D-Link NetDefendOS User Manual page 380

Network security firewall
Implementing Security Between Users
In a corporate environment, there may be a need to protect the computing resources of
different departments from one another. The finance department might require access to
only a restricted set of services (HTTP, for example) on the sales department's servers, whilst
the sales department might require access to a similarly restricted set of applications on the
finance department's hosts. By deploying a single NetDefend Firewall between the two
departments' physical networks, transparent but controlled access can be achieved.
Controlling Internet Access
An organization allows traffic between the external Internet and a range of public IPv4
addresses on an internal network. Transparent mode can control what kind of service is
permitted to these IP addresses and in what direction. For instance, the only service
permitted in such a situation might be HTTP access out to the Internet. This usage is dealt with
in greater depth below in Section 4.8.2, "Enabling Internet Access".
Comparison with Routing Mode
The NetDefend Firewall can be regarded as operating in either of two modes:
Routing Mode using non-switch routes.
Transparent Mode using switch routes.
With non-switch routes, the NetDefend Firewall acts as a router and routing operates at layer 3 of
the OSI model. If the firewall is placed into a network for the first time, or if network topology
changes, the routing configuration must therefore be checked and adjusted to ensure that the
routing table is consistent with the new layout. Reconfiguration of IP settings may be required
for pre-existing routers and protected servers. This works well when comprehensive control over
routing is desired.
With switch routes, the NetDefend Firewall operates in transparent mode and resembles an OSI
Layer 2 switch in that it screens IP packets and forwards them transparently to the correct
interface without modifying any of the source or destination information at the IP or Ethernet
levels. This is achieved by NetDefendOS keeping track of the MAC addresses of the connected
hosts, which allows the physical Ethernet networks on either side of the NetDefend Firewall to
act as though they were a single logical IP network. (See Appendix D, The OSI Framework for an
overview of the OSI layer model.)
Two benefits of transparent mode over conventional routing are:
A user can move from one interface to another in a "plug-n-play" fashion, without changing
their IP address (assuming their IP address is fixed). The user can still obtain the same services
as before (for example HTTP, FTP) without any need to change routes.
The same network address range can exist on several interfaces.
Note: Transparent and Routing Mode can be combined
Transparent mode and routing mode can operate together on a single NetDefend
Firewall. Switch Routes can be defined alongside standard non-switch routes although
the two types cannot be combined for the same interface. An interface operates in one
mode or the other.
It is also possible to create a hybrid case by applying address translation on otherwise
transparent traffic.
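The transparent-mode behaviour described in this section, as an added simulation in Python (this is not NetDefendOS code or configuration): the firewall learns which interface each MAC address sits behind, forwards frames to the learned interface without rewriting any Ethernet or IP header, floods when the destination is still unknown, and applies a directional service policy so that, as in the departmental example above, finance hosts can reach sales servers over HTTP only, with replies allowed back statefully. It also shows a host moving to another interface without changing its IP address. The interface names, addresses, MAC addresses and rule set are constructed sample values, and the two segments deliberately share one IP range to illustrate that property of switch routes.

```python
"""Simulation of a layer-2 transparent (switch-route) firewall.

Added illustration, not NetDefendOS code: it models MAC learning per interface,
forwarding without rewriting IP or Ethernet headers, and a policy that decides
which services may cross between segments and in which direction.
All interface names, addresses and MACs below are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Frame:
    """Ethernet frame carrying a TCP segment; frozen so nothing can rewrite it."""
    src_mac: str
    dst_mac: str
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int


@dataclass(frozen=True)
class Rule:
    """Allow TCP from src_net to dst_net on dst_port (direction matters)."""
    src_net: str
    dst_net: str
    dst_port: int

    def matches(self, f: Frame) -> bool:
        return (ip_address(f.src_ip) in ip_network(self.src_net)
                and ip_address(f.dst_ip) in ip_network(self.dst_net)
                and f.dst_port == self.dst_port)


class TransparentFirewall:
    def __init__(self, interfaces, rules):
        self.interfaces = list(interfaces)
        self.rules = list(rules)
        self.mac_table = {}       # MAC address -> interface it was last seen on
        self.connections = set()  # permitted 4-tuples, so replies are allowed back

    def forward(self, frame: Frame, in_iface: str):
        """Return (list of egress interfaces, frame). An empty list means dropped."""
        # Layer-2 learning: remember which interface this source lives behind.
        self.mac_table[frame.src_mac] = in_iface

        fwd = (frame.src_ip, frame.src_port, frame.dst_ip, frame.dst_port)
        rev = (frame.dst_ip, frame.dst_port, frame.src_ip, frame.src_port)
        if rev in self.connections:
            pass                                   # reply of an allowed connection
        elif any(r.matches(frame) for r in self.rules):
            self.connections.add(fwd)              # new connection permitted by policy
        else:
            return [], None                        # policy violation: drop

        out = self.mac_table.get(frame.dst_mac)
        if out is None:
            # Destination not learned yet: flood to every other interface, like a switch.
            return [i for i in self.interfaces if i != in_iface], frame
        if out == in_iface:
            return [], None   # both hosts on the same segment; nothing to forward
        return [out], frame   # the very same frame object: no header rewriting


def demo():
    """Finance and sales share one IP range across interfaces of the firewall."""
    fw = TransparentFirewall(
        interfaces=["if_finance", "if_sales", "if_meeting"],
        rules=[Rule("10.0.0.0/28", "10.0.0.16/28", 80)],   # finance -> sales HTTP only
    )
    fin_pc = ("02:00:00:00:00:01", "10.0.0.10")     # constructed sample host
    sales_srv = ("02:00:00:00:00:20", "10.0.0.20")  # constructed sample server

    http = Frame(fin_pc[0], sales_srv[0], fin_pc[1], sales_srv[1], 50000, 80)
    ssh = Frame(fin_pc[0], sales_srv[0], fin_pc[1], sales_srv[1], 50001, 22)
    reply = Frame(sales_srv[0], fin_pc[0], sales_srv[1], fin_pc[1], 80, 50000)
    unsolicited = Frame(sales_srv[0], fin_pc[0], sales_srv[1], fin_pc[1], 40000, 80)

    results = {}
    results["http_first"] = fw.forward(http, "if_finance")        # unknown dst MAC: flooded
    results["http_reply"] = fw.forward(reply, "if_sales")         # learned MAC: unicast back
    results["ssh"] = fw.forward(ssh, "if_finance")                # not in policy: dropped
    results["unsolicited"] = fw.forward(unsolicited, "if_sales")  # wrong direction: dropped
    # Plug-and-play move: the PC reappears behind if_meeting with the same IP address.
    results["after_move"] = fw.forward(http, "if_meeting")
    results["mac_table"] = dict(fw.mac_table)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the module prints each decision; the first HTTP frame is flooded because the server's MAC has not been learned yet, the reply is forwarded only to the finance interface, SSH and the server-initiated connection are dropped, and after the move the same unmodified frame still reaches the server from its new interface.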
380
Chapter 4: Routing
