Abstract - Technical Program - NETA 99
Tricks You Can Do if Your Firewall Is a Bridge
Thomas A. Limoncelli, Lucent Technologies, Bell Labs
Abstract
Firewalls that forward packets like a bridge, rather than as a router,
have many operational benefits. By decoupling routing from filtering,
the firewall becomes a pure filter, unburdened by routing table or
interface configuration. The result is increased flexibility. This paper
explores some of the benefits we have found. Most of the benefits stem
from the fact that a bridged firewall requires fewer transit subnets.
Sometimes transit subnets are completely eliminated. It can be placed
between any two network devices and act like a line filter without
needing to change the logical routing of the network. It is easy to put
one in series with another firewall for testing. Our examples include
replacing an old firewall with a new one, moving a firewall from one
router to another with zero downtime, firewalling off an individual
office or lab, and others. In many cases topology changes are made
without service interruptions. The operational procedures become much
simpler. The paper also suggests future directions for research in
this area.
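The abstract's central point is that a bridging firewall has no routing role: its two interfaces carry no IP addresses, so it can be dropped in series with any link and filter traffic without the surrounding hosts or routers noticing a topology change. The script below is an added example of that arrangement on a modern Linux host, not code from the paper or from Lucent; it assumes a kernel with bridge support and bridge-family conntrack (5.3 or later), iproute2 and nftables, and uses placeholder interface names (eth0 outside, eth1 inside), a placeholder bridge name (br0) and the documentation address 192.0.2.10 as the one inside host reachable from outside. With DRY_RUN=1 it prints the commands and ruleset instead of applying them; applying for real requires root.

```shell
#!/bin/sh
# Transparent (bridged) firewall on Linux, added example.
# Assumptions: Linux >= 5.3 with bridge + nf_conntrack_bridge, iproute2, nftables.
# eth0/eth1/br0 and 192.0.2.10 are placeholders, not values from the paper.

OUTSIDE="${OUTSIDE:-eth0}"    # interface facing the untrusted side
INSIDE="${INSIDE:-eth1}"      # interface facing the protected office/lab
BRIDGE="${BRIDGE:-br0}"
WEB_HOST="${WEB_HOST:-192.0.2.10}"   # placeholder inside server allowed from outside

# Run a command, or just print it when DRY_RUN=1 (useful for review before cut-over).
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Enslave both interfaces to a bridge. Neither port nor the bridge gets an IP
# address, so this box never appears in anyone's routing table: the hosts on
# each side keep their existing addresses and default gateways.
build_bridge() {
  run ip link add name "$BRIDGE" type bridge
  run ip link set "$OUTSIDE" master "$BRIDGE"
  run ip link set "$INSIDE" master "$BRIDGE"
  run ip link set "$OUTSIDE" up
  run ip link set "$INSIDE" up
  run ip link set "$BRIDGE" up
}

# Emit an nftables ruleset in the bridge family: filtering happens on frames
# crossing the bridge, with no reliance on routing or interface addresses.
ruleset() {
  cat <<EOF
table bridge filter {
  chain forward {
    type filter hook forward priority 0; policy drop;
    # ARP must cross the bridge or hosts cannot resolve each other
    ether type arp accept
    # replies to connections already accepted in either direction
    ct state established,related accept
    # the protected side may initiate anything outbound
    iifname "$INSIDE" accept
    # from outside, only new web connections to the placeholder server
    iifname "$OUTSIDE" ip daddr $WEB_HOST tcp dport { 80, 443 } ct state new accept
    # everything else arriving from outside is logged and dropped
    iifname "$OUTSIDE" log prefix "bridgefw-drop " drop
  }
}
EOF
}

# Load the ruleset atomically (or print it under DRY_RUN=1).
apply_ruleset() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    ruleset
  else
    ruleset | nft -f -
  fi
}

# Only act when invoked as "apply"; sourcing the file defines the functions only.
case "${1:-}" in
  apply) build_bridge; apply_ruleset ;;
esac
```

Because the bridge itself is invisible at layer 3, the same script can be used for the abstract's "firewall in series with another firewall for testing" case: insert the box on the link, run it with DRY_RUN=1 to review, then apply; removing it later is again a cabling change rather than a routing change.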