Decryption Broker: Layer 3 Security Chain
Focus
Focus

Decryption Broker: Layer 3 Security Chain

Table of Contents
End-of-Life (EoL)

Decryption Broker: Layer 3 Security Chain

In a Layer 3 security chain network, security chain devices use Layer 3 interfaces to connect to the security chain network, and each interface must have an assigned IP address and subnet mask. Security chain devices must be configured with static routes to direct inbound and outbound traffic to the next device in the security chain and back to the firewall.
Depending on the security chain session flow you choose (unidirectional or bidirectional), decrypted inbound and outbound sessions pass through the security chain in the same or opposite directions.
The figure below shows a firewall that is enabled as a decryption broker directing allowed, clear text traffic through a Layer 3 security chain bidirectionally. The firewall is configured with static routes that direct inbound sessions to a trusted, internal zone where clients reside (for example, to employees), and with a default route that directs outbound sessions to an untrusted, external zone (the Internet). For outbound sessions, the firewall uses the Primary Interface dedicated to decryption forwarding to forward inbound sessions to the first security chain device. The security chain devices use static routes to direct traffic to the next inline device; each security chain device’s next hop is the subsequent device’s ingress port IP address. The last security chain device’s next hop is the firewall’s Secondary Interface dedicated to decryption forwarding. (The flow for inbound sessions is exactly the opposite).
Alternatively, the following figure shows the same firewall enabled as a decryption broker directing decrypted traffic through a Layer 3 security chain; however, in this example, the firewall directs all sessions to flow through the security unidirectionally. The firewall uses the Primary Interface dedicated to decryption forwarding to forward both inbound and outbound sessions to the first security chain device. The last security chain device forwards both inbound and outbound sessions back to the firewall.
In both Layer 3 security chain deployments (bidirectional and unidirectional), the firewall re-encrypts the traffic the security chain returns and continues to forward it to its destination. Configure Decryption Broker with One or More Layer 3 Security Chain to get started with either of these deployments.