OS to something modern, or just swap IP addresses on the NICs, however.

--(Straw Man 2) Crazy security feature: you set up your network so that the switches have an incorrect ARP table--on purpose, so if anyone attaches a PC, Mobile, HHPC, etc. they will be unable to get anywhere using the advertised ARP. Meanwhile, you have a transparent Bridging Firewall make the necessary changes to ensure that approved MACs' traffic gets to where it needs to go. Fiendish, and very difficult to administrate. And if you ever left, it would drive the next Network Admin absolutely bonkers.

--(Straw Man 3) You might want all traffic echoed out one interface so you can attach an IDS to it (or all vlan X traffic, or etc.). Most switches include this functionality already, however.

Thanks,
Darren

--No problem. Not sure if I was able to help. Interesting!
--Patrick Darden

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
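The distinction the thread circles around (an ordinary learning bridge versus one whose policy can override the forwarding table, deny by vendor prefix, or copy frames to an IDS port, as in the three straw men above) is easier to see as code. The toy bridge below is an added example, not code from the list or from the OpenSolaris project; the port names, MAC addresses and the locally administered prefix 02:aa:bb standing in for a "printer vendor" OUI are all constructed placeholders.

```python
"""Toy learning bridge with a layer-2 policy table (added example, hypothetical).

Normal bridge behaviour: learn the source MAC on the ingress port, forward a
known destination out its learned port, flood unknowns, filter frames whose
destination sits on the ingress port.  Layer-2 PBR adds a rule table that is
consulted first and can deny, steer (override the table) or mirror a frame.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

BROADCAST = "ff:ff:ff:ff:ff:ff"


@dataclass
class Frame:
    src: str
    dst: str
    vlan: int = 1


@dataclass
class Rule:
    name: str
    action: str                     # "deny", "steer" or "mirror"
    src_oui: Optional[str] = None   # first three octets of the source MAC
    dst_oui: Optional[str] = None   # first three octets of the destination MAC
    vlan: Optional[int] = None
    port: Optional[str] = None      # egress port for steer / mirror

    def matches(self, frame: Frame) -> bool:
        if self.src_oui and not frame.src.lower().startswith(self.src_oui.lower()):
            return False
        if self.dst_oui and not frame.dst.lower().startswith(self.dst_oui.lower()):
            return False
        if self.vlan is not None and frame.vlan != self.vlan:
            return False
        return True


class PolicyBridge:
    def __init__(self, ports: List[str], rules: List[Rule]):
        self.ports = list(ports)          # bridge member ports
        self.rules = list(rules)          # evaluated in order; first deny/steer wins
        self.fdb: Dict[str, str] = {}     # learned MAC -> port
        self.log: List[str] = []          # policy decisions, for the admin / SIEM

    def _table_lookup(self, in_port: str, frame: Frame) -> List[str]:
        out = self.fdb.get(frame.dst)
        if out is None:                   # unknown unicast or broadcast: flood
            return [p for p in self.ports if p != in_port]
        if out == in_port:                # destination is on the ingress segment
            return []
        return [out]

    def forward(self, in_port: str, frame: Frame) -> List[str]:
        """Return the sorted list of ports the frame is sent out of."""
        self.fdb[frame.src] = in_port     # learn, exactly like a plain switch
        egress: Optional[List[str]] = None
        for rule in self.rules:
            if rule.action in ("deny", "steer") and rule.matches(frame):
                if rule.action == "deny":
                    self.log.append(f"{rule.name}: dropped {frame.src} -> {frame.dst}")
                    return []
                egress = [rule.port]      # PBR: ignore what the table says
                self.log.append(f"{rule.name}: steered {frame.src} -> {frame.dst} out {rule.port}")
                break
        if egress is None:
            egress = self._table_lookup(in_port, frame)
        for rule in self.rules:           # mirrors add a copy, never change the primary decision
            if rule.action == "mirror" and rule.matches(frame) \
                    and rule.port != in_port and rule.port not in egress:
                egress.append(rule.port)
        return sorted(egress)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: finance on eth0, marketing on eth1, fast uplink eth3, IDS on eth2."""
    rules = [
        Rule("no-printing-across-bridge", "deny", dst_oui="02:aa:bb"),   # placeholder OUI
        Rule("vlan20-via-fast-uplink", "steer", vlan=20, port="eth3"),
        Rule("copy-everything-to-ids", "mirror", port="eth2"),
    ]
    br = PolicyBridge(ports=["eth0", "eth1", "eth3"], rules=rules)
    a, b, c = "00:11:22:aa:aa:aa", "00:11:22:bb:bb:bb", "00:11:22:cc:cc:cc"
    printer = "02:aa:bb:12:34:56"
    return {
        "arp-flood": br.forward("eth0", Frame(a, BROADCAST)),      # flood + IDS copy
        "learned-reply": br.forward("eth1", Frame(b, a)),          # table hit + IDS copy
        "printer-denied": br.forward("eth0", Frame(a, printer)),   # policy drop
        "vlan20-steered": br.forward("eth0", Frame(a, b, vlan=20)),  # table says eth1, policy says eth3
        "same-segment": br.forward("eth1", Frame(c, b)),           # filtered, but IDS still sees it
    }


if __name__ == "__main__":
    for name, ports in demo().items():
        print(f"{name:16s} -> {ports}")
```

The "vlan20-steered" case is the one Darren's question is really about: the forwarding table would send the frame to eth1, and only the policy rule sends it elsewhere. On Linux the same three actions map onto the bridge-family filter tables (ebtables, or the `bridge` family in nftables) plus port mirroring, and the `log` list is where a stealth firewall should record every policy override so the next admin is not driven bonkers.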