Transparent mode, Overview – Amer Networks E5Web GUI User Manual
Page 340

4.8. Transparent Mode
4.8.1. Overview
Transparent Mode Usage
The cOS Core Transparent Mode feature allows a Clavister Security Gateway to be placed at a
point in a network without any reconfiguration of the network and without hosts being aware of
its presence. All cOS Core features can then be used to monitor and manage traffic flowing
through that point. cOS Core can allow or deny access to different types of services (for example
HTTP) and in specified directions. As long as users are accessing the services permitted, they will
not be aware of the Clavister Security Gateway's presence.
Network security and control can therefore be significantly enhanced by deploying a
Clavister Security Gateway in transparent mode, while disturbance to existing users and hosts is
kept to a minimum.
Switch Routes
Transparent mode is enabled by specifying a Switch Route instead of a standard Route in routing
tables. The switch route usually specifies that the network all-nets is found on a specific interface.
cOS Core then uses ARP message exchanges over the connected Ethernet network to identify
and keep track of which host IP addresses are located on that interface (this is explained further
below). There should not be a normal non-switch route for that same interface.
In certain, less usual circumstances, switch routes can have a network range specified instead of
all-nets. This is usually when a network is split between two interfaces but the administrator does
not know exactly which users are on which interface.
Usage Scenarios
Two examples of transparent mode usage are:
• Implementing Security Between Users
In a corporate environment, there may be a need to protect the computing resources of
different departments from one another. The finance department might require access to
only a restricted set of services (HTTP for example) on the sales department's servers, whilst
the sales department might require access to a similarly restricted set of applications on the
finance department's hosts. By deploying a single Clavister Security Gateway between the
two departments' physical networks, transparent but controlled access can be achieved.
• Controlling Internet Access
An organization allows traffic between the external Internet and a range of public IPv4
addresses on an internal network. Transparent mode can control what kind of service is
permitted to these IP addresses and in what direction. For instance, the only service
permitted in such a situation may be HTTP access out to the Internet. This usage is dealt with
in greater depth below in Section 4.8.2, "Enabling Internet Access".
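The switch-route mechanism and the departmental scenario above, as a constructed model added here (not cOS Core code or its configuration syntax): all-nets switch routes on two interfaces, host locations learned from ARP, and one directional HTTP-only rule. Interface names, addresses and the rule are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
# Constructed model of the transparent-mode behaviour described above, not cOS Core
# code: switch routes say where a network may be found, host locations are learned
# from ARP, and directional service rules decide what crosses the gateway.
ALL_NETS = IPv4Network("0.0.0.0/0")  # the page's "all-nets"

@dataclass
class SwitchRoute:
    interface: str
    network: IPv4Network

@dataclass
class Rule:
    src_net: IPv4Network
    dst_net: IPv4Network
    dst_port: int

@dataclass
class TransparentGateway:
    switch_routes: list
    rules: list
    host_table: dict = field(default_factory=dict)  # IPv4Address -> interface

    def observe_arp(self, interface, sender_ip):
        """Learn from an ARP frame seen on `interface` which side its sender is on."""
        ip = IPv4Address(sender_ip)
        if any(r.interface == interface and ip in r.network for r in self.switch_routes):
            self.host_table[ip] = interface

    def locate(self, ip):
        return self.host_table.get(IPv4Address(ip))

    def decide(self, in_iface, src_ip, dst_ip, dst_port):
        """Egress interface for the packet, or None when it is not forwarded."""
        src, dst = IPv4Address(src_ip), IPv4Address(dst_ip)
        out_iface = self.locate(dst)
        if out_iface is None or out_iface == in_iface:
            return None  # unknown host (a real gateway would ARP for it) or same segment
        if any(src in r.src_net and dst in r.dst_net and dst_port == r.dst_port for r in self.rules):
            return out_iface
        return None

def demo_gateway():
    """'Security between users': one /24 split over two interfaces, finance hosts may
    reach sales servers on HTTP (port 80) only. Addresses are hypothetical."""
    return TransparentGateway(
        switch_routes=[SwitchRoute("if_finance", ALL_NETS), SwitchRoute("if_sales", ALL_NETS)],
        rules=[Rule(IPv4Network("10.0.0.0/25"), IPv4Network("10.0.0.128/25"), 80)],
    )
```

Note that the rule is one-directional: sales hosts get no matching rule back to finance, and a host never seen in ARP on a switch-route interface is not forwarded to.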
Comparison with Routing Mode
The Clavister Security Gateway can be regarded as operating in either of two modes:
Chapter 4: Routing