10.4 Layer 2 Firewalls


A relatively new type of firewall has emerged over the last couple of years: the Layer 2 firewall. Layer 2 firewalls are "invisible": they sit inline on the network, inspect the traffic passing through them and drop the packets that violate policy, but they never appear as a node on the network.

The disadvantage of a typical firewall is that it is itself a destination on the network. A traditional firewall has a public interface and a private interface, each with an IP address, and those addresses can be attacked. A frustrated intruder who is unable to get past the filtering rules can instead launch a DoS attack against the firewall directly. Many firewalls are set up so that if the firewall application crashes, the server underneath simply becomes a router, forwarding traffic from the public network to the private network with no filtering at all. [2]

[2] Thankfully, this is becoming less common.

Obviously, this can be a serious security problem. If an attacker successfully launches a DoS attack against the firewall and crashes the application, that attacker now has unfiltered access to the private network.

Many firewall vendors, including Check Point and NetScreen, allow their firewalls to be configured in an "invisible" mode, which is exactly what a Layer 2 firewall is: the firewall acts as a bridge joining different network segments, inspecting the frames that cross it without performing any routing.

Layer 2 firewalls offer several advantages over a traditional firewall:

  • Because the firewall does not present an attacker with an IP address, it is more difficult to build a map of the network, and therefore more difficult to find vulnerable devices on it.

  • The lack of a public IP address also makes it more difficult for an attacker to determine what type of firewall is in place, and so harder to exploit weaknesses specific to that firewall.

  • It is easier to add a Layer 2 firewall to an existing network: because it bridges rather than routes, no addressing or routing changes are required on the hosts or on the existing gateway.
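The difference between the two designs is easiest to see at the frame level. The following is an added example, not code from the book or from any vendor's product: a small simulation that applies one and the same filtering policy first as a routing (Layer 3) firewall and then as a bridging (Layer 2) firewall, on constructed frames. All MAC and IP addresses, the policy and the sample payloads are assumptions made up for the illustration.

```python
"""Added example (not from the book): the same packet policy enforced by a
routing (Layer 3) firewall and by a bridging (Layer 2) firewall. Every
address and frame below is constructed for illustration only."""
import ipaddress
import struct

ETH_HDR = struct.Struct("!6s6sH")            # dst MAC, src MAC, ethertype
IP_HDR = struct.Struct("!BBHHHBBH4s4s")      # IPv4 header without options
ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6

# Constructed sample addresses (assumptions, not taken from the page).
CLIENT_MAC = bytes.fromhex("020000000001")
FW_PUB_MAC = bytes.fromhex("020000000002")   # routing firewall, public side
FW_PRIV_MAC = bytes.fromhex("020000000003")  # routing firewall, private side
SERVER_MAC = bytes.fromhex("020000000004")
FW_PUBLIC_IP = "198.51.100.1"                # only the routing firewall owns an IP
SERVER_IP = "192.0.2.10"


def ip_checksum(hdr: bytes) -> int:
    """Standard one's-complement sum over the 20-byte IPv4 header."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_frame(src_mac, dst_mac, src_ip, dst_ip, proto, ttl, payload=b"") -> bytes:
    """Ethernet II frame carrying an IPv4 packet with its checksum filled in."""
    hdr = IP_HDR.pack(0x45, 0, IP_HDR.size + len(payload), 0, 0x4000, ttl, proto, 0,
                      ipaddress.IPv4Address(src_ip).packed,
                      ipaddress.IPv4Address(dst_ip).packed)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return ETH_HDR.pack(dst_mac, src_mac, ETHERTYPE_IPV4) + hdr + payload


def parse_frame(frame: bytes) -> dict:
    """Pull the fields both firewalls need out of a frame."""
    dst_mac, src_mac, ethertype = ETH_HDR.unpack_from(frame)
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("only IPv4 frames are modelled here")
    ip = IP_HDR.unpack_from(frame, ETH_HDR.size)
    return {"dst_mac": dst_mac, "src_mac": src_mac, "ttl": ip[5], "proto": ip[6],
            "src_ip": str(ipaddress.IPv4Address(ip[8])),
            "dst_ip": str(ipaddress.IPv4Address(ip[9])),
            "payload": frame[ETH_HDR.size + IP_HDR.size:]}


def policy_allows(p: dict) -> bool:
    """One rule set for both designs: only TCP to the server may pass."""
    return p["proto"] == PROTO_TCP and p["dst_ip"] == SERVER_IP


def routing_firewall(frame: bytes):
    """Layer 3 design: the firewall is the client's gateway, so it is a hop.
    Returns (action, frame). When the TTL runs out the firewall answers from
    its own IP, which is exactly how traceroute discovers it exists."""
    p = parse_frame(frame)
    if p["dst_mac"] != FW_PUB_MAC:           # frames for other MACs are not its business
        return ("ignore", None)
    if p["ttl"] <= 1:
        return ("icmp_time_exceeded from %s" % FW_PUBLIC_IP, None)
    if not policy_allows(p):
        return ("drop", None)
    # Rewrite both MACs and decrement TTL, like any router.
    return ("forward", build_frame(FW_PRIV_MAC, SERVER_MAC, p["src_ip"], p["dst_ip"],
                                   p["proto"], p["ttl"] - 1, p["payload"]))


def bridging_firewall(frame: bytes):
    """Layer 2 design: inspect, then pass the frame through byte for byte.
    It owns no MAC or IP on the path and never touches the TTL, so there is
    nothing for a sender to address, probe, or see in a traceroute."""
    p = parse_frame(frame)
    return ("forward", frame) if policy_allows(p) else ("drop", None)


if __name__ == "__main__":
    syn = build_frame(CLIENT_MAC, FW_PUB_MAC, "203.0.113.5", SERVER_IP, PROTO_TCP, 64, b"SYN")
    probe = build_frame(CLIENT_MAC, FW_PUB_MAC, "203.0.113.5", SERVER_IP, PROTO_TCP, 1)
    for name, fw in (("routing", routing_firewall), ("bridging", bridging_firewall)):
        print(name, "SYN ->", fw(syn)[0], "| TTL=1 probe ->", fw(probe)[0])
```

Run it and compare the two outputs: the routing firewall forwards a rewritten frame (its own private MAC as source, TTL 63) and answers the TTL=1 probe from its public address, whereas the bridging firewall forwards the allowed frame unchanged and lets the probe through without ever naming itself. That is the whole of the "invisibility" the advantages above rely on. One practical note not covered by the book text: a real bridging firewall still usually carries a management address on a separate, non-bridged interface, and that interface must be kept off the segments an attacker can reach, or the firewall is a target again.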

A typical network design using a Layer 2 firewall is shown in Figure 10.6. The firewall is placed at the head of the network, just like a typical firewall, but rather than having the firewall act as the gateway for the network, the gateway role is pushed back to the router, and the firewall simply forwards traffic, like a bridge.

While a Layer 2 firewall design can be elegant, it can also have problems. Because the firewall no longer breaks the network up into subnets, the various segments of the network must be architected carefully to keep sensitive traffic from spilling into areas where it should not be seen.

Figure 10.6. A Layer 2 firewall sits in the same place on the network as a typical firewall, but it does not perform any routing on the network, making it invisible to a casual attacker


Layer 2 firewalls can also make network troubleshooting more difficult. A device that directly affects traffic but does not show up as a network node can create confusion and make network problems harder to spot: a packet dropped by the firewall leaves no hop in a traceroute to point at the device that dropped it.


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
Year: 2002
Authors: Allan Liska