Abstract - Technical Program - NETA 99

Tricks You Can Do if Your Firewall Is a Bridge

Thomas A. Limoncelli, Lucent Technologies, Bell Labs


Firewalls that forward packets like a bridge, rather than as a router, have many operational benefits. By decoupling routing from filtering, the firewall becomes a pure filter, unburdened by routing tables or interface configuration. The result is increased flexibility. This paper explores some of the benefits we have found. Most of them stem from the fact that a bridged firewall requires fewer transit subnets; sometimes transit subnets are eliminated entirely. Such a firewall can be placed between any two network devices and act like a line filter without any change to the logical routing of the network, and it is easy to put one in series with another firewall for testing. Our examples include replacing an old firewall with a new one, moving a firewall from one router to another with zero downtime, firewalling off an individual office or lab, and others. In many cases topology changes are made without service interruptions, and the operational procedures become much simpler. The paper also suggests future directions for research in this area.


Last changed: 21 Mar 2002 ml