
How to Use a Firewall Incorrectly? Put it in the Middle of the Network!

By Jason Howe | September 7, 2017 (updated September 16th, 2020) | Best Practices, Blog

The Function of a Router

Many times companies will try to use a firewall as a basic layer-3 (routing) device in the middle of their network. While there are some instances when this can provide a useful function, these companies should remember what a typical router or core switch does and what firewalls are used for. Firewalls are used for separating networks at the edge. Using a firewall as a router generally means using the wrong tool for the job.

Typically, layer-3 devices are there to segment networks and separate traffic: keeping workstation traffic away from voice/phone traffic, and keeping iSCSI storage traffic away from end-workstation broadcasts. But their main function is to provide connectivity, for example when voice traffic needs to reach a DHCP server, or when workstations need to manage an iSCSI controller. So layer-3 devices are there to provide connectivity between separate networks and VLANs.

Why a Firewall is not a Router

Firewalls have two main functions: block and hide. They block traffic by default and only allow certain traffic (that which has been specifically allowed) to flow across. The second function of a firewall is to hide the networks on one side from the other. This is done by Network Address Translation (NAT). NAT started out as an easy way to conserve limited IP address blocks, but it also hides the internal network topology from the outside.

Now, when you put a firewall in the middle of the network, you are blocking traffic, at least in one direction, and you are limiting visibility into that network. Almost every time this is done, it causes problems with network device management and troubleshooting. If you have a firewall between the workstations and the servers, there will be a NAT translation and the servers will not see the IP address of the workstation. Therefore, when there is a problem, you will not be able to narrow it down to the exact workstation as easily. Also, when traffic needs to be initiated in the reverse direction, it will often be blocked.

Additional Things to Consider

Also, most modern firewalls are layer-7, or application-layer, firewalls. They inspect the traffic payloads and make adjustments to the traffic. At the edge of the network, this can provide extra security. In the middle of the network, it can and will stop business-critical applications from working.

Can the limitations of a firewall in the middle of the network be overcome? Yes, but it requires more work. In some firewalls you can turn off NAT. In others you can set up a 1:1 NAT. But each of these takes more troubleshooting and testing. You can also open TCP and UDP holes going back in the reverse direction. Once again, it just takes more configuration and work. You can also use a wrench to hammer in a nail, but using the proper tool for the job makes it much easier.
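The visibility and reverse-direction problems described above (a NAT hiding the workstation's address, default-deny blocking connections initiated from the server side) and the workarounds in this section (turning NAT off, a 1:1 NAT, opening holes in the reverse direction) can be seen side by side in a small model. The following Python is an added example written for this page, not the author's or PEI's code. The firewall is a simplified stateful model rather than any real product, and the workstation network 10.10.0.0/16, the server at 10.20.0.5, the firewall's outside address 10.20.0.1, the 1:1 mapping to 10.20.5.25 and the ports used are all constructed for the illustration.

```python
from dataclasses import dataclass, replace
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    sport: int
    dport: int


class Router:
    """Plain layer-3 forwarder: addresses are left untouched in both directions."""

    def forward(self, pkt):
        return pkt


class Firewall:
    """Simplified stateful firewall: default-deny toward the inside, optional NAT on the way out."""

    def __init__(self, inside_net, outside_addr, nat="masquerade",
                 static_map=None, allow_inbound=()):
        self.inside = ipaddress.ip_network(inside_net)
        self.outside_addr = outside_addr
        self.nat = nat                               # "masquerade", "static" (1:1) or "none"
        self.static_map = dict(static_map or {})     # inside ip -> outside ip for 1:1 NAT
        self.reverse_map = {v: k for k, v in self.static_map.items()}
        self.allow_inbound = set(allow_inbound)      # (proto, dport) holes opened outside -> inside
        self.conntrack = {}                          # translated 5-tuple -> original inside packet
        self.next_port = 40000                       # port pool used when masquerading

    def forward(self, pkt):
        if ipaddress.ip_address(pkt.src) in self.inside:
            return self._outbound(pkt)
        return self._inbound(pkt)

    def _outbound(self, pkt):
        # inside -> outside is permitted; the configured NAT rewrites the source
        if self.nat == "masquerade":
            out = replace(pkt, src=self.outside_addr, sport=self.next_port)
            self.next_port += 1
        elif self.nat == "static":
            out = replace(pkt, src=self.static_map[pkt.src])
        else:
            out = pkt
        # remember the translated flow so that replies can be matched and un-NATed
        self.conntrack[(out.proto, out.src, out.sport, out.dst, out.dport)] = pkt
        return out

    def _inbound(self, pkt):
        # replies to a tracked flow pass and are translated back to the real host
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.conntrack:
            orig = self.conntrack[key]
            return replace(pkt, dst=orig.src, dport=orig.sport)
        # anything else is a new connection from the outside: default-deny unless a hole exists
        if (pkt.proto, pkt.dport) not in self.allow_inbound:
            return None
        if self.nat == "masquerade":
            return None   # one shared outside address: nothing says which inside host is meant
        if self.nat == "static":
            real = self.reverse_map.get(pkt.dst)
            return replace(pkt, dst=real) if real else None
        return pkt        # no NAT: the outside already addressed the real host


WORKSTATION = "10.10.1.25"   # constructed addresses
SERVER = "10.20.0.5"


def scenario(device):
    """Return (address the server sees, reply reaches workstation, server-initiated session reaches workstation)."""
    seen = device.forward(Packet(WORKSTATION, SERVER, "tcp", 51000, 445))
    if seen is None:
        return None, False, False
    # the server answers to whatever source address it observed
    reply = device.forward(Packet(SERVER, seen.src, "tcp", 445, seen.sport))
    # later the server tries to open a management session (port 5985) toward that address
    mgmt = device.forward(Packet(SERVER, seen.src, "tcp", 50001, 5985))
    return (seen.src,
            reply is not None and reply.dst == WORKSTATION,
            mgmt is not None and mgmt.dst == WORKSTATION)


def run_all():
    fw = lambda **kw: Firewall("10.10.0.0/16", "10.20.0.1", **kw)
    return {
        "router": scenario(Router()),
        "fw_masquerade": scenario(fw()),
        "fw_no_nat": scenario(fw(nat="none")),
        "fw_static_1to1": scenario(fw(nat="static", static_map={WORKSTATION: "10.20.5.25"},
                                      allow_inbound={("tcp", 5985)})),
        "fw_no_nat_with_hole": scenario(fw(nat="none", allow_inbound={("tcp", 5985)})),
    }


if __name__ == "__main__":
    for name, (seen, reply_ok, mgmt_ok) in run_all().items():
        print(f"{name:22} server sees {seen:12} reply={reply_ok} server-initiated={mgmt_ok}")
```

The router case keeps the workstation address visible and lets the server open a session back. With masquerading, the server only ever sees the firewall's outside address and its management attempt is dropped, which is the troubleshooting problem the post describes. Turning NAT off restores visibility but not the reverse direction; a 1:1 NAT gives each workstation a distinct mapped address that can be traced back through the map; and only once a hole for the reverse direction is added does the server-initiated session get through. Each extra step is configuration the router never needed.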

Jason Howe, PEI
