Firewall Wizards mailing list archives

Re: Layer 2 (stealth) firewalls - PBR?


From: "Darden, Patrick S." <darden () armc org>
Date: Tue, 1 Apr 2008 08:31:06 -0400


I'm going (to try) to address your questions inside your email below.
I'll use -- at the beginning of my responses.


-----Original Message-----
From: firewall-wizards-bounces () listserv icsalabs com
[mailto:firewall-wizards-bounces () listserv icsalabs com]On Behalf Of
Darren Reed
Sent: Monday, March 31, 2008 11:49 PM
To: Firewall Wizards Security Mailing List
Subject: [fw-wiz] Layer 2 (stealth) firewalls - PBR?


If I can interrupt the usual questions for some product requirements
discovery....

--Sure, no problem.

Over in the networking community on OpenSolaris.org, a couple of
us are pondering the question of what it means to do policy based
routing (PBR) at the ethernet (MAC) layer.

--Oookay.

For IP, the use case is well understood and people everywhere do
it with firewall software, if only to make up for the inadequacies of
their routing tables however when it comes to ethernet, we're kind
of scratching our heads....so, some questions....

--I'm scratching my head at this point as well.

Does running a stealth (bridging) firewall remove the need for PBR?

--Bridging Firewall, afaik, is a really fancy term for "switch".  A piece
of equipment that sits between two different network segments and
determines traffic flow between them based on destination MACs... is
a switch.  Even if it does, for example, disallow certain MACs based
on arbitrary rulesets (e.g. no traffic to HP MACs can cross, thereby
keeping finance from using marketing's printers and vice-versa) it
is still just a switch using a fancy name, n'est-ce pas?

--I am not sure what you could do with advanced PBR functionality 
at the ethernet level that is not already incorporated via other
methods.  E.g. multi-link mesh networks are handled by Spanning Tree 
Protocol....  Is there a specific situation or situations you want
or need to address?

Do people still do strange, quirky, things to packets even when they
don't want them to go through IP?

--Yes.  People do the craziest things with packets.  Not sure what 
you mean in context though!

If you're using bridging to support your firewall (that still filters
packets using IP header information), can you shed some light on
why/when you want to send packets out a specific NIC regardless
of what the forwarding table for the bridge says?

--Ah, I can pose a situation or two that might fit the context,
albeit due to lack of imagination, not very well.

--(Straw Man 1) you have a server with two NICs.  A 1Gb NIC and a 
10Mb NIC, and both of them are on the same IP network and go to
the same segment.  The 10Mb was installed first, back in the day,
and it has an IP of 128.0.0.1.  The 1Gb was installed last week
with an IP of 128.0.0.200.  Standard IP routing calls for the 
numerically lower IP to handle all traffic under normal conditions.
However, you obviously want your traffic to use the faster link.
Now, your server is ancient and has no routing protocols in it.
But, through laborious insanity, you manage to install whatever
it takes to get Layer 2 PBR working.  Now you are set!  It might
have been easier to just install RIP or upgrade the OS to something
modern, or just swap IP addresses on the NICs, however.

--(Straw Man 2) Crazy security feature: you set up your network
so that the switches have an incorrect ARP table--On Purpose, so
if anyone attaches a PC, Mobile, HHPC, etc. they will be unable to
get anywhere using the advertised ARP.  Meanwhile, you have a
transparent Bridging Firewall make the necessary changes to ensure
that approved MACs' traffic gets to where it needs to go.  Fiendish,
and very difficult to administrate.  And if you ever left, it would
drive the next Network Admin absolutely bonkers.

--(Straw Man 3) you might want all traffic echoed out one interface
so you can attach an IDS to it (or all vlan X traffic, or etc.).  
Most switches include this functionality already however.

Thanks,
Darren

--No problem.  Not sure if I was able to help.  Interesting!
--Patrick Darden
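To make the layer-2 ideas in the thread concrete (a bridge that forwards by destination MAC, a vendor-OUI deny rule as in the printer example, a "PBR" override that sends frames out a chosen port regardless of the learned forwarding table, and a mirror port feeding an IDS), here is a small simulated learning bridge. This is an added example, not code from the thread or from any product; every MAC, port name and the OUI prefix is a constructed placeholder.

```python
# Added example (not from the original thread): a minimal learning bridge
# with the layer-2 policies the discussion describes: an OUI-based deny rule,
# a "layer-2 PBR" override that forces matching frames out a chosen port
# regardless of the learned forwarding table, and a mirror port for an IDS.
# All MACs, ports and the OUI prefix are constructed sample values.

from collections import namedtuple

Frame = namedtuple("Frame", "src dst in_port")

# Constructed sample: "00:1e:0b" stands in for a printer vendor's OUI
# (the thread's "no traffic to HP MACs" rule); no real OUI is asserted here.
DENY_DST_OUIS = {"00:1e:0b"}
MIRROR_PORT = "eth9"                          # IDS tap: sees every frame
PBR_RULES = {"aa:bb:cc:00:00:02": "eth3"}     # dst MAC -> forced egress port


def oui(mac):
    """First three octets of a MAC, lower-cased, e.g. '00:1e:0b'."""
    return mac.lower()[:8]


def bridge(frames, ports):
    """Process frames in order. Returns (decisions, fdb) where decisions is a
    list of (frame, sorted egress ports) and fdb is the learned MAC table."""
    fdb = {}                                  # learned source MAC -> port
    decisions = []
    for f in frames:
        fdb[f.src] = f.in_port                # learn on ingress, like a switch
        if oui(f.dst) in DENY_DST_OUIS:
            out = []                          # policy drop (OUI deny rule)
        elif f.dst in PBR_RULES:
            out = [PBR_RULES[f.dst]]          # PBR override beats the FDB
        elif f.dst in fdb:
            out = [fdb[f.dst]]                # known unicast: single port
        else:
            out = list(ports)                 # unknown/broadcast: flood
        out = [p for p in out if p != f.in_port]   # never echo to ingress
        decisions.append((f, sorted(set(out + [MIRROR_PORT]))))
    return decisions, fdb
```

Frames to a PBR-listed MAC leave on the configured port even after that MAC has been learned elsewhere, which is exactly the "regardless of what the forwarding table says" behaviour the question asks about.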

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards