Showing results for 
Search instead for 
Did you mean: 

Switch versus firewall security - I'm not sold... Thoughts?

Switch versus firewall security - I'm not sold... Thoughts?

New Contributor III
I have a client who recently implemented a managed security platform which places a sensor inline with LAN traffic in order to inspect for threats. The sensors are not able to keep up with all traffic on the LAN and so the suggestion is to move our core routing off of the firewall to the core switch, then capture only north/south traffic from the switch to the firewall for Internet bound traffic.

To me, it's much harder and less secure (although maybe quicker) to implement ACL's on the switch based VR to manage all of the inside VLAN security (guest wireless to internet only, conference rooms to internet only, private wireless to LAN or internet, etc.). I like having application layer filtering between VLAN's, the ability to inspect for threat signatures, etc. I also like being able to look at a common set of rules (same language / platform) to avoid "missing" something when security is split up like this.

My dilemma? I can set up basic ACL's for the trusted networks and keep all of the untrusted networks directly into the firewall, but then I defeat the purpose of the sensor (not really getting a full picture of the network threats). My other option is to add another firewall outside my current one just handle internet/VPN (I'd watch the traffic between the two via the sensor). I think many would just use a router on the outside, but again I'm looking for consistent security/policy management. I'm good with arguments on both sides of that topic.

My question - am I off-base on my concerns over trying to have a switch act as a firewall, even though it's arguably a better/faster "router" in this example? I'll add the first part of the visio I'm working on that led me to these concerns. The biggest issue is the number of items on the left- hand side still connected directly to the firewall and therefore they'd not cross the inspected V90 VLAN (north/south traffic).

This is a relatively small network (about 400 stations in total between 2 sites + DR). We're adding L2 circuits between main sites too, so this played into my desire to route there via the switch. We had some issues with ICMP redirects when having the firewall route devices back through those circuits via the remote IP as a gateway.

Over thinking this? Many of these clients started off smaller with only a single firewall (as opposed to dual with a DMZ and or separate N/S VLAN). As they grow I always consider the benefits of going with dual firewalls, but is the switch a better alternative that I'm just not as comfortable with? I appreciate your thoughts and opinions!



New Contributor III
Thanks for the feedback Erik. I agree and appreciate the perspective. Trying more to determine the true limits of switch-based routing vs. firewall based routing at the core. My sense is that while I can drop known bad traffic with ACL's, I may want application layer inspection still for the stuff we miss (essentially using the firewall as that security team as it's intended). Thanks again!

Contributor II
Hi Eric,

I would use ACLs (or similar) on switches to deny traffic that is obviously not wanted.

I do not think that it helps in practice to have all unsuccessful attacks mixed with honest mistakes seen by a sensor, because there is no need for a human to see the denied traffic, and no need for an IPS to drop what was dropped at the switch already. I do not think it is useful to have an IDS see all attacks from the outside either, especially not from the Internet, unless you have a dedicated security team that is tasked to learn about new attacks, since most attacks, including most of the new ones, will be filtered out by a basic stateful firewall (think of all those botnets scanning the Internet all the time).

Do you really need to understand what threats guests unwittingly bring with them, or does it suffice to isolate them from your internal network and possibly from each other?

I do not have easy solutions for your question, but want to try to provide a different perspective.


New Contributor III
Thanks Tomasz. I'm still feeling like the addition of another firewall might be the simplest solution, as the N/S is pretty easily dealt with using a single sensor versus trying to mirror all of the VLAN's to it as we do in the current state. There's a secondary goal to bypass the firewall on the VoIP subnets, but since they're mostly isolated it might be easy enough to keep them setup differently and minimize the amount of change needed to support the requirements. Thanks again for the thoughtful response!

Valued Contributor II
Hi Eric,

I believe for couple of quarters (years?) application-based filtering might not be possible on switches, until they get enough resources to do DPI on their own.
Thus, if you want per-app filtering in your network, you might stay with firewall, or even maybe inter-area firewalls (like for DMZ). Or buy more those sensors, simply, if security concerns are high.
OTOH, if it is sufficient (yet less aesthetic) to filter out traffic between VLANs or users inside a VLAN based on ports and subnets (because e.g. you know that some app to be blocked uses some known UDP ports), you're good to go with ACLs.
And even with a nice core firewall for app control, such policies (XMC+XOS for high convenience and automation, but less capability compared to ACLs at the moment) are nice to have as then you can limit bad things that could crawl between devices within a single VLAN (block all ports on VLAN, enable just 25, 80, 443 etc; will WannaCry get spread over VLAN? nope; will user's FileZilla with vulnerabilities be used by an attacker for exploitation of the device, network and critical resources then? nope; will it be still possible to kick in via those basic ports? yes, always, so consider some generic exploit blocking instead of signature-based endpoint protection, and good endpoint backup platform as a last resort).

Just brief thought on this, hope this can drive some more discussion on the topic.

Kind regards,