It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda CloudGen Firewall

Bridging

  • Last updated on

A Layer 2 bridge checks the destination MAC address of each incoming frame. If the MAC address is assigned to the bridge computer, the frame is processed by it as the destination. If the MAC address is not assigned to the bridge computer, the network bridge notes the source address of the frame and the port on which the frame was received and either creates or refreshes an entry in a Layer 2 bridge table. The port is a number that identifies the network adapter and its corresponding LAN segment. Each entry in the Layer 2 bridge table consists of a MAC address, the port number corresponding to the LAN segment on which a frame from the MAC address was received, and a timeout value. Entries in the Layer 2 bridge table persist for 5 minutes before being removed.

Bridging Type Feature Comparison

To help you decide which method to use, the following table compares the features that are available for each bridging method:

Features

Transparent Layer 2 Bridging

Routed Layer 2 Bridging

Layer 3 Bridging

MAC Transparent

Yes Yes  No

Routing-Bridging-Forwarding

No Yes Yes

Local Firewall Traffic (Gateway)

No Yes Yes

Auto Learning of Network Nodes

Yes Yes No

Active Learning of Network Nodes

No Yes No

Next Hop Bridging

Yes Yes No

Broad-Multicast Propagation

Yes Yes Yes

High Availability

Yes Yes Yes

VLAN capable

Yes Yes Yes
IP and ARP Forwarding Yes Yes Yes
Non IP Protocols Forwarding No No No
IPv6 No No No
IPS Yes Yes Yes
Application Control
(Application Detection)
Yes Yes     Yes 
SSL Inspection No Yes - default route required   Yes - default route required
URL Filter Yes - default route required Yes - default route required Yes - default route required
Virus Scanning No Yes - default route required Yes - default route required
ATP No Yes - default route required Yes - default route required
Safe Search No Yes - default route required Yes - default route required
YouTube for Schools No Yes - default route required Yes - default route required
Google Accounts No Yes - default route required Yes - default route required
File Content Filtering
Yes Yes - default route required Yes - default route required
User Agent Filtering Yes Yes Yes
Custom Block Pages No Yes Yes

Bridging on VMware ESXi  

Before configuring a Layer 2 bridge on a virtual Barracuda CloudGen Firewall running on a VMware ESXi hypervisor, you must enable promiscuous mode for all network interfaces and vSwitches that are used by the bridge.

Security Weaknesses and Solutions

Because bridging heavily depends on broadcasts for establishing connectivity, this results in a few weak points that you must carefully consider. Try to implement bridging in a trusted environment. Broadcasts in huge environments also consume a lot of bandwidth. The CloudGen Firewall offers different methods to help prevent the following common attacks.

Preventing IP or ARP Spoofing over Layer 2 Bridges

Network nodes may use the IP addresses of fake ARP responses in order to fake network traffic with arbitrary IP addresses. Because firewall security is enforced on Layer 3, the security policy is bypassed. These issues can be solved by taking the following measures: 

  • Segment Access Control Lists (Bridging Interface ACLs)  Specify which IP addresses are allowed on a segment.
  • Static Bridge ARP Entries  Statically specify IP addresses, MAC addresses, and segments to avoid learning via ARP.
  • MAC-based Access Rules  Define source MAC conditions for network objects.
  • ARP Change Reporting  Specify which types of the IP-MAC-Segment relationship changes must be reported in the access cache and log.
Prevent Destination MAC Spoofing

Another security issue in bridged environments is the possible exploitation of security enforcement on Layer 3 and traffic delivery on Layer 2. You can prevent these issues by enforcing Layer 2 when a Layer 3 session is granted. MAC addresses for a session are fixed when the session is created and remain enforced until the session ends.

In the figure below, a client from LAN 1 tries to force a connection grant to a client in LAN 3. To do so, it sends a packet to the client in LAN 2 using MAC-A as a destination MAC address and 10.0.8.10 as the destination IP address. After the session has been granted through the bridge and communication has been allowed, it sends a second packet exchanging the MAC address for the client in LAN 2 with the MAC address for the client in LAN 3, leaving the IP address the same. If MAC enforcement is configured, the connection with the spoofed MAC address will not be allowed.

br_mac_spoofing.png