10

After searching some information on the Internet, I found only two advantages of a transparent firewall:

  • "Stealth" mode, i.e., it became an invisible host on the network
  • Installs easily into an existing network without modifying the Internet Protocol (IP) address

But this looks like a bit incomplete and maybe groundless. It seems that there should be some more good reasons for vendors (or open-source fellows) to implement such a mode and for customers to buy (use) this functionality.

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
z0lupka
  • 139
  • 1
  • 11

2 Answers2

6

The biggest reason I know of? . A large part of the reason IPv6 was proposed was to get around the address exhaustion problem of IPv4 and get rid of the 'ugly hack' that is . Because of the IPv4+NAT combination, far too many people automatically assume that == which is not the case. Nearly all firewalls can do NAT, but not all NAT solutions can do firewall.

IPv6 assumes an unmasked network, which causes some problems with people used to everything being masked. In an IPv6 network you are much safer assuming that a 'public' IPv6 address is no guarantee of routeability.

But it's not just IPv6. The university I used to work for had a /16 IPv4 allocation when I worked there. They had desktops with 'public' IP addresses on them. Yet they were still firewalled because our firewalls were working in 'transparent' mode. We had the address space, why not? It also made certain use-cases easier to handle without having to play NAT port-forwarding and public-ip-assignment games.


If your definition of transparent means an L2 security service, the use-cases there are common even in IPv4 networks.

  • AWS Security Groups operate like this for their , Virtual Private Cloud, and other services.
  • Azure Security Groups operate similarly.
  • It's been a while since I worked with it, but I believe VMWare ESX networks had a similar option.

These systems are the core of network security in the major public cloud providers. You define a list of allow/deny rules, and they apply to the resource. In AWS this is the interface of the EC2 instance, Lambda, or other service. The firewall doesn't exist on the box like an iptables, but below the virtual machine. This makes it a transparent L2 device.

sysadmin1138
  • 131,083
  • 18
  • 173
  • 296
  • Thank you for your answer! But I still didn't get how the **transparent** mode helps with IPv6.. :( Did you mean that with IPv6 there is no need of L3-NAT? Okay, but we can still use L3-firewall with IPv6-routing, doesn't it? What is the need of transparent/bridge mode? – z0lupka Jan 05 '22 at 09:27
  • Perhaps you mean "extra routing".. but I'm not sure I got it right – z0lupka Jan 05 '22 at 09:40
  • 3
    _"They had desktops with 'public' IP addresses on them. Yet they were still firewalled because our firewalls were working in 'transparent' mode."_ -- err, you can well have a regular routing firewall with public IP addresses on both sides, right? Or am I misunderstanding what "transparent" here means? – ilkkachu Jan 05 '22 at 10:06
  • 1
    @sysadmin1138 Your IPv6 example and university example doesn't correspond to the "transparent firewall" as defined under the given link. Those aren't necessary "invisible"; in both cases there could be ordinary routers, not "invisible". The core idea here is not ommiting any NAT, but that the filtering is moved to L2. It is there was no such fancy firewall in the university network. – Nikita Kipriyanov Jan 05 '22 at 18:52
  • @NikitaKipriyanov I've updated the answer to include some concrete examples about where that technique is in common usage. – sysadmin1138 Jan 06 '22 at 18:19
  • I don't have definite knowledge how AWS or Azure internally implement their security groups etc. However, I see no point of them implementing them as transparent firewalls (layer 2 bridge, which intercepts packets between the two bridge segments). That would only add unnecessary complexity to the system without real benefits. I would think they would implement normal L3 firewalls, where there are two different IP subnets in different sides of the firewall. – Tero Kilkanen Jan 11 '22 at 15:55
  • @TeroKilkanen AWS provably performs IP-based security filtering between hosts on the same L2 network. Not only that, they allow filtering based on additional non-IP attributes such as the security-group itself. Their virtual interface really does do both inbound and outbound security filtering based on an access control list. – sysadmin1138 Jan 11 '22 at 18:42
3

You may have a requirement that some hosts must reside within the same LAN segment and at the same time, they require very different security policies. For example, you may want to be in the same network as your AD domain controllers (DCs), and yet you want to secure them and separate from the rest of the network somehow.

For this, you add a transparent firewall. On one side, you'll have your DCs, on the other side you'll have the rest, and still they may live inside a single network, like 192.168.5.0/24, and think happily they don't have any L3 devices between them. And all of them will have the same default gateway, which will likely be deployed on the "insecure" side.

The other case could be be when it comes to really firewall bridged traffic. E.g., there are services which even don't know what IP, IPv6 or any other L3 is, and they are communicating using raw Ethernet frames. ATA over Ethernet (AoE) first came to mind. I've seen some industrial automation that communicate using raw Ethernet. And when it comes to ascertain the AoE shelfs are accessible to only certain known hosts, you will use something like these "bridge-firewalls".

Peter Mortensen
  • 2,319
  • 5
  • 23
  • 24
Nikita Kipriyanov
  • 8,033
  • 1
  • 21
  • 39
  • *"you may want to be in the same network as your AD Domain Controllers, and yet you want to secure them"* - but doesn't this can be implemented through ACL-filtering between vlans? – z0lupka Jan 05 '22 at 12:04
  • *"you will use something like these "bridge-firewalls""* - Okay, this is something like bridge filtering, without L3. Heard about this.. – z0lupka Jan 05 '22 at 12:07
  • 1
    This transparent firewall **is** the entity which is supposed to do some "ACL-filtering between vlans". – Nikita Kipriyanov Jan 05 '22 at 14:09
  • Sorry, but didn't get it. ACL-filtering between vlans can do every regular switch, doesn't it? It's the switch functionality. So seems that there is no need to have the whole firewall and deploy it in transparent mode.. Maybe I'm wrong – z0lupka Jan 05 '22 at 22:42
  • Speaking your words, any router might do packet filtering and VPN termination, doesn't it? Doesn't it render any dedicated firewalls and VPN boxes redundant? So, while some basic filtering can be done within a switch or router itself, when it comes to more sophisticated things, like high-level matching (DPI) and IPS integration, we use specialized devices. We need them on both layers, obviously, and "transparent firewall" is the one for the layer 2. – Nikita Kipriyanov Jan 06 '22 at 16:31
  • 1
    Thank you! *"requirement that some hosts must reside within the same LAN segment and at the same time, they require very different security policies"* - doesn't ARP-proxy solve this? – z0lupka Jan 06 '22 at 17:43
  • No. Proxy ARP makes two distinct LAN segments with L3 router in between. These LANs share the same network (or one is a subset of another), which is why it appears similar. This setup only can directly pass IP packets, and even for IP certain quirks are needed, like DHCP-helper. Other protocols (like AoE I mentioned) wouldn't work at all. This is not comparable with true transparent firewall, which allows you to create truly contigous L2 segment, but firewall the part of it. – Nikita Kipriyanov Jan 06 '22 at 18:02