| certifications | security - Team Nuggets
9 Network Interface Types that Every Network Security Engineer Should Know
When configuring firewalls it's crucial to configure network interfaces where you can filter inbound and outbound traffic. A network interface is a point of interaction between a device and a private or public network.
The network interface can be physical or logical, whereas the physical interface can be a network interface card (NIC) and sends and receives traffic at different transmission rates. A logical interface can be a virtual local area network (VLAN) interface, tunnel interface, and loopback interface but set up after the physical interface.
In this post, we'll discuss nine network interfaces that are covered in Section 1.3 of PCNSE Blueprint. These interfaces can be configured on the Palo Alto Firewall to help network security engineers to secure their networks.
Types of Interfaces
Palo Alto Networks firewalls support nine different network interface types such as Layer 2, Layer 3, Virtual Wire (vWire), TAP, vWire sub-interface, tunnel, aggregate, loopback, and decrypt mirror interfaces, and configuration of these interfaces depend on the functional requirements of the infrastructure. We'll briefly discuss here the functionality of each interface.
Layer 2 Interface
Palo Alto firewalls can switch between two or more networks through VLAN in a single broadcast domain. Devices are connected to a Layer 2 segment and frames are forwarded to the appropriate port using the MAC address identified in the frame. A Layer 2 interface is configured when switching is required in the network.
Layer 2 interfaces can be configured as:
- Without VLAN where hosts are geographically close enough to each other
- With VLAN to keep policies and traffic separate for different departments and divide a layer 2 segment into different broadcast domains
- Manage Per-VLAN Spanning Tree where firewall rewrites the inbound Port VLAN ID in a Cisco per-VLAN spanning tree and allows Palo Alto firewall to correctly tag Cisco PVST+ frames in VLANs
Layer 3 Interface
Palo Alto routes traffic among multiple ports using IP addresses. With a Palo Alto firewall, a virtual router must be configured before configuring a Layer 3 interface.
Layer 3 interface requires more network planning and configurations than other network interfaces of the firewall. At the Layer 3 interface, it is configured with IPv4/IPv6, zone name, and the attached virtual router, and the Palo Alto firewall will examine and control traffic and leverage the following connectivity requirements:
- Integration of NetFlow
- MTU and MSS adjustment
- Assignment of manual MAC address
- Neighbor Discovery for IPv6 and link negotiation settings
- LLDP enablement and dynamic DNS support
Configuring a virtual wire or vWire interface, two interfaces are bounded together transparently on a network segment and referred to a bump in a wire where no MAC and IP address are assigned to the vWire interface. It allows or blocks the traffic based on VLAN tags and supports several features such as QoS, zone protection, security policy rules, active/active and active/passive HA, DoS protection, NAT, etc.
It simplifies the installation and configuration process of the firewall into existing network topology without redesigning the network, assigning MAC and IP addresses to the network interfaces. Each vWire interface is directly connected to Layer 2 and Layer 3 interfaces and receives frames and packets without network addresses.
A network tap provides a way of accessing data that flows across a computer network and allows network security engineers to monitor network traffic using a switch SPAN or mirror port. The mirror port eagles the copying of one-way traffic from ports to the TAP interface to analyze any threat in the network.
It also allows the Palo Alto firewall to detect network threats and take preventive measures against them. When the firewall is deployed in a TAP mode, it detects the threats, however, traffic doesn’t run through the firewall.
A tunnel interface is a logical interface that is used to send/receive traffic between two endpoints in a secure or encrypted way where each end, a proxy ID is configured to form an IPSec tunnel and said tunnel interface should be a part of a security zone to apply security policies, and assigned to a virtual router and ensure that the physical interface and the tunnel interface are assigned to the same virtual router to ensure that the firewall is using an appropriate tunnel.
A Layer 3 interface that is attached to the tunnel interface normally belongs to an external zone. A separate zone can be created for a tunnel interface for better security and visibility. If a separate zone such as a VPN zone is created for a tunnel interface, a network security engineer will be required to create security policies for allowing traffic between the trust zone and a VPN zone.
A tunnel interface can be created without an IP address and it is only required if you enable tunnel monitoring or dynamic routing protocol to route traffic across the tunnel, and the IP address is served as a next-hop address.
vWire sub-interfaces are used to separate network traffic into network zones, and when the network traffic is managed from multiple networks, vWire sub-interfaces offer more flexibility to apply security policies. vWire sub-interfaces classify network traffic into different network zones with the help of VLAN tags.
An aggregate interface is a Palo Alto firewall interface that is created by combining multiple ethernet interfaces to form a single virtual interface. It uses IEEE 802.1AX link aggregation to connect to another network device or a firewall. An aggregate interface increases the bandwidth, provides redundancy, and perform load balancing while combining the ethernet interfaces
The automatic failure detection of the network interface is done by default at the physical layer between directly connected peers. However, if LACP is enabled, the automatic failure will be detected at both the data link layer and physical layer whether the peers are directly connected or not. Palo Alto firewalls can add up to eight aggregate groups where each aggregate group will have eight interfaces.
The loopback interface is a virtual interface that is used on Layer 3 interfaces to connect a virtual router in the Palo Alto firewall and is also used for many purposes. You can configure a loopback interface with an IP address and a security zone in the same subnet as one of the Layer 3 interfaces of the firewall to host different services such as captive portal, management profile, and GlobalProtect on a different IP address.
Decrypt Mirror Interface
The decrypt mirror interface is a special configuration that creates a copy of decrypted traffic from a Palo Alto firewall and sends it to any installed traffic collection tool where raw packets are captured for analysis and archiving. These captured packets can be further analyzed for Data Leakage Prevention (DLP).
The copy of decrypted traffic is automatically sent to a specific interface using the decryption mirror feature to any configured external DLP product.
A network interface is one of the important components of any firewall that provides interaction between a device and a network. It can be a physical or logical interface where the physical interface can be a NIC and sends and receives traffic at different transmission rates, and a logical interface can be a virtual, tunnel, and loopback interface but set up after the physical interface.
Palo Alto firewalls support nine different network interface types, where every interface has a different configuration and functionality that depends on the functional requirements of the infrastructure. Knowing how these interfaces work is a must for network security engineers tasked with keeping networks safe.