Enabling Transparent Mode; Transparent Mode Example Scenarios; Transparent Mode Scenario 1 - D-Link NetDefend DFL-210 User Manual

Network security firewall ver. 1.05

When beginning communication, a host will locate the target host's physical address by broadcasting an ARP request. This request is intercepted by NetDefendOS, which sets up an internal ARP Transaction State entry and broadcasts the ARP request to all the other switch-route interfaces except the interface the ARP request was received on. If NetDefendOS receives an ARP reply from the destination within a configurable timeout period, it relays the reply back to the sender of the request, using the information previously stored in the ARP Transaction State entry.

During the ARP transaction, NetDefendOS learns the source address information for both ends from the request and reply. NetDefendOS maintains two tables to store this information: the Content Addressable Memory (CAM) table and the Layer 3 Cache. The CAM table tracks the MAC addresses available on a given interface and the Layer 3 Cache maps an IP address to a MAC address and interface. As the Layer 3 Cache is only used for IP traffic, Layer 3 Cache entries are stored as single host entries in the routing table.

For each IP packet that passes through the firewall, a route lookup for the destination is done. If the route of the packet matches a Switch Route or a Layer 3 Cache entry in the routing table, NetDefendOS knows that it should handle this packet in a transparent manner. If a destination interface and MAC address are available in the route, NetDefendOS has the necessary information to forward the packet to the destination. If the route was a Switch Route, no specific information about the destination is available and the firewall has to discover where the destination is located in the network. Discovery is done by NetDefendOS sending out ARP as well as ICMP (ping) requests, acting as the initiating sender of the original IP packet for the destination, on the interfaces specified in the Switch Route. If an ARP reply is received, NetDefendOS updates the CAM table and Layer 3 Cache and forwards the packet to the destination.

If the CAM table or the Layer 3 Cache is full, the tables are partially flushed automatically. Using the discovery mechanism of sending ARP and ICMP requests, NetDefendOS rediscovers destinations that may have been flushed.
4.5.4. Enabling Transparent Mode
Two steps are normally required to have NetDefendOS operate in Transparent Mode:
1. If desired, create a group of the interfaces that are to be transparent. Interfaces in a group can be marked as Security transport equivalent if hosts are to move freely between them.
2. Create Switch Routes and, if applicable, use the interface group created earlier. For the Network parameter, specify the range of IP addresses that will be transparent between the interfaces. When the entire firewall is working in Transparent Mode this range is normally 0.0.0.0/0.
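The relay, learn and discover sequence described above, combined with a single Switch Route for 0.0.0.0/0 across an interface group as in the two steps just listed, as an added simulation written for this page (not code from the D-Link manual or from NetDefendOS): the ARP Transaction State, the CAM table and the Layer 3 Cache are modelled as plain Python tables so the behaviour can be traced step by step. The interface names lan, dmz and wan, all MAC and IP addresses, the two-second ARP timeout, the four-entry cache limit and the "drop the older half" flush policy are assumptions made for the example; the manual only says the tables are "partially flushed" and that the timeout is configurable.

```python
"""Toy model of transparent-mode forwarding: ARP Transaction State, CAM table,
Layer 3 Cache and a Switch Route. Added example for this page, not code from
the D-Link manual or NetDefendOS; names, addresses and limits are constructed."""
import ipaddress

# Steps 1 and 2 above: an interface group and one Switch Route whose Network
# is 0.0.0.0/0 spanning all of it (assumed interface names).
GROUP = ("lan", "dmz", "wan")
SWITCH_NET = ipaddress.ip_network("0.0.0.0/0")


class TransparentFirewall:
    def __init__(self, arp_timeout=2.0, cache_limit=4):
        self.now = 0.0                        # simulated clock, advanced by the caller
        self.arp_timeout, self.cache_limit = arp_timeout, cache_limit
        self.pending = {}                     # ARP Transaction State: target_ip -> (req_ip, req_mac, in_iface, t)
        self.cam = {i: set() for i in GROUP}  # CAM: iface -> MACs seen on it
        self.l3 = {}                          # Layer 3 Cache: ip -> (mac, iface), insertion ordered
        self.sent = []                        # trace of (out_iface, frame)

    def _learn(self, ip, mac, iface):
        if ip not in self.l3 and len(self.l3) >= self.cache_limit:
            # Table full: drop the older half (assumed policy; the manual only
            # says "partially flushed"). Victims are rediscovered on demand.
            for old in list(self.l3)[: len(self.l3) // 2]:
                omac, oiface = self.l3.pop(old)
                self.cam[oiface].discard(omac)
        self.cam[iface].add(mac)
        self.l3[ip] = (mac, iface)

    def _flood(self, in_iface, frame):
        """Send on every Switch Route interface except the receiving one."""
        for out in GROUP:
            if out != in_iface:
                self.sent.append((out, frame))

    def arp_request(self, in_iface, sender_ip, sender_mac, target_ip):
        self._learn(sender_ip, sender_mac, in_iface)
        self.pending[target_ip] = (sender_ip, sender_mac, in_iface, self.now)
        self._flood(in_iface, ("ARP-REQ", sender_ip, target_ip))

    def arp_reply(self, in_iface, sender_ip, sender_mac, target_ip):
        """Reply from sender_ip (the host looked up) addressed to target_ip."""
        st = self.pending.pop(sender_ip, None)
        if st is None or st[0] != target_ip or self.now - st[3] > self.arp_timeout:
            return False                      # no live transaction: drop it
        self._learn(sender_ip, sender_mac, in_iface)
        self.sent.append((st[2], ("ARP-REPLY", sender_ip, target_ip, sender_mac)))
        return True

    def ip_packet(self, in_iface, src_ip, src_mac, dst_ip):
        """Route lookup: a Layer 3 Cache host entry wins, else the Switch Route."""
        if dst_ip in self.l3:
            mac, iface = self.l3[dst_ip]
            self.sent.append((iface, ("IP", src_ip, dst_ip, mac)))
            return "forwarded"
        if ipaddress.ip_address(dst_ip) not in SWITCH_NET:
            return "not-transparent"          # would go to ordinary routing
        # Location unknown: probe the other interfaces with ARP and ICMP echo,
        # using the original sender's addresses, as the text describes.
        self.pending[dst_ip] = (src_ip, src_mac, in_iface, self.now)
        self._flood(in_iface, ("ARP-REQ", src_ip, dst_ip))
        self._flood(in_iface, ("ICMP-ECHO", src_ip, dst_ip))
        return "discovering"


def run_demo():
    """Walk through relay, forward, timeout and rediscovery; return observations."""
    fw, out = TransparentFirewall(arp_timeout=2.0, cache_limit=4), {}
    # 1. A lan client looks up the wan router; the request is flooded.
    fw.arp_request("lan", "10.0.0.10", "aa:00:00:00:00:10", "10.0.0.1")
    out["flooded_to"] = [i for i, f in fw.sent if f[0] == "ARP-REQ"]
    # 2. The router answers in time; the reply is relayed to lan only.
    fw.now = 0.5
    out["reply_relayed"] = fw.arp_reply("wan", "10.0.0.1", "aa:00:00:00:00:01", "10.0.0.10")
    out["reply_iface"] = fw.sent[-1][0]
    out["router_entry"] = fw.l3["10.0.0.1"]
    # 3. IP traffic now matches the host entry and is forwarded directly.
    out["fwd"] = fw.ip_packet("lan", "10.0.0.10", "aa:00:00:00:00:10", "10.0.0.1")
    # 4. A reply arriving after the timeout is dropped, not relayed.
    fw.arp_request("dmz", "10.0.0.20", "aa:00:00:00:00:20", "10.0.0.50")
    fw.now = 10.0
    out["late_reply"] = fw.arp_reply("wan", "10.0.0.50", "aa:00:00:00:00:50", "10.0.0.20")
    # 5. Overfilling the cache flushes older entries; a flushed destination is
    #    rediscovered with ARP plus ICMP echo on the other interfaces.
    for n in (30, 31, 32):
        fw.arp_request("lan", f"10.0.0.{n}", f"aa:00:00:00:00:{n}", "10.0.0.1")
    out["router_still_cached"] = "10.0.0.1" in fw.l3
    fw.sent.clear()
    out["rediscover"] = fw.ip_packet("wan", "10.0.0.1", "aa:00:00:00:00:01", "10.0.0.10")
    out["probes"] = sorted({f[0] for _, f in fw.sent})
    return out
```

run_demo() traces a request flooded out of every interface but the one it arrived on, the router's reply relayed back only to the requester's interface, direct forwarding once a host entry exists, a late reply being discarded because its transaction has expired, and rediscovery of a flushed destination with both ARP and ICMP echo probes. The last point is worth remembering when reading switch port-security logs or IDS alerts on a transparent segment: the firewall legitimately emits ARP requests and ICMP echo requests that carry another host's source addresses.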

4.5.5. Transparent Mode example scenarios

Scenario 1
The firewall in Transparent Mode is placed between an Internet access router and the internal network. The router is used to share the Internet connection with a single public IP address. The internal NATed network behind the firewall uses the 10.0.0.0/24 address space. Clients on the internal network are allowed to access the Internet via the HTTP protocol.
Figure 4.4. Transparent mode scenario 1
Chapter 4. Routing