Some key problems in the design of Firewall (2)

Source: Internet
Author: User
Tags functions implement key firewall

4. Transparency

The transparency of the firewall means that the firewall is transparent to the user, when the firewall is connected to the network, the network and the user do not need to do any setup and the change, also do not realize the firewall existence at all.

Firewall as a physical device, if you want to put into the existing network without any impact on the network, you must be in the way of Network Bridge. In the traditional way, firewall installation, more like a router or gateway, the original network topology often needs to change, network equipment (including host and router) settings (IP and gateway, DNS, routing table, etc.) also need to change. However, if the firewall uses transparent mode, that is, to run like a network bridge, users will not have to reset and modify the route, and do not need to know the location of the firewall, the firewall can be installed directly and put into the network to use.

The biggest advantage of transparent mode is that there is no need to make any changes to the existing network, which is convenient for many customers, moreover, it is easy to switch from transparent mode to non-transparent mode, and the applicability is obviously wider. Of course, at this time the firewall only acts as a firewall, other gateway location functions such as NAT, VPN function no longer applicable, of course, other functions such as transparent agent can continue to use.

At present, the implementation of transparent mode can be implemented by ARP Proxy and routing technology. At this point the firewall is equivalent to the function of an ARP proxy. Intranet (which can still contain routers or subnets, and so on), firewalls, routers are located roughly as follows:

Intranet ――――― Firewall ――――― router

(To be explained, this is the most campus network to achieve the network level)

Intranet host to achieve transparent access, must be able to transparently transfer between the intranet and router ARP packet, and at this time because of the fact that the intranet and routers can not connect, the firewall must be configured as an ARP proxy (ARP proxy) between the network host and routers to pass the ARP packet. What the firewall has to do is when the router sends an ARP broadcast packet to ask the hardware address of a host in the intranet, the firewall uses the MAC address of the interface of the router to send the ARP packet; When a host in the intranet sends an ARP broadcast packet to ask the router's hardware address, Firewall and intranet connected interface of the MAC address loopback ARP packet, so routers and intranet hosts think that the packet sent to the other side, but is actually sent to the firewall forwarding.

Obviously, the firewall must also implement routing forwarding, so that packets between the internal and external network can be transparently forwarded. In addition, the firewall to play a role in the firewall, obviously also need to pass the packet to the Application layer processing (at this time to implement the application layer agent, filtering and other functions), at this time need port forwarding to achieve (?) This place is not very clear, also did not find the relevant information. The biggest difference between transparent and non-transparent modes on the network topology is: Transparent mode of two network cards (connected to the router and connected to the intranet) in a network segment (also and subnet in the same network segment), while the non-transparent mode of two network cards belong to two network segments (intranet may be an internal routing address, The extranet is the legal address).

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.