Transparent Firewall Mode (Stealth Firewall)

Firewall Software Version 7.0 and later introduces the capability to configure the Security Appliance in a secure bridging mode, as a Layer 2 device, to provide rich Layer 2 through Layer 7 firewall services. In transparent mode, the Security Appliance acts like a "bump in the wire" and is not a router hop. There is no need to redesign the IP network (Layer 3 addressing scheme). The Security Appliance connects the same network (IP subnet) on its inside and outside interfaces. The inside and outside interfaces are placed on different Layer 2 segments if they are connected to the same switch (use different VLAN numbers or use separate switches).

In essence, the network is split into two Layer 2 segments and the appliance is placed in between, thereby acting in bridge mode, while Layer 3 remains unchanged. Alternatively, clients on either side can be connected to two separate switches that are independent of each other (and not connected to each other in any way).

Figure 6-3 illustrates this further. Even though the firewall is in bridge mode, an ACL is still required to control and permit all Layer 3 traffic that passes through the firewall, with the exception of ARP traffic, which does not require an ACL. ARP traffic can be controlled with ARP inspection on the firewall.

Figure 6-3. Transparent Firewall Setup

Transparent mode does not support IP routing protocols for traffic passing through the appliance, because the firewall is in bridge mode. Static routes are used only for traffic originating from the appliance, not for traffic traversing the appliance. However, IP routing protocols running through the firewall are supported, as long as the access lists on the firewall permit the protocols to pass through. OSPF, RIP, EIGRP, and Border Gateway Protocol (BGP) adjacencies can be established through the firewall in transparent mode.

While operating in transparent mode, the Security Appliance continues to perform stateful inspection with application-layer intelligence and provides all standard firewalling capabilities, including NAT support. NAT configuration is supported in software version 8.0 and later. Prior to version 8.0, NAT was not supported in transparent mode.

The egress interface for outbound packets is determined by performing a MAC address lookup instead of a route lookup. The only Layer 3 addressing required on the firewall is the management IP address. The management IP address is also used as the source IP address for packets originating from the Security Appliance, such as system messages or communications with AAA or syslog servers. The management IP address must be on the same subnet as the connected network.

Transparent mode is a good way to protect the network passively (stealth), without the intruder/attacker detecting the existence of the firewall.

Figure 6-3 shows an example of a transparent firewall implementation. The example shows three client workstations with the default gateway set to the upstream router 10.1.1.1. Note that all PCs, the upstream router, and the management IP address are in the same IP subnet 10.1.1.0/24, but they have been split into different Layer 2 VLANs because all the devices in the diagram are connected to the same switch. The client workstations and the inside interface of the Security Appliance are set in VLAN 10, and the upstream router and the outside interface are set to VLAN 20. Note that if the clients and all devices on both sides are connected to separate switches, and the switches are not connected to each other in any way, the VLAN numbers can be the same, or anything for that matter, because the switches are independent and do not interconnect.
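The configuration below is an added example, not from the book or the figure, that puts the Figure 6-3 design into ASA CLI form and ties together the points made above: bridge mode, a management IP on the bridged subnet, a static route used only for the appliance's own traffic, ACLs that let the listed routing-protocol adjacencies form through the bridge, and ARP inspection for the one traffic type ACLs do not cover. It assumes the 7.x/8.0 to 8.2 command set (the global `ip address` form of the management address; later releases use a bridge-group interface instead). The hostname, interface names, ACL names, the management address 10.1.1.2, the upstream router's MAC address, and the Catalyst switch-port configuration are assumptions constructed for the example; the page gives only the subnet, the gateway 10.1.1.1, and the VLAN numbers.

```cisco
! ---- Security Appliance (ASA 7.x/8.0 syntax, constructed example) ----
firewall transparent
hostname asa-stealth
!
! Two bridged interfaces; no IP addresses are assigned to them.
interface Ethernet0/0
 nameif outside
 security-level 0
 no shutdown
!
interface Ethernet0/1
 nameif inside
 security-level 100
 no shutdown
!
! Only Layer 3 address on the box: the management IP, which must sit on the
! bridged subnet 10.1.1.0/24 (10.1.1.2 is an assumed value).
ip address 10.1.1.2 255.255.255.0
!
! Static route serves traffic the appliance itself originates (syslog, AAA);
! it is never consulted for traffic crossing the bridge.
route outside 0.0.0.0 0.0.0.0 10.1.1.1 1
logging host inside 10.1.1.50
!
! Layer 3 traffic still needs an ACL in bridge mode. These entries permit the
! OSPF, EIGRP, RIP and BGP adjacencies mentioned in the text and nothing else
! from the outside; apply a matching list inbound on the inside so hellos
! and updates can leave as well as enter.
access-list OUTSIDE_IN extended permit ospf any any
access-list OUTSIDE_IN extended permit eigrp any any
access-list OUTSIDE_IN extended permit udp any any eq rip
access-list OUTSIDE_IN extended permit tcp any any eq bgp
access-list OUTSIDE_IN extended permit icmp any 10.1.1.0 255.255.255.0 echo-reply
access-group OUTSIDE_IN in interface outside
!
access-list INSIDE_IN extended permit ospf any any
access-list INSIDE_IN extended permit eigrp any any
access-list INSIDE_IN extended permit udp any any eq rip
access-list INSIDE_IN extended permit tcp any any eq bgp
access-list INSIDE_IN extended permit ip 10.1.1.0 255.255.255.0 any
access-group INSIDE_IN in interface inside
!
! ARP is not subject to ACLs; control it with ARP inspection instead. Bind
! the gateway to its MAC (constructed value) and drop ARP that disagrees with
! the static table on the outside segment rather than flooding it.
arp outside 10.1.1.1 0000.1111.2222
arp-inspection outside enable no-flood

! ---- Catalyst switch (IOS syntax, constructed example) ----
! The appliance bridges two VLANs that carry the same subnet: clients and the
! inside interface in VLAN 10, the upstream router and the outside interface
! in VLAN 20. The two VLANs must not be routed or bridged anywhere else on
! the switch, or traffic will bypass the firewall.
vlan 10
 name inside-segment
vlan 20
 name outside-segment
!
interface FastEthernet0/1
 description ASA inside (Ethernet0/1)
 switchport mode access
 switchport access vlan 10
!
interface FastEthernet0/2
 description ASA outside (Ethernet0/0)
 switchport mode access
 switchport access vlan 20
!
interface FastEthernet0/3
 description upstream router 10.1.1.1
 switchport mode access
 switchport access vlan 20
!
interface range FastEthernet0/10 - 12
 description client workstations
 switchport mode access
 switchport access vlan 10
```

The management address is what appears as the source of the syslog messages sent to 10.1.1.50 here, and the `route outside` entry is what lets that management traffic reach anything beyond the local subnet. On the Catalyst side the check worth making after deployment is that no SVI or trunk joins VLAN 10 and VLAN 20 anywhere else; a single stray path between the two segments turns the stealth firewall into an optional one.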