There are some additional benefits of a Transparent Bridge compared to a routing firewall:

1. Firewall can be completely transparent. Only way to know that device even exists is to have devices on both sides of the firewall and port scanning through firewall (or by physically checking this fact)

2. Firewall doesn't have to have ip-address. This means that the network security cannot be compromised by attacking firewall using IP. (this can still be done on Layer 2 but usually attacker doesn't have access to network segment)

However because of 1. bridging firewall also somewhat breaks the idea of subnet/broadcast domain and can make troubleshooting problems difficult. Also they have usually somewhat limited protocol suite / ip-level functionality compared to routing firewalls.

rgds,
Harri

-----Original Message-----
From: ext Jason Yuan [mailto:[EMAIL PROTECTED]]
Sent: 10 January, 2002 21:58
To: Kotakoski Harri (EXT-Novosys/Copenhagen); [EMAIL PROTECTED]
Subject: RE: Sonicwall Soho2

I have a soho(1) and I noticed the same thing. I can use the box either as a bridge type of configuration, or rely on the built-in NAT if I want to use a different network address on the inside. The question I have is what is the security implication of a bridge type of device vs. a router type of FW?

Jason

[EMAIL PROTECTED] wrote:

> From: ext Dave Crocker [mailto:[EMAIL PROTECTED]]
> At 10:56 AM 1/9/2002 +0200, [EMAIL PROTECTED] wrote:
> >Well, first thing to understand is that Sonicwall is transparent bridge
> >not a router.
> The Sonicwall Soho (not 2) that I have had for a couple of years is a
> router. It also does NAT and a set of firewall filtering functions.
>
> The device is definitely not a bridge. That is, it very clearly works at
> the IP level, rather than at layer 2.

Let's not confuse these things over here.

1. Sonicwall is a bridge. (at least dmz and wan interfaces are in same subnet, in non NAT configuration also lan)
2. Sonicwall is filtering traffic based on layer 3 information.
3. Sonicwall has ip address for management functionality. (so it's present also on layer 3)
4. Sonicwall has limited capability acting as a router in NAT configuration but it is not a router (it is probably just doing source and destination NAT to connections).
5. Sonicwall can emulate router functionality by sending ICMP redirects

The difference between routing firewall and bridging firewall is that routing firewall is configured as a gateway to all network segments connected to it. Bridging firewall is relaying traffic on Layer 2. So from layer 3 perspective clients are sending traffic to routing firewall but in the case of bridge it is just flowing through (or not, depending on the installed policy).

rgds,
Harri

(And Sonicwall doesn't mention this on their website, which could be quite confusing)

_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls

Jason Yuan
Security Consultant
Niles Associates
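The contrast Harri draws between a routing firewall (the hosts' gateway) and a bridging firewall (relaying at layer 2), as an added Python model that is not from the thread: both apply the same layer-3 policy, but the bridge leaves MACs and TTL untouched while the router rewrites MACs and decrements TTL, which is what makes a routing hop observable and a bridge transparent. All addresses and the policy are constructed for the example.

```python
from dataclasses import dataclass, replace

# Constructed addresses for this illustration only (RFC 5737 range, locally
# administered MACs). The routing firewall owns FW_IP/FW_MAC; the bridge owns nothing.
FW_IP, FW_MAC = "192.0.2.1", "02:00:00:00:00:fe"
SERVER_IP, SERVER_MAC = "192.0.2.10", "02:00:00:00:00:0a"

@dataclass(frozen=True)
class Frame:
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    proto: str   # "tcp" or "icmp"
    dport: int
    ttl: int

def policy_allows(f: Frame) -> bool:
    """Layer-3 policy shared by both models: only HTTPS to the server passes.
    Both firewall types filter on IP/TCP headers; only the placement differs."""
    return f.proto == "tcp" and f.dport == 443 and f.dst_ip == SERVER_IP

def bridge_firewall(f: Frame):
    """Transparent bridge: inspects the IP headers but relays at layer 2.
    Client and server share one subnet, so the frame is already addressed to
    the server's MAC; MACs and TTL stay untouched, leaving no trace of a hop."""
    return f if policy_allows(f) else None

def routing_firewall(f: Frame):
    """Routing firewall: it is the clients' gateway, so frames arrive addressed
    to its own MAC, and forwarding rewrites the MACs and decrements the TTL."""
    if f.dst_mac != FW_MAC or f.ttl <= 1:
        return None          # not sent to the gateway, or TTL exhausted
    if not policy_allows(f):
        return None
    return replace(f, src_mac=FW_MAC, dst_mac=SERVER_MAC, ttl=f.ttl - 1)

def answers_arp(firewall: str, probed_ip: str) -> bool:
    """Harri's point 2: a bridge holds no IP address, so it never answers ARP and
    cannot be addressed at layer 3; a router answers for its own address."""
    return firewall == "router" and probed_ip == FW_IP

def hop_visible(sent: Frame, received: Frame) -> bool:
    """What a host on the far side can observe: a decremented TTL or rewritten
    source MAC betrays a routing hop; an unchanged frame betrays nothing."""
    return sent.ttl != received.ttl or sent.src_mac != received.src_mac
```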
