In a traditional network configuration, a firewall serves as the default gateway for hosts connected to one of its secured subnets. A transparent firewall, by contrast, acts as a “stealth firewall”: it is a Layer 2 firewall. To implement it, both the inside and outside ports of the security appliance are connected to the same network, with a separate VLAN for each interface.
Now let’s discuss the characteristics of transparent firewall mode:
- Transparent firewall mode supports an outside interface and an inside interface.
- Transparent firewall mode can run in both single and multiple context modes.
- Instead of routing table lookups, MAC address table lookups are performed.
Because it is not a routed hop, a transparent firewall is easy to introduce into an existing network: no IP readdressing is required, maintenance is simpler, and no NAT configuration is needed.
Transparent mode acts as a bridge, but unlike a plain bridge it does not let Layer 3 (IP) traffic pass freely from a lower security level interface to a higher one.
To permit traffic through a transparent firewall, configure an extended ACL. Without an ACL, only Address Resolution Protocol (ARP) traffic can pass, and ARP inspection can control it. Note that transparent firewalls pass only frames with a valid EtherType, i.e. a value greater than or equal to 0x600. This means that IS-IS packets cannot pass through (IS-IS frames carry an 802.3 length field in that position rather than an EtherType). The one exception is BPDUs, which are supported.
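As an added illustration (not from the original article), here is a small Python model of the default forwarding decision described above: the 12-13 byte field is read as either an EtherType (≥ 0x600) or an 802.3 length, ARP and BPDUs pass without an ACL, IS-IS is dropped, and a stand-in predicate represents the extended ACL. The frames and MAC addresses are constructed samples, not captures.

```python
import struct
from typing import Callable

ETHERTYPE_MIN = 0x0600  # below this, bytes 12-13 are an 802.3 length field, not an EtherType
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
STP_SAP = 0x42          # LLC DSAP/SSAP carried by 802.1D BPDUs
ISIS_SAP = 0xFE         # LLC DSAP/SSAP carried by IS-IS PDUs

def classify_frame(frame: bytes) -> str:
    """Classify a raw Ethernet frame as 'arp', 'bpdu', 'llc' or 'ethertype:0x....'."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (type_or_len,) = struct.unpack("!H", frame[12:14])
    if type_or_len >= ETHERTYPE_MIN:
        return "arp" if type_or_len == ETHERTYPE_ARP else f"ethertype:0x{type_or_len:04x}"
    # 802.3 framing: the next two bytes are the LLC DSAP and SSAP
    if len(frame) >= 16 and frame[14] == STP_SAP and frame[15] == STP_SAP:
        return "bpdu"
    return "llc"  # e.g. IS-IS, which a transparent firewall does not pass

def transparent_forward(frame: bytes, acl: Callable[[bytes], bool] = lambda f: False) -> bool:
    """Forwarding decision as the text describes it: ARP and BPDUs pass without an ACL,
    frames with a valid EtherType (>= 0x600) pass only if the ACL permits them,
    and other 802.3 length-field frames (e.g. IS-IS) are dropped."""
    kind = classify_frame(frame)
    if kind in ("arp", "bpdu"):
        return True
    return kind.startswith("ethertype:") and acl(frame)

def permit_ipv4(frame: bytes) -> bool:
    """Stand-in for an extended ACL (real ones match IP/port fields): permit IPv4 frames."""
    return struct.unpack("!H", frame[12:14])[0] == ETHERTYPE_IPV4

def _frame(dst: str, src: str, type_or_len: int, payload: bytes) -> bytes:
    return bytes.fromhex(dst) + bytes.fromhex(src) + struct.pack("!H", type_or_len) + payload

# Constructed sample frames: broadcast ARP, unicast IPv4, STP BPDU, IS-IS hello (hypothetical MACs)
ARP_FRAME = _frame("ffffffffffff", "001122334455", ETHERTYPE_ARP, b"\x00" * 28)
IPV4_FRAME = _frame("0a0b0c0d0e0f", "001122334455", ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19)
BPDU_FRAME = _frame("0180c2000000", "001122334455", 38, bytes([STP_SAP, STP_SAP, 0x03]) + b"\x00" * 35)
ISIS_FRAME = _frame("0180c2000014", "001122334455", 30, bytes([ISIS_SAP, ISIS_SAP, 0x03]) + b"\x00" * 27)

if __name__ == "__main__":
    for name, frame in [("ARP", ARP_FRAME), ("IPv4", IPV4_FRAME), ("BPDU", BPDU_FRAME), ("IS-IS", ISIS_FRAME)]:
        print(f"{name:5} no ACL: {transparent_forward(frame)}  with IPv4 ACL: {transparent_forward(frame, permit_ipv4)}")
```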
IP addressing should be done as if the security appliance were not present in the network. A management IP address is needed for connecting to and from the security appliance, and this address must be on the same subnet as the connected network. To keep the two traffic flows distinct, the security appliance's interfaces must be placed in different VLANs on the Layer 2 device.