In a Layer 3 security chain network, security chain
devices use Layer 3 interfaces to connect to the security chain
network, and each interface must have an assigned IP address and
subnet mask. Security chain devices must be configured with static
routes to direct inbound and outbound traffic to the next device
in the security chain and back to the firewall.
Depending on the security chain session flow you choose (unidirectional or
bidirectional), decrypted inbound and outbound sessions pass through
the security chain in the same or opposite directions.
The figure below shows a firewall that is enabled as a decryption
broker directing allowed, clear text traffic through a Layer 3 security
chain bidirectionally. The firewall is configured with static routes
that direct inbound sessions to a trusted, internal zone where clients
reside (for example, to employees), and with a default route that
directs outbound sessions to an untrusted, external zone (the Internet).
For outbound sessions, the firewall uses the Primary Interface dedicated
to decryption forwarding to forward inbound sessions to the first security
chain device. The security chain devices use static routes to direct
traffic to the next inline device; each security chain device’s
next hop is the subsequent device’s ingress port IP address. The
last security chain device’s next hop is the firewall’s Secondary
Interface dedicated to decryption forwarding. (The flow for inbound
sessions is exactly the opposite).
Alternatively, the following figure shows the same firewall enabled
as a decryption broker directing decrypted traffic through a Layer
3 security chain; however, in this example, the firewall directs
all sessions to flow through the security unidirectionally. The
firewall uses the Primary Interface dedicated to decryption forwarding
to forward both inbound and outbound sessions to the first security
chain device. The last security chain device forwards both inbound and
outbound sessions back to the firewall.