Overview

The UTM-1 appliance enables you to connect multiple network segments at the data-link layer, by configuring a bridge. Bridges offer the following advantages:

• Easy network segmentation

  Bridges can be used to compartmentalize an existing network into several security zones, without changing the IP addressing scheme or the routers' configuration.

  Ordinarily, if you need to deploy a firewall within an internal network, you can divide the existing subnet into two networks and configure a new routing scheme. However, in some deployments, the amount of network reconfiguration required prohibits such a solution. Adding a bridge not only allows you to segment your network quickly and easily, but it allows you to choose whether to enable the firewall between network segments.

  If you enable the firewall between bridged network segments, the gateway operates as a regular firewall between network segments, inspecting traffic and dropping or blocking unauthorized or unsafe traffic. In contrast, if you disable the firewall between bridged network segments, all network interfaces assigned to the bridge are connected directly, with no firewall filtering the traffic between them. The network interfaces operate as if they were connected by a hub or switch.

Bridge with Four VLANs

For example, if you assign the LAN and primary WLAN networks to a bridge and disable the bridge's internal firewall, the two networks will act as a single, seamless network, and only traffic from the LAN and primary WLAN networks to other networks (for example, the Internet) will be inspected by the firewall. If you enable the internal firewall, it will enforce security rules and inspect traffic between the LAN and primary WLAN networks.

Bridge Firewalling

• Transparent roaming

  In a routed network, if a host is physically moved from one network area to another, then the host must be configured with a new IP address. However, in a bridged network, there is no need to reconfigure the host, and work can continue with minimal interruption.

The UTM-1 appliance allows you to configure anti-spoofing for bridged network segments. When anti-spoofing is configured for a segment, only IP addresses within a specific IP address range can be sent from that network segment. For example, if you configure anti-spoofing for the “Marketing” network segment, the following things happens:

• If a host with an IP address outside of the allowed IP address range tries to connect from a port or VLAN that belongs to the “Marketing” network segment, the connection will be blocked and logged as “Spoofed IP”.
• If a host with an IP address within the bridge IP address range tries to connect from a port or VLAN that belongs to a network segment other than the “Marketing” segment, the connection will be blocked and logged as “Spoofed IP”.