> It is quite obvious. If the device doesn't have a Layer 3 address it cannot be
> attacked on Layer 3.
>
> However usually bridging firewalls have a layer 3 address for monitoring and
> management purposes and it causes some vulnerability to the solution.
Having layer 3 capabilities is required nowadays, especially when you are dealing
with NAT and protocol awareness for opening dynamic ports etc. A management address
on a bridged firewall is just as vulnerable as one on a routed firewall.
Most of the time it's not really the management interface (and I do not mean a
physical interface) that causes the vulnerability, but the way the firewall is
managed and whether it provides services like Telnet, SNMP etc.
> The most important factor of bridging firewalls is that they can be totally
> transparent to other devices (both in layer 2 and 3) which will make it a lot
> harder to get the actual network topology of the environment.
Exactly.
> Because of that it can also cause some headache to network troubleshooting.
Bridged firewalls only cause headaches when you try to implement them the same way as
routed ones :)
Network troubleshooting, bridged or routed, does not make a difference: if a device is
unreachable it is generally a routing or filtering issue, and that will be the same on
both bridged and routed firewalls.
When troubleshooting traffic, the first thing to check is what can block the traffic
between point A and B, and this is no different from a routed or bridged perspective.
What do you experience to be harder in a bridged situation?
Bridged firewalls normally only bridge specific types of traffic to and from specified
locations, unless of course the administrator of the firewall is still using wildcards
everywhere...
The chain is only as strong as its weakest link.
And indeed, most of the time it is due to human error that networks get compromised.
> So, to answer your question. A bridging firewall has an advantage over a routing
> firewall in this security aspect.
> However there are many other things to consider and this is not the most important
> one and not even close to the top.
For me it is most important how secure my firewall is; isn't that what it's all about?
Building the most secure solution?
I'd be very interested in the list of more important aspects.
Greetings,
Diederik
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
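As an added illustration of the point made above about management addresses on bridged firewalls (this is not from the thread): an nftables ruleset for a Linux bridging firewall that keeps the management address reachable only for SSH from a management network, with the weak setting shown beside the corrected one, and a data-plane chain that bridges specific traffic instead of wildcards. Interface names, addresses and the management network are assumptions.

```nft
# Added example, not from the thread. Assumptions: bridge br0 (eth0 + eth1) is the
# data path; the host stack owns the management address 192.0.2.10 on br0; the
# management network is 10.99.0.0/24. All addresses are placeholders.
# Bridge-family conntrack needs the nf_conntrack_bridge module (Linux 5.3+).

# --- Weak setting: the management address answers Telnet, SNMP and SSH from
# --- any source. This is the equivalent of having no input policy at all:
#   table inet mgmt { chain input { type filter hook input priority filter; policy accept; } }

# --- Corrected: the bridge is a layer 3 endpoint only for SSH from the management net.
table inet mgmt {
    chain input {
        type filter hook input priority filter; policy drop;

        iif lo accept
        ct state established,related accept
        ct state invalid drop

        # Only SSH, only from the management network. Telnet (23) and SNMP (161)
        # are never reachable because no rule accepts them.
        ip saddr 10.99.0.0/24 tcp dport 22 accept

        # Echo requests from the management network only, for reachability checks.
        ip saddr 10.99.0.0/24 icmp type echo-request accept

        # Anything else aimed at the management address is logged (rate limited)
        # and then dropped by the chain policy.
        limit rate 5/minute log prefix "mgmt-drop: "
    }
}

# Data plane: bridge only the flows that are explicitly allowed.
table bridge dataplane {
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Example allowed flow: clients on eth0 reaching a web server behind eth1.
        iifname "eth0" oifname "eth1" ip daddr 192.0.2.80 tcp dport { 80, 443 } ct state new accept

        # Frames addressed to the management address are delivered to the host
        # stack, not forwarded, so only the inet input chain above decides on them.
    }
}
```

Load with `nft -f` from a console session rather than over the network, so a mistake in the input chain cannot lock out the only management path.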