L2 service need firewall?

Started by fsck, October 01, 2015, 06:01:32 PM


deanwebb

Disaster recovery? That's a matter of enough ammunition in your weapon and enough fuel in your generator. All them fancy computers and what-not gonna be wiped out by an EMP.

Unless you buy my EMP-proofing solution for big $$$ :problem?:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Вопросы есть? Вопросов нет! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

fsck

I want to lab this to see how it works and learn it.  I think it will be good to see it in lab and understand the problem.  The piece I'm wondering about is how to mimic the 1Gbps link.  If I simply use the LAN interface on the router whether it's on ISR or ASR, and maybe adding some kind of overhead to show it as real world.  Not sure how to do that but I will look around.  Some people on team think it will work and others are skeptical.  I think a real world demonstration type lab would be best to show results.

Otanx

If you are familiar with Linux you can bridge two interfaces together, and use tc to generate some latency for the WAN link. I had to look this up for some testing we were going to do that then got shelved. So never got to try it, but it looks easy enough.

http://bencane.com/2012/07/16/tc-adding-simulated-network-latency-to-your-linux-server/

-Otanx

wintermute000

Just build a wanem box. Normal pc with two Nic cards, the appliance bridges them at a speed and latency and loss you want.
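Otanx's tc suggestion and the WANem box above are the same rig: a Linux host with two NICs bridged at layer 2 and netem on each NIC's egress to add rate, latency, jitter and loss. The script below is an added example (not from either poster, the linked article or the WANem project) that builds that rig for the 1Gbps link in the question; interface names, bridge name and the impairment figures are assumed lab values.

```shell
#!/bin/sh
# Added example: bridge two NICs into the WAN path and impair each NIC's
# egress with tc netem. All names and figures below are assumed lab defaults;
# override them via the environment (e.g. DELAY=40ms sh wanem.sh).
WAN_A="${WAN_A:-eth1}"      # NIC facing the site A router (assumed)
WAN_B="${WAN_B:-eth2}"      # NIC facing the site B router (assumed)
BRIDGE="${BRIDGE:-wanem0}"
RATE="${RATE:-1gbit}"       # the 1Gbps link being modelled
DELAY="${DELAY:-20ms}"      # one-way delay per direction (constructed value)
JITTER="${JITTER:-2ms}"     # constructed value
LOSS="${LOSS:-0.1%}"        # constructed value

# Print the ip(8) commands that join both NICs into one L2 bridge.
bridge_cmds() {
    printf 'ip link add name %s type bridge\n' "$BRIDGE"
    for nic in "$WAN_A" "$WAN_B"; do
        printf 'ip link set %s master %s\n' "$nic" "$BRIDGE"
        printf 'ip link set %s up\n' "$nic"
    done
    printf 'ip link set %s up\n' "$BRIDGE"
}

# Print the tc(8) command that impairs one NIC's egress. netem only acts on
# egress, so applying it on both NICs yields an RTT of roughly 2 x DELAY.
netem_cmd() {
    printf 'tc qdisc replace dev %s root netem rate %s delay %s %s loss %s\n' \
        "$1" "$RATE" "$DELAY" "$JITTER" "$LOSS"
}

# The whole plan as text, so it can be reviewed before it touches anything.
wanem_plan() {
    bridge_cmds
    netem_cmd "$WAN_A"
    netem_cmd "$WAN_B"
}

# Execute a plan read from stdin, stopping at the first failing command.
apply_plan() {
    sh -e
}

# Usage: sh wanem.sh        -> print the plan (dry run)
#        sh wanem.sh apply  -> apply it (needs root and the real NICs)
case "${1:-}" in
    apply) wanem_plan | apply_plan ;;
    *)     wanem_plan ;;
esac
```

Measure the result with ping and iperf across the bridge before trusting it; iperf will report the shaped rate only if the NICs and the host can actually forward 1Gbps.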

fsck

Thank you both Otanx and wintermute000! These will be very helpful!

fsck

Quote: Just because a link is layer 2 doesn't mean you can't stick routers on it (or better, stick a switch on it then split off VLANs to routers or as straight L2 segments depending on their requirement).

@ wintermute000
I was wondering if you could elaborate on this statement please.  I want to learn why sticking a switch is better.  I'm thinking it's because this is another layer of security and you add another layer in between.  Because you can nest the traffic might be a way of explaining it inside that VLAN, then maybe you would route only the traffic that is needed.  Am I correct in that statement?

icecream-guy

Quote from: fsck on January 14, 2016, 12:35:50 PM
Quote: Just because a link is layer 2 doesn't mean you can't stick routers on it (or better, stick a switch on it then split off VLANs to routers or as straight L2 segments depending on their requirement).

@ wintermute000
I was wondering if you could elaborate on this statement please.  I want to learn why sticking a switch is better.  I'm thinking it's because this is another layer of security and you add another layer in between.  Because you can nest the traffic might be a way of explaining it inside that VLAN, then maybe you would route only the traffic that is needed.  Am I correct in that statement?

a switch ain't no additional layer of security. more like a layer of insecurity.
:professorcat:

My Moral Fibers have been cut.

fsck

Quote from: ristau5741 on January 14, 2016, 01:39:57 PM
Quote from: fsck on January 14, 2016, 12:35:50 PM
Quote: Just because a link is layer 2 doesn't mean you can't stick routers on it (or better, stick a switch on it then split off VLANs to routers or as straight L2 segments depending on their requirement).

@ wintermute000
I was wondering if you could elaborate on this statement please.  I want to learn why sticking a switch is better.  I'm thinking it's because this is another layer of security and you add another layer in between.  Because you can nest the traffic might be a way of explaining it inside that VLAN, then maybe you would route only the traffic that is needed.  Am I correct in that statement?

a switch ain't no additional layer of security. more like a layer of insecurity.
I should not have said security in that sense, more like security by segregating the network.  I'm just trying to figure out why you would go down that path.

deanwebb

Network segregation is security if and only if there is something to prohibit or regulate traffic between segments. L2 security is useful if you don't want the security devices to be involved in the routing and switching decisions. That would be the case if one wanted high throughput on the line and running the security devices in L3 mode would slow them and the traffic down too much. L2 devices also, by their nature, do not reveal their presence to the traffic being inspected, so they make it more difficult for attackers to defeat security measures on the network.

wintermute000

I'm just referring to the flexibility of being able to run a trunk (or even q-in-q if you want to take it to the next level), then you can do different things per VLAN.
e.g. have one VLAN routing and another VLAN as pure layer 2.

that1guy15

I've had this discussion multiple times with a number of security people.

My last gig had a large 20-30+ site metro-e in each city. None of them used firewalls. No regulations in place that required encryption or security.

IMO it comes down to a business decision. What's the risk of not securing the traffic? If the business is fine with the risk then fine.
That1guy15
@that1guy_15
blog.movingonesandzeros.net

Reggle

Firewall at each site costs money. But so does a spreading worm. However, you can get smart with routing, e.g. only advertise subnets to other sites containing services, not end users. Only advertise the HQ with data center and set the firewall there.
Layer 2 or layer 3 WAN doesn't matter in the discussion I think. It's a trade-off: cost versus security versus manageability versus throughput (small firewalls mean small throughput).

deanwebb

Small, old firewall is REALLY small throughput. When the security guy shows up, you better hope he's got new gear, or you're going to have the slow.