06-19-2026 07:04 AM - edited 06-19-2026 07:55 AM
Understanding Cisco Secure Firewall Deployment Modes
Introduction
Routed Mode
Transparent Mode
Inline Pair Mode
Inline Pair with tap Interface Mode
Passive Interface Mode
ERSPAN Interface Mode
Introduction:
In Cisco Secure Firewall (formerly Firepower Threat Defense / FTD), deployment modes define how the device is introduced into the network architecture. These modes determine whether the firewall acts as a traditional router, a stealthy network bridge, or a pure "bump-in-the-wire" security sensor.
Cisco Secure Firewall devices can be configured in routed and transparent mode, just like the Cisco ASA devices.
Routed Mode:
Traditionally, network firewalls have been deployed to filter traffic passing through them. These firewalls usually examine the upper-layer headers (Layer 3 and above) and the data payload of each packet. The packets are then either allowed or dropped based on the configured access control lists (ACLs).
These firewalls, commonly referred to as routed firewalls, segregate protected networks from unprotected ones by acting as an extra hop in the network design. They route packets from one IP subnet to another by using the Layer 3 routing table. In most cases, these firewalls also translate addresses to hide the original IP addressing scheme used in the network.
Transparent Mode:
Layer 3 firewalls require a new network segment to be created when they are inserted into a network, which requires quite a bit of planning, network downtime, and reconfiguration of network devices. To avoid these issues, stealth or transparent firewalls were developed to provide LAN-based protection.
You can place a transparent firewall between the LAN and the next-hop Layer 3 device (usually a router) without having to readdress the network devices. By using transparent firewalls (also known as Layer 2 firewalls or stealth firewalls), you can optionally inspect Layer 2 traffic and filter unwanted traffic.
Cisco Secure Firewall devices can also operate as Next-Generation Intrusion Prevention System (NGIPS) devices on selected interfaces. This is called IPS-only mode. Typically, you deploy IPS-only interfaces when a separate firewall already protects those segments and you do not want the overhead of firewall functions.
The Cisco Secure Firewall interface operating in IPS-only mode can be configured as:
Inline Pair Mode:
Inline mode is used for both intrusion detection and prevention. In inline mode (IPS mode), the Cisco Secure Firewall (formerly known as FTD) is physically inserted into the traffic path, so all traffic is forwarded through the Firepower IPS device. For example, the Firepower device can be inserted physically between the Data Center and the Enterprise Core, or between the Enterprise Core and the WAN Edge.
Two of the interfaces of the device are used in an inline pair for traffic to enter and exit the device after being inspected. Based on the configured policies, traffic can be dropped, allowed, or reset.
Difference between Inline mode and Transparent mode
In inline mode, each inline pair consists of exactly two interfaces. Whatever is received on one interface is forwarded out the other interface after inspection, without MAC switching or IP routing. It behaves like a wire with an inspection module in between. Inline mode is used when the Firepower device is deployed as an IPS-only device, in which most firewall services are not applied.
Transparent mode, on the other hand, is used when the Firepower device provides firewall services and can act as an IPS device at the same time.
Inline Pair with tap Interface Mode:
You can also configure an inline pair with a “tap,” where you have two physical interfaces internally bridged. A few firewall engine checks are applied along with full Snort engine checks to a copy of the actual traffic.
As soon as a packet enters the first interface of the inline pair, the firewall immediately makes a copy of the packet. The original packet is instantly forwarded out the second interface and continues on its way to its destination; it does not wait for inspection.
The copied packet is sent to the firewall's inspection engines (Snort, malware, URL filtering). The firewall analyzes the copy against your configured policies. If it detects a threat, it generates an intrusion event, log, or alert. However, because the original packet has already left the firewall, it cannot drop or block the connection.
Passive Interface Mode:
Passive Mode (Monitoring mode) places the firewall completely out-of-band. Instead of traffic flowing through the firewall, the firewall sits on the sidelines and receives a mirrored copy of the network traffic. It is usually connected to a switch’s span port or a mirrored port.
A core switch is configured to mirror all traffic traversing specific VLANs or ports and send that mirrored copy to a designated destination port. The copied traffic enters the Cisco Secure Firewall interface functioning as a "passive" interface. A passive interface is strictly limited to receiving traffic; it never transmits. The firewall runs the copied traffic through its Snort inspection engines, malware analysis, and policies. If a malicious payload is detected, it logs the event and generates an alert.
ERSPAN Interface Mode:
In a Cisco Secure Firewall deployment, ERSPAN (Encapsulated Remote Switched Port Analyzer) mode is an advanced variation of Passive Mode.
While standard Passive mode requires the firewall to be physically close to the monitored switch (connected via a local SPAN cable), ERSPAN allows the firewall to monitor traffic from switches located anywhere in your enterprise, even across Layer 3 boundaries, routers, or WAN links.
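To show what actually arrives on an ERSPAN interface, here is an added example (not part of the original post and not Cisco code) that strips the GRE and ERSPAN Type II encapsulation from a constructed sample packet and recovers the mirrored Ethernet frame the inspection engines would then examine. The sample bytes, session ID, VLAN and sequence number are all constructed for the demonstration.

```python
import struct
from dataclasses import dataclass

GRE_PROTO_ERSPAN_II = 0x88BE  # GRE protocol type carrying ERSPAN Type II
GRE_FLAG_CHECKSUM = 0x8000    # C bit: 4 bytes of checksum/reserved follow
GRE_FLAG_KEY = 0x2000         # K bit: 4-byte key follows
GRE_FLAG_SEQ = 0x1000         # S bit: 4-byte sequence number follows

@dataclass
class ErspanFrame:
    session_id: int    # ERSPAN session configured on the source switch
    vlan: int          # VLAN the frame was mirrored from
    seq: int           # GRE sequence number (detects lost mirror packets)
    inner_frame: bytes # the original Ethernet frame handed to inspection

def decap_erspan(payload: bytes) -> ErspanFrame:
    """Parse the GRE + ERSPAN Type II headers that follow the outer IP header."""
    if len(payload) < 4:
        raise ValueError("truncated GRE header")
    flags, proto = struct.unpack("!HH", payload[:4])
    if proto != GRE_PROTO_ERSPAN_II:
        raise ValueError(f"not ERSPAN Type II (GRE proto 0x{proto:04x})")
    off = 4
    if flags & GRE_FLAG_CHECKSUM:
        off += 4
    if flags & GRE_FLAG_KEY:
        off += 4
    seq = 0
    if flags & GRE_FLAG_SEQ:
        seq = struct.unpack("!I", payload[off:off + 4])[0]
        off += 4
    if len(payload) < off + 8:
        raise ValueError("truncated ERSPAN header")
    # ERSPAN Type II: ver(4) vlan(12) | cos(3) en(2) t(1) session(10) | rsvd(12) index(20)
    word1, _word2 = struct.unpack("!II", payload[off:off + 8])
    if word1 >> 28 != 1:
        raise ValueError(f"unexpected ERSPAN version {word1 >> 28}")
    vlan = (word1 >> 16) & 0x0FFF
    session_id = word1 & 0x03FF
    return ErspanFrame(session_id, vlan, seq, payload[off + 8:])

# Constructed sample: a mirrored Ethernet frame (dst MAC, src MAC, IPv4 ethertype,
# dummy IPv4 header) wrapped in GRE (S bit set, seq 42) and ERSPAN session 7, VLAN 100.
SAMPLE_INNER_FRAME = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") \
    + b"\x08\x00" + b"\x45" + b"\x00" * 19
SAMPLE_ERSPAN = (struct.pack("!HHI", GRE_FLAG_SEQ, GRE_PROTO_ERSPAN_II, 42)
                 + struct.pack("!II", (1 << 28) | (100 << 16) | 7, 0)
                 + SAMPLE_INNER_FRAME)
```

In production the outer IP/GRE packet is delivered to the ERSPAN interface by the source switch across the routed network; only the recovered inner frame is what the Snort engine sees.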
When you deploy Cisco Secure Firewall as an NGIPS (IPS-only), only inline pair mode performs both intrusion detection and prevention; the other modes (inline pair with tap, passive interface, and ERSPAN interface) perform intrusion detection only.
Thank you..!