Firewall as the Core Part 1

In the enterprise networking world the firewall has always been a tool that lets the engineer securely provide access to the internet or segment off a section of the network. It has always been something attached on the side, away from the core network infrastructure. That is not to say it is not core infrastructure, it definitely is, but it is not the center of network activity. The mantra has always been: let routers route, switches switch and firewalls firewall. It has also been understandable why you would not want something like a firewall handling your BGP peering at your edge; it just did not have the feature set or the true capability to do that… well, at least old firewalls did not.

Enter the modern networking world, where cyber security is quickly becoming the number one priority for enterprise networks. Threats can come not only from the internet but from within the enterprise network itself. A sobering example is the 2020 SolarWinds Orion supply-chain compromise (the SUNBURST backdoor). Malicious actors gained access to the build process for SolarWinds Orion, allowing them to insert highly sophisticated code that would check what environment it was running in, gather information, and then call home. This trojanized software was then downloaded, unknowingly, by SolarWinds Orion customers as a legitimately signed update and deployed in their networks. (CVE-2020-10148, an authentication bypass in the Orion API, is a separate vulnerability in the same product disclosed in the same period; it was not the mechanism of the supply-chain compromise.) The backdoor gave the malicious actors a foothold with broad reach into core networking infrastructure and key servers, because the server Orion was deployed on needed credentials for, and access to, the entire environment it was intended to monitor.

The SolarWinds attack highlights a key weakness in the historical network mantra: once an attack gets past your firewall, or begins behind it, it has more or less complete and open access to everything inside your network, in other words unrestricted lateral movement. As network engineers we need to secure against this lateral movement within the network. This can only be done effectively by promoting the firewall from its sideline duties of firewalling internet access or small segmentation zones to being the core router in the network. No longer should we be using routers or layer 3 switches as our core routers. All core layer 3 functions should be handled by firewalls, no exception.

Promoting the firewall to your core router presents some challenges, namely:

  1. Firewalls have historically had poor network throughput, placing a cap on the total traffic that can pass through them
  2. Traditional high-availability firewall configurations do not suit a firewall acting as the core router
  3. It is difficult to build correct, tight firewall rules when the services on the network are mostly unknown, so engineers, unwilling to risk an outage from a blocked traffic flow, end up putting a permit ip any any at the bottom, which defeats the entire purpose of the firewall
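Point 3 is the one that most often sinks a firewall-as-core project, and the usual way out is to discover the flows before you lock them down: run a temporary permit-and-log rule (or pull NetFlow/IPFIX from the core), mine the records into explicit permits, and end the policy with a logging deny rather than a permit-any. The script below is an added illustration for this post, not the author's tooling; the flow record format, the /24 source summarisation, the two-flow threshold and the Cisco-style ACL text are all assumptions made here, and the sample records are constructed.

```python
"""Mine permit-and-log flow records into candidate firewall rules.

Added illustration for this post, not the author's tooling. The record
format, thresholds and the Cisco-style ACL text are assumptions made here;
the point is to replace "permit ip any any" with rules built from observed
traffic and a logging deny at the bottom.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample of flow records (as exported from a temporary
# "permit any any log" rule or a NetFlow collector). Not real traffic.
SAMPLE_FLOWS = """src,dst,proto,dport,bytes
10.10.1.25,10.20.5.10,tcp,445,18234
10.10.1.26,10.20.5.10,tcp,445,9920
10.10.1.25,10.20.5.11,tcp,1433,44000
10.10.1.27,10.20.5.11,tcp,1433,38120
10.10.2.14,10.20.5.11,tcp,1433,120
10.10.1.25,10.20.5.20,udp,161,320
10.10.1.30,10.20.5.20,udp,161,300
10.10.1.31,10.20.5.20,udp,161,290
10.10.2.14,10.20.5.20,tcp,22,5600
10.10.3.9,10.20.5.10,tcp,3389,80000
"""

Service = Tuple[str, str, int]     # (dst, proto, dport)
SubnetKey = Tuple[Service, str]    # (service, source subnet as "a.b.c.0/24")


def parse_flows(text: str) -> List[dict]:
    """Read CSV flow records and cast the numeric fields."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["dport"] = int(row["dport"])
        row["bytes"] = int(row["bytes"])
        rows.append(row)
    return rows


def group_flows(flows: List[dict], prefix: int = 24) -> Dict[SubnetKey, dict]:
    """Aggregate flows by destination service and source subnet.

    Summarising sources to a prefix (assumed /24 here) keeps the rule count
    manageable; host-level rules would be exact but unmaintainable.
    """
    groups: Dict[SubnetKey, dict] = defaultdict(
        lambda: {"flows": 0, "bytes": 0, "sources": set()})
    for f in flows:
        net = ipaddress.ip_network(f"{f['src']}/{prefix}", strict=False)
        key = ((f["dst"], f["proto"], f["dport"]), str(net))
        g = groups[key]
        g["flows"] += 1
        g["bytes"] += f["bytes"]
        g["sources"].add(f["src"])
    return groups


def acl_line(service: Service, subnet: str) -> str:
    """Render one permit in Cisco-style extended ACL syntax (illustrative)."""
    dst, proto, dport = service
    net = ipaddress.ip_network(subnet)
    return f"permit {proto} {net.network_address} {net.hostmask} host {dst} eq {dport}"


def build_policy(flows: List[dict], min_flows: int = 2) -> Tuple[List[str], List[str]]:
    """Return (acl_lines, needs_review).

    A service seen at least min_flows times from a subnet becomes an explicit
    permit. Anything seen less often is NOT permitted automatically; it is
    listed for a human to confirm, so a single scan or a one-off admin session
    does not get baked into policy. The ACL ends with a logging deny, never a
    permit-any, so unknown flows show up in the logs instead of passing.
    """
    rules, review = [], []
    for (service, subnet), g in sorted(group_flows(flows).items()):
        if g["flows"] >= min_flows:
            rules.append(acl_line(service, subnet))
        else:
            dst, proto, dport = service
            review.append(
                f"{proto}/{dport} to {dst} from {sorted(g['sources'])} "
                f"({g['flows']} flow, {g['bytes']} bytes)")
    rules.append("deny ip any any log")
    return rules, review


if __name__ == "__main__":
    acl, todo = build_policy(parse_flows(SAMPLE_FLOWS))
    print("\n".join(acl))
    print("\nReview before permitting:")
    print("\n".join(todo))
```

On the constructed records this yields three explicit permits plus a `deny ip any any log` tail. The three single-observation flows (RDP to the file server, a 120-byte SQL probe, one SSH session) land in the review list rather than in the ACL, which is exactly the class of traffic a blanket permit at the bottom would have silently legitimised.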

In my next post I’ll talk about the details associated with these 3 points and how we can overcome them.