Transparent Mode; Overview - D-Link NetDefend DFL-210 User Manual


4.7. Transparent Mode

4.7.1. Overview

Transparent Mode Usage
The NetDefendOS Transparent Mode feature allows a D-Link Firewall to be placed at a point in a
network without any reconfiguration of the network and without hosts being aware of its presence.
All NetDefendOS features can then be used to monitor and manage traffic flowing through that
point. NetDefendOS can allow or deny access to different types of services (for example HTTP) and
in specified directions. As long as users are accessing the services permitted, they will not be aware
of the D-Link Firewall's presence.
Network security and control can therefore be significantly enhanced by deploying a D-Link
Firewall operating in Transparent Mode, while disturbance to existing users and hosts is
minimized.
Switch Routes
Transparent Mode is enabled by specifying a Switch Route instead of a standard Route in routing
tables. The switch route usually specifies that the network all-nets is found on a specific interface.
NetDefendOS then uses ARP message exchanges over the connected Ethernet network to identify
and keep track of which host IP addresses are located on that interface (this is explained further
below). There should not be a normal non-switch route for that same interface.
In certain, less usual circumstances, switch routes can have a network range specified instead of
all-nets. This is usually when a network is split between two interfaces but the administrator does
not know exactly which users are on which interface.
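
The following audit script is an added example, not part of the D-Link manual or of NetDefendOS. It checks a routing table for the two conditions described above: an interface that carries both a switch route and a normal route, and a switch route that uses a network range instead of all-nets. The tuple layout and interface names are constructed for illustration and are not NetDefendOS export syntax; all-nets is assumed to mean 0.0.0.0/0.

```python
from collections import defaultdict
from ipaddress import ip_network

# Constructed sample data: (route kind, interface, network).
# "switch" = Switch Route, "route" = standard (non-switch) Route.
SAMPLE_ROUTES = [
    ("switch", "lan", "all-nets"),
    ("switch", "wan", "all-nets"),
    ("route", "dmz", "192.168.10.0/24"),
    ("switch", "if3", "10.1.0.0/16"),   # range instead of all-nets
    ("route", "if3", "10.1.0.0/24"),    # normal route on a switch-route interface
]


def parse_network(text):
    """Parse a network string; all-nets is assumed to be 0.0.0.0/0."""
    return ip_network("0.0.0.0/0" if text == "all-nets" else text)


def audit_routes(routes):
    """Return (conflicts, ranged).

    conflicts: sorted interfaces that have both a switch route and a
               normal route, which the manual says should not happen.
    ranged:    (interface, network) for switch routes that are not
               all-nets, the less usual case that deserves a review.
    """
    kinds = defaultdict(set)
    ranged = []
    for kind, iface, net in routes:
        if kind not in ("switch", "route"):
            raise ValueError(f"unknown route kind: {kind!r}")
        network = parse_network(net)  # raises ValueError on bad input
        kinds[iface].add(kind)
        if kind == "switch" and network.prefixlen != 0:
            ranged.append((iface, str(network)))
    conflicts = sorted(i for i, k in kinds.items() if k == {"switch", "route"})
    return conflicts, ranged


if __name__ == "__main__":
    conflicts, ranged = audit_routes(SAMPLE_ROUTES)
    for iface in conflicts:
        print(f"CONFLICT: {iface} has both a switch route and a normal route")
    for iface, net in ranged:
        print(f"REVIEW: switch route on {iface} covers {net}, not all-nets")
```
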
Usage Scenarios
Two examples of Transparent Mode's usage are:
Implementing Security Between Users
In a corporate environment, there may be a need to protect the computing resources of different
departments from one another. The finance department might require access to only a restricted
set of services (HTTP for example) on the sales department's servers whilst the sales department
might require access to a similarly restricted set of applications on the finance department's
hosts. By deploying a single D-Link Firewall between the two departments' physical networks,
transparent but controlled access can be achieved.
Controlling Internet Access
An organization allows traffic between the external Internet and a range of public IP addresses
on an internal network. Transparent Mode can control what kind of service is permitted to these
IP addresses and in what direction. For instance, the only services permitted in such a situation
may be HTTP access out to the Internet. This usage is dealt with in greater depth below in
Section 4.7.2, "Enabling Internet Access".
Comparison with Routing Mode
The D-Link Firewall can operate in two modes: Routing Mode using non-switch routes or
Transparent Mode using switch routes.
With non-switch routes, the D-Link Firewall performs all the functions of an OSI Layer 3 Router. If
Chapter 4. Routing
