Operating mode between interfaces
How interfaces on the firewall interact can be configured according to three different modes:
- Advanced mode (Router)
- Bridge mode (or transparent mode)
- Hybrid mode
In advanced mode: each interface has a different IP address and the network that has been assigned to it is in the same address class. This enables the configuration of translation rules for accessing other zones in the firewall.
With this configuration mode, the Firewall operates like a router between its different interfaces.
This involves certain IP address changes on the routers or servers when you move them to a different network (behind a different interface of the Firewall).
The advantages of this mode are:
- possibility of address translation from one address class to another.
- only traffic passing from one interface to another passes through the firewall (internal network to the internet, for example). This considerably lightens the firewall’s load and returns better response times.
- better distinction between the different elements belonging to each zone (internal, external and DMZ). The distinction is made by the different IP addresses for each zone. This enables a clearer view of the separations and the configuration to be applied on these elements.
Bridge mode or transparent mode
In transparent (bridge) mode: interfaces are part of the address range declared on the bridge.
The transparent or "bridge" mode, allows keeping the same address range between interfaces.
It simulates a filtering bridge: in other words, all the network traffic crosses it.
However, you can subsequently filter traffic across by using interface objects or address ranges according to your needs and therefore protect any part of your network.
There are many advantages to this mode:
- ease of integration of the product since there is no change in the configuration of client workstations (default router, static routes, etc.) and no change in IP address on your network.
- compatibility with IPX (Novell network), Netbios in Netbeui, Appletalk or IPv6.
- no address translation, therefore time-saving as far as firewall packet treatment is concerned.
This mode is therefore recommended between the external zone and the DMZ. It allows keeping a public address range on the firewall’s external zone and on the DMZ’s public servers.
In hybrid mode: some interfaces have the same IP address and others have a distinct address.
The hybrid mode uses a combination of both modes mentioned earlier. This mode may only be used with Stormshield Network products having more than two network interfaces. You may define several interfaces in transparent mode
Internal zone and DMZ (or external zone and DMZ) and certain interfaces in a different address range. As such, you have greater flexibility when integrating the product.
Link aggregation (LACP) – SN510, SN710, SN910, SN2000, SN3000 and SN6000
The LACP (IEEE 802.3ad - Link Aggregation Control Protocol) or Aggregation of links allows improving the appliance’s bandwidth while maintaining a high level of availability (link redundancy).
Several physical ports on an appliance can be grouped together to be considered a single logical interface. Therefore, by aggregating x links, it will be possible to set up a link of x times 1 Gbps or 10 Gbps between two appliances.
This feature is only available on SN510, SN710, SN910, SN2000, SN3000 and SN6000 models.
Ensure that the remote appliances are using LACP.
The choice of a mode is made only where network interface configuration is concerned. The configuration of the firewall is then the same for all modes.
Security-wise, all operating modes are equal. The same things are filtered and attack detection is identical.