Layer 3 Firewalls
As the name indicates, Layer 3 firewalls operate like a Layer 3 switch from the network-behavior perspective. We must configure the Layer 3 routing information on the firewall so that it can route the packets appropriately. When the firewall receives a packet, it first applies security and access control policies to determine whether this packet should be allowed or dropped. If it is allowed, the firewall determines the next hop for the packet based on the destination IP address in the packet. Check Point, Nokia, and NetScreen are among several vendors that provide Layer 3 firewalls.
Layer 2 Firewalls
Layer 2 firewalls operate like a Layer 2 switch from the network perspective. There is no need to configure any Layer 3 routing information on this firewall. Once the firewall decides to forward a packet, it simply does so based on Layer 2 information, such as the destination MAC address. Lucent’s Brick is an example of a Layer 2 firewall.
Whether the firewall type is Layer 2 or Layer 3, the firewall can examine whatever layer of information it needs in the packet for security and access control. Once firewalls decide to forward the packet, the firewalls differ in how they forward the packet based on the firewall type.
Proxy firewalls terminate the connection and communicate to the other side, acting as the client’s proxy. For example, if host A from the internal network initiates a connection to host B on the Internet, the proxy firewall appears as host B to host A and vice versa. By terminating the connection, the firewall can determine exactly what the user intends to do as part of the connection and decide whether to allow it or not. Gauntlet, from Network Associates, is an example of a proxy firewall.
In this chapter we will focus on load-balancing Layer 2 and Layer 3 firewalls. Proxy firewalls can also be viewed as Layer 3 firewalls with some differences.
Network Design for Layer 3 Firewalls
Let’s now discuss how the overall network configuration looks for load-balancing Layer 3 firewalls, as shown in Figure 6.7.
Figure panel: network design when the load balancer acts as a Layer 2 device.
Figure 6.7: Network design for Layer 3 firewalls.
Let’s first discuss the case where the load balancer acts as a Layer 2 device. In this case, router A must be configured to point to a firewall IP address as the next hop in order to reach the internal network because the firewall is the next Layer 3 device after router A. The firewalls see router B as the next hop to reach the internal network and router A as the next hop to reach the outside network.
Since there are multiple firewalls, the router must point to one of the firewall IP addresses as the next hop. Let’s say we configure the router to point to firewall 1 as the next hop. In order to perform routing, the router uses Address Resolution Protocol (ARP) to find the MAC address for firewall 1, which is configured as the next hop IP address. The router uses a time-out mechanism to refresh its ARP tables to find any updates. If the ARP age-out timer is five minutes, the router clears the ARP entry for firewall 1 after five minutes and tries to find its MAC address again. If firewall 1 is functioning, we have no problem. But if firewall 1 goes down, router A will consider the next hop to be down and will not forward any packets destined to the internal network. Even though we have another firewall working, the traffic will not be passed appropriately. To avoid this, one must configure a static ARP entry on the router. In this case, that means configuring the MAC address of firewall 1 manually on the router. With this approach, the router will not attempt to find the MAC address of its next hop through ARP. Instead, it uses the statically configured value. Even if firewall 1 goes down, router A will keep forwarding packets to the next hop, firewall 2. But once load balancer 1 receives the packets, it performs firewall load balancing. That means distributing the packets across available firewalls while ensuring session persistence. If firewall 1 is down, load balancer 1 will send the traffic through firewall 2.
Because the firewall is a Layer 3 device, when router A sends packets to the internal network, it sets the destination MAC address to the MAC address of firewall 1, the next hop. As part of load balancing, if the load balancer decides to send the packet to firewall 2, the load balancer must change the destination MAC address to that of firewall 2 before forwarding the packet to firewall 2. Once firewall 2 decides to allow the packet, it changes the destination MAC address to that of router B, its next hop, to reach the internal network.
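The two mechanisms just described, the static ARP entry on router A and the load balancer rewriting only the destination MAC while keeping each session on one firewall, can be made concrete with a small model. The Python below is an added example, not code from the book or from any of the vendors named; the IP and MAC addresses, the allowed-port policy, and the hash-based session selection are constructed assumptions used only to show the packet flow.

```python
import hashlib
from dataclasses import dataclass

# Constructed addresses for the example topology (assumed, not from the text).
ROUTER_B_MAC = "00:00:5e:00:00:b2"
FIREWALL_ADDRS = [("10.0.0.11", "00:00:5e:00:00:f1"),   # firewall 1
                  ("10.0.0.12", "00:00:5e:00:00:f2")]   # firewall 2
ALLOWED_PORTS = {80, 443}   # hypothetical access policy on both firewalls


@dataclass
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    dst_mac: str = ""   # Layer 2 destination, rewritten at each hop


class Firewall:
    """Layer 3 firewall: apply policy, then set the destination MAC to its
    own next hop (router B) toward the internal network."""

    def __init__(self, ip, mac):
        self.ip, self.mac, self.up = ip, mac, True

    def handle(self, pkt):
        if pkt.dst_port not in ALLOWED_PORTS:
            return "dropped by firewall policy"
        pkt.dst_mac = ROUTER_B_MAC
        return "forwarded to router B"


class LoadBalancer:
    """Layer 2 load balancer: picks a healthy firewall per session and
    rewrites only the destination MAC before handing the frame over."""

    def __init__(self, firewalls):
        self.firewalls = firewalls

    def pick(self, pkt):
        healthy = [fw for fw in self.firewalls if fw.up]
        if not healthy:
            return None
        # Hash the 4-tuple so every packet of one session lands on the same
        # firewall (session persistence). Return traffic would need the tuple
        # normalised so both directions hash alike; that is omitted here.
        key = f"{pkt.src_ip}:{pkt.src_port}>{pkt.dst_ip}:{pkt.dst_port}"
        digest = int(hashlib.sha256(key.encode()).hexdigest(), 16)
        return healthy[digest % len(healthy)]

    def forward(self, pkt):
        fw = self.pick(pkt)
        if fw is None:
            return None, "dropped: no healthy firewall"
        pkt.dst_mac = fw.mac   # the only change the load balancer makes
        return fw.ip, fw.handle(pkt)


class RouterA:
    """Router whose configured next hop toward the internal network is
    firewall 1, with or without a static ARP entry for it."""

    def __init__(self, firewalls, static_arp):
        self.next_hop = firewalls[0]
        self.static_mac = self.next_hop.mac if static_arp else None

    def next_hop_mac(self):
        if self.static_mac:
            return self.static_mac
        # Dynamic ARP: once the entry ages out, a down firewall never answers.
        return self.next_hop.mac if self.next_hop.up else None

    def send(self, pkt, lb):
        mac = self.next_hop_mac()
        if mac is None:
            return None, "dropped: next hop unreachable"
        pkt.dst_mac = mac
        return lb.forward(pkt)


def simulate(static_arp, fw1_up, pkt):
    """Run one packet through router A -> load balancer 1 -> a firewall.
    Returns (firewall_ip_used_or_None, status, final_dst_mac)."""
    fws = [Firewall(ip, mac) for ip, mac in FIREWALL_ADDRS]
    fws[0].up = fw1_up
    fw_ip, status = RouterA(fws, static_arp).send(pkt, LoadBalancer(fws))
    return fw_ip, status, pkt.dst_mac


if __name__ == "__main__":
    web = Packet("192.0.2.10", "10.1.1.5", 40000, 80)
    print("dynamic ARP, firewall 1 down:", simulate(False, False, web))
    print("static ARP, firewall 1 down: ", simulate(True, False, web))
    ssh = Packet("192.0.2.10", "10.1.1.5", 40001, 22)
    print("static ARP, blocked port:    ", simulate(True, False, ssh))
```

With dynamic ARP and firewall 1 down, router A cannot resolve its next hop and drops the packet even though firewall 2 is healthy; with the static entry the frame still leaves router A carrying firewall 1's MAC, and load balancer 1 rewrites it to firewall 2's MAC. The policy check inside `Firewall.handle` is the firewall's own decision and is unaffected by which path the load balancer chose.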
Let’s now consider the case where the load balancer acts as a Layer 3 device. That means it is functioning as a router. Router A can now be pointed to load balancer 1 as the next hop in order to reach the internal network. There is no need to configure a static ARP entry in the router because the router’s next hop is not pointed toward one of the firewalls.