Transparent Mode; Overview Of Transparent Mode; Comparison With Routing Mode; Transparent Mode Implementation - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05
4.5. Transparent Mode

4.5.1. Overview of Transparent Mode

Deploying D-Link Firewalls operating in Transparent Mode into an existing network topology can
significantly strengthen security. It is simple to do and doesn't require reconfiguration of existing
nodes. Once deployed, NetDefendOS can then allow or deny access to different types of services
(e.g. HTTP) and in specified directions. As long as users of the network are accessing permitted
services through the D-Link Firewall they are not aware of its presence. Transparent Mode is enabled
by specifying a Switch Route instead of a standard Route.

A typical example of Transparent Mode's ability to improve security is in a corporate environment
where there might be a need to protect different departments from one another. The finance
department might require access to only a restricted set of services (e.g. HTTP) on the sales
department's servers whilst the sales department might require access to a similarly restricted set
of applications on the finance department's network. By deploying a single D-Link Firewall between
the two departments' networks, transparent but controlled access can be achieved using the
Transparent Mode feature.

Another example might be an organisation allowing traffic between the external internet and a range
of public IP addresses on an internal network. Transparent Mode can control what kind of service is
permitted to these IP addresses and in what direction. For instance, the only services permitted in
such a situation may be HTTP access out to the internet.

4.5.2. Comparison with Routing mode

The D-Link Firewall can operate in two modes: Routing Mode or Transparent Mode. In Routing
Mode, the D-Link Firewall performs all the functions of a Layer 3 router; if the firewall is placed
into a network for the first time, or if network topology changes, the routing configuration must
therefore be thoroughly checked to ensure that the routing table is consistent with the new layout.
Reconfiguration of IP settings may be required for pre-existing routers and protected servers. This
mode works well when complete control over routing is desired.

In Transparent Mode, where Switch Route is used instead of Route, the firewall acts in a way that
has similarities to a switch; it screens IP packets and forwards them transparently to the correct
interface without modifying any of the source or destination information on the IP or Ethernet levels.

Two benefits of Transparent Mode are:

• When a client moves from one interface to another without changing IP address, it can still
  obtain the same services as before (e.g. HTTP, FTP) without routing reconfiguration.
• The same network address range can exist on several interfaces.

4.5.3. Transparent Mode implementation

In Transparent Mode, NetDefendOS allows ARP transactions to pass through the D-Link Firewall,
and determines from this ARP traffic the relationship between IP addresses, physical addresses and
interfaces. NetDefendOS remembers this address information in order to relay IP packets to the
correct receiver. During the ARP transactions, neither of the endpoints will be aware of the
firewall's presence.

Note: D-Link Firewalls need not operate exclusively in Transparent Mode but can combine
Transparent Mode with Routing Mode to operate in a hybrid mode. That is to say, the
firewall can have both Switch Routes as well as standard routes defined. It is also
possible to create a hybrid case by applying address translation on otherwise
transparent traffic.
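
The address learning described in 4.5.3, as an added illustration that is not D-Link's code or part of the original manual: a simplified Python model that learns IP-to-MAC-and-interface bindings from the sender fields of ARP payloads and picks the interface to relay to. The interface names, addresses and the 'new'/'moved'/'same' event labels are constructed for the example; how NetDefendOS actually maintains its table is not documented on this page.

```python
import ipaddress
import struct

ARP_FMT = "!HHBBH6s4s6s4s"  # Ethernet/IPv4 ARP payload, 28 bytes

def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Build a constructed ARP payload (op 1 = request, 2 = reply)."""
    mac = lambda m: bytes.fromhex(m.replace(":", ""))
    ip = lambda a: ipaddress.IPv4Address(a).packed
    return struct.pack(ARP_FMT, 1, 0x0800, 6, 4, op,
                       mac(sender_mac), ip(sender_ip), mac(target_mac), ip(target_ip))

def parse_arp(payload):
    """Return (sender_mac, sender_ip), or None if not a valid Ethernet/IPv4 ARP."""
    if len(payload) < 28:
        return None
    htype, ptype, hlen, plen, op, sha, spa, _, _ = struct.unpack(ARP_FMT, payload[:28])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4) or op not in (1, 2):
        return None
    return sha.hex(":"), str(ipaddress.IPv4Address(spa))

class LearningTable:
    """Simplified model (assumption): IP -> (MAC, interface) from ARP sender fields."""
    def __init__(self):
        self.entries = {}

    def observe(self, iface, payload):
        """Learn from one ARP payload seen on iface; return 'new', 'moved', 'same' or None."""
        parsed = parse_arp(payload)
        if parsed is None or parsed[1] == "0.0.0.0":  # malformed, or probe without sender IP
            return None
        mac, ip = parsed
        old = self.entries.get(ip)
        self.entries[ip] = (mac, iface)
        if old is None:
            return "new"
        return "same" if old == (mac, iface) else "moved"

    def egress(self, dst_ip):
        """Interface to relay a packet for dst_ip to, or None if not yet learned."""
        entry = self.entries.get(dst_ip)
        return entry[1] if entry else None

def demo():
    """Constructed traffic: two hosts in one address range on 'lan' and 'dmz'."""
    t, zero = LearningTable(), "00:00:00:00:00:00"
    a, b = ("02:00:00:00:00:0a", "192.168.10.10"), ("02:00:00:00:00:14", "192.168.10.20")
    events = [t.observe("lan", build_arp(1, *a, zero, b[1])),
              t.observe("dmz", build_arp(2, *b, *a))]
    before = t.egress(a[1])
    events.append(t.observe("dmz", build_arp(1, *a, zero, b[1])))  # host a re-plugged on dmz
    return events, before, t.egress(a[1]), t.egress(b[1])
```

A 'moved' result corresponds to the first benefit listed in 4.5.2, and it is also the event worth logging when an address appears on an interface where it is not expected.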