This article in the IP Network Security from Beginner to Expert series (both conceptual and practical) builds on fundamentals covered in previous articles. Today we explain the following topics:
- Interface & Zone Types
  - L2/L3 and Tap
  - Virtual Wire & Tunnel
In our previous posts, the definition and types of firewall ZONE were explained from the perspective of network types such as LAN (Trust), WAN (Untrust) and DMZ. Today we elaborate on zone types from the interface and implementation perspective.
Interface types:
- Layer 2 (used for layer-2 communication; the interface must be part of a VLAN)
- Layer 3 (used for layer-3 communication; the interface must be part of a virtual router)
- Tap (useful before the firewall is deployed and integrated into the network)
- Virtual wire (for smooth integration of a new node into an existing network)
- Tunnel (carries VPN traffic, e.g. IPsec)
Zone types:
- Layer 2
- Layer 3
- Tap
- Virtual Wire
- Tunnel
Now let's elaborate on each one in detail.
The steps below create a Layer-2 zone; the same steps apply to the other types, only the selected type differs.
First go to Network -> Zones -> Add. Give a name (in our case Zone-A) and select the Type (L2/L3/Tap/Virtual wire/Tunnel).
- Keep in mind that the interface type and the zone type must be the same, and the MGT/HA ports cannot be assigned to any zone.
Layer 2/3 and tunnel interfaces relate to the traffic-carrying features of the firewall, whereas tap and virtual wire are useful during the device deployment and integration phase. Let me explain tap and virtual wire with an example.
Tap mode:
For example, in the topology below there is already a running firewall carrying live traffic, and the customer asks us to migrate this firewall without any outage.
The first step is to analyze and inspect the existing firewall by implementing tap mode, since tap mode uses SPAN (switch port analyzer, i.e. port mirroring).
In the diagram below, we connect the new firewall to the existing switch and configure port mirroring on the switch to send a copy of the traffic toward the new firewall. On the firewall, we configure a tap interface and a tap zone on the port connected to the switch, and don't forget the security policy with the tap zone as both source and destination (tap-to-tap) for the in/out traffic. In this way we receive a copy of the traffic without disturbing the live network or firewall.
Actually, this is one type of audit of the existing firewall.
The above is the first pre-integration step. Now let's move on to virtual wire mode to integrate the new firewall.
Virtual Wire Mode:
- A virtual wire is a virtual link between two ports of the firewall. If we configure a virtual wire between port-1 and port-2, any traffic arriving on port-1 is sent directly out of port-2, and vice versa.
- This is a transparent mode, inserted between the existing devices (i.e. the switch and the firewall), but with deep inspection of users, content, applications, etc.
- The two interfaces of a virtual wire don't require any routing or switching configuration, which makes integration of the new firewall smooth; the firewall can still block and allow traffic.
(Diagram: both the existing and the new firewall)
- After inspecting all the live traffic, just remove and reconnect the cables so that the existing firewall is isolated.
(Diagram: new firewall integrated)
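As an added example (not part of the original article), the rules stated above can be encoded as a small configuration check: interface and zone types must match, MGT/HA ports never belong to a zone, Layer 2 interfaces need a VLAN and Layer 3 interfaces need a virtual router, a tap zone needs a tap-to-tap security policy, and a virtual wire joins exactly two ports. The configuration dictionary, the interface names and the zone names are constructed for this example and do not follow any vendor's export format.

```python
"""Sanity checks for firewall interface/zone assignments.

Added example, not the article's or any vendor's code. The dict layout,
interface names and zone names are constructed for illustration only.
"""
from typing import Dict, List

# Constructed sample configuration (hypothetical names) that deliberately
# violates several of the rules so the checker has something to report.
SAMPLE_CONFIG = {
    "interfaces": {
        "ethernet1/1": {"type": "layer3", "virtual_router": "default"},
        "ethernet1/2": {"type": "layer3", "virtual_router": None},  # no VR
        "ethernet1/3": {"type": "layer2", "vlan": "vlan10"},
        "ethernet1/4": {"type": "tap"},
        "ethernet1/5": {"type": "virtual-wire", "vwire": "vw1"},
        "ethernet1/6": {"type": "virtual-wire", "vwire": "vw1"},
        "ethernet1/7": {"type": "virtual-wire", "vwire": "vw2"},  # lone vwire port
        "management": {"type": "mgmt"},
        "ha1": {"type": "ha"},
    },
    "zones": {
        "Untrust": {"type": "layer3", "members": ["ethernet1/1"]},
        "Trust": {"type": "layer3", "members": ["ethernet1/2", "ethernet1/3"]},  # L2 in L3 zone
        "Tap-Zone": {"type": "tap", "members": ["ethernet1/4"]},
        "VW-Zone": {"type": "virtual-wire",
                    "members": ["ethernet1/5", "ethernet1/6", "ethernet1/7"]},
        "Bad-Zone": {"type": "layer3", "members": ["management", "ha1"]},
    },
    "security_rules": [
        {"name": "allow-out", "from": "Trust", "to": "Untrust", "action": "allow"},
        # No Tap-Zone -> Tap-Zone rule: mirrored traffic would not be matched/logged.
    ],
}

# A clean configuration for comparison (also constructed).
CLEAN_CONFIG = {
    "interfaces": {
        "ethernet1/1": {"type": "tap"},
        "ethernet1/2": {"type": "virtual-wire", "vwire": "vw1"},
        "ethernet1/3": {"type": "virtual-wire", "vwire": "vw1"},
    },
    "zones": {
        "Tap-Zone": {"type": "tap", "members": ["ethernet1/1"]},
        "VW-Zone": {"type": "virtual-wire", "members": ["ethernet1/2", "ethernet1/3"]},
    },
    "security_rules": [
        {"name": "tap-audit", "from": "Tap-Zone", "to": "Tap-Zone", "action": "allow"},
    ],
}


def check_config(cfg: dict) -> List[str]:
    """Return human-readable findings; an empty list means the config passes."""
    findings: List[str] = []
    interfaces = cfg["interfaces"]
    zones = cfg["zones"]
    rules = cfg["security_rules"]

    # Rule 1/2: zone and interface types must match; MGT/HA ports stay out of zones.
    for zname, zone in zones.items():
        for iface in zone["members"]:
            idef = interfaces.get(iface)
            if idef is None:
                findings.append(f"{zname}: member {iface} is not a defined interface")
            elif idef["type"] in ("mgmt", "ha"):
                findings.append(f"{zname}: {iface} is a MGT/HA port and cannot be assigned to a zone")
            elif idef["type"] != zone["type"]:
                findings.append(f"{zname}: {iface} is type {idef['type']} but the zone is type {zone['type']}")

    # Rule 3: a Layer 2 interface needs a VLAN, a Layer 3 interface a virtual router.
    for name, idef in interfaces.items():
        if idef["type"] == "layer2" and not idef.get("vlan"):
            findings.append(f"{name}: layer2 interface is not a member of any VLAN")
        if idef["type"] == "layer3" and not idef.get("virtual_router"):
            findings.append(f"{name}: layer3 interface is not in any virtual router")

    # Rule 4: a tap zone needs a tap-to-tap policy so the mirrored copy is matched and logged.
    for zname, zone in zones.items():
        if zone["type"] == "tap":
            if not any(r["from"] == zname and r["to"] == zname for r in rules):
                findings.append(f"{zname}: tap zone has no {zname}-to-{zname} security policy")

    # Rule 5: a virtual wire links exactly two ports.
    vwires: Dict[str, List[str]] = {}
    for name, idef in interfaces.items():
        if idef["type"] == "virtual-wire":
            vwires.setdefault(idef["vwire"], []).append(name)
    for vw, members in vwires.items():
        if len(members) != 2:
            findings.append(f"virtual wire {vw}: expected exactly 2 ports, found {len(members)}")

    return findings


if __name__ == "__main__":
    for f in check_config(SAMPLE_CONFIG):
        print("FINDING:", f)
    print("clean config findings:", check_config(CLEAN_CONFIG))
```

Running the script lists six findings for the constructed sample (the L2 interface in an L3 zone, the two MGT/HA ports, the L3 interface with no virtual router, the tap zone without a tap-to-tap rule, and the one-port virtual wire) and none for the clean configuration. The same checks are what you would walk through by hand before committing a zone change on a live box.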
All of the above is only theoretical discussion; keep an eye on the LAB portion, where we will show separate labs on each topic in detail.
Keep Learning, Keep Reading, and Keep Growing. IT & IP is the future.
Interview Questions:
- What are the zone types?
- What is firewall tap mode?
- What is a virtual wire pair?
- How do you migrate a firewall?
- What are the firewall migration steps?
- What types of interfaces belong in a Layer 3 zone?