- Static Versus Dynamic Filtering
- Router Mode Versus End-System Mode Firewalls
- Router-Controlled Failover Using Mirrored Router-Mode Firewalls
Router Mode Versus End-System Mode Firewalls
The distinction between router mode and end-system mode has a major impact on a redundant firewall network design. This may come as a surprise, given that the impact on a conventional network is so minimal that the distinction is usually ignored by the firewall specialist. Indeed, router mode versus end-system mode is often confused with proxy-mode versus pass-through mode considerations, which can impact security but have no impact on network design.
End-system mode firewall usage is compatible with any addressing scheme on either network because neither the inside nor the outside network has any visibility into the existence of the other network. There is no need for the IP addresses used on either side of the firewall to be unique. This allows the firewall to effectively link networks with overlapping address space, a common requirement when communicating between two organizations using RFC 1918 private addresses. As long as there is address space in each network to be used by its side of the firewall and the application being supported uses a protocol that the firewall knows how to proxy (or one that doesn't need to be proxied because no addressing information is carried as part of the protocol payload), communications can proceed safely and securely.
When running in router mode, the routing that was automatic in end-system mode must now be performed manually. Since there is no IP subnetwork containing the IP addresses used for destinations on the other side of the firewall, you need to distribute knowledge of the correct path to use throughout the inside network. In a small network, you might include a static route on every inside router. In larger networks, this quickly becomes impractical; you'll usually configure the firewall access routers to redistribute the appropriate static routes into their routing domain.
The challenge is that you can only configure your routers to provide automatic protection against firewall failures when the firewalls can be treated by the routers as routers. The problem is that you can't support two end-systems with the same IP address, which is what would be required for one end-system mode firewall to duplicate a specific service provided by another end-system mode firewall. When the firewalls are using router mode, there's no problem, because having multiple routes to a single IP address is just business as usual.
In some environments, the choice of running the firewalls in router mode is not available. Providing automatic failover when the firewalls are running in end-system mode is significantly more difficult than when they're running in router mode. While it can be done, be forewarned that the solution is not pretty. Multiple tricks must be used to make the firewalls appear to the routers as router-mode firewalls (even though they aren't), and then you must NAT the addresses used by the firewalls in order to present a consistent address appearance to the users. While it can be done, the resulting configurations are much more complex and place strict constraints on address assignments.