Bridging vs Routing firewalls...
The main strength of a bridged firewall to me is the fact that it only exists virtually on the network.
How to attack a firewall that you cannot address directly?
Even when you are connected to the same network/switch you will not be able to find the firewall, unless you know what you are looking for.
Implementation-wise, a bridging/routing firewall offers you a few advantages over a routed one.
1. When you have to add the firewall to an already existing network, you do not need to reconfigure any other device on the network; your addressing schemes and routing stay exactly the same. The only downtime you will have is due to the fact that you have to connect the cables (and even that can be solved by using VLANs on your switches and just swapping the upstream router's interface into a separate VLAN together with the downstream interface of the firewall).
- Since you do not need to change your routing topology, you do not need to create more transit subnets, and thus you save IP addresses.
- When changing routing topologies, often many devices will have to have their configuration changed. With a bridged firewall this is not needed.
2. Putting multiple firewalls in series to create, for example, more ports becomes very easy, although for example with the Lucent BRICK this is not necessary, since it supports VLAN tagging, and with a VLAN-capable switch you can create virtually any number of "virtual" firewalls you might need and give them all their own ruleset. No need for recabling and expensive upgrades.
3. In general, purpose-built devices are less vulnerable; a purpose-built firewall does not depend on the operating system of the router/platform it is running on, lowering the chance of being penetrated due to bugs in code other than the firewall's (as Nokia, Checkpoint, Cisco etc.).
4. When both your routing services and firewall services are based on one device, then every time you need to make changes to the routing you will probably also have to change your firewall configuration, creating more downtime.
Of course not all bridging firewalls are the same; my only bridging firewall experience is with the Lucent Managed Firewall or BRICK, which does both bridging and routing at the same time if needed, and therefore can be easily deployed in any situation. I have not come across a setup that I could not realise.
Greetings,
Diederik Schouten
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
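The unaddressed, transparent firewall described in the post, shown on a different platform as an added example that is not part of the post or of the Lucent BRICK: a Linux host bridges two NICs and filters the forwarded frames with nftables while the bridge itself is never given an IP address. The interface names, the allowed ports and the use of Linux/nftables are assumptions of this example.

```shell
#!/bin/sh
# Transparent (bridging) firewall on Linux, constructed example.
# The host forwards frames between two NICs and filters them at layer 2;
# the bridge carries no IP address, so neither side can address the firewall.
# Assumed: iproute2 and nftables present, Linux 5.3+ (conntrack in the bridge family).

OUTSIDE=eth0   # assumption: NIC facing the upstream router
INSIDE=eth1    # assumption: NIC facing the protected LAN
BRIDGE=br0     # assumption: name of the bridge device

# Emit the nftables ruleset. Bridge-family hooks see every forwarded frame,
# so the filter works even though the firewall has no layer-3 presence.
# Allowed inbound services (25, 443) are constructed sample values.
bridge_fw_ruleset() {
    cat <<EOF
table bridge fw {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        iifname "$INSIDE" oifname "$OUTSIDE" accept
        iifname "$OUTSIDE" oifname "$INSIDE" ip protocol icmp accept
        iifname "$OUTSIDE" oifname "$INSIDE" tcp dport { 25, 443 } accept
        iifname "$OUTSIDE" oifname "$INSIDE" log prefix "bridge-fw drop: " drop
    }
    chain input {
        # Nothing may talk to the bridge host itself from either segment.
        type filter hook input priority 0; policy drop;
    }
}
EOF
}

# Build the bridge and load the ruleset. Needs root; run as "sh bridge-fw.sh apply".
apply_bridge_fw() {
    [ "$(id -u)" -eq 0 ] || { echo "apply_bridge_fw: must run as root" >&2; return 1; }
    ip link add name "$BRIDGE" type bridge
    ip link set "$OUTSIDE" master "$BRIDGE"
    ip link set "$INSIDE" master "$BRIDGE"
    # Deliberately no 'ip addr add' on $BRIDGE: the firewall stays unaddressed.
    ip link set "$OUTSIDE" up
    ip link set "$INSIDE" up
    ip link set "$BRIDGE" up
    bridge_fw_ruleset | nft -f -
}

if [ "${1:-}" = apply ]; then
    apply_bridge_fw
fi
```

Inserting the box between the upstream router and the LAN (or, as the post notes, moving the router's port and the firewall's outside port into their own VLAN) is the only change the rest of the network sees.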