Network integration

 
This article will explains how to integrate Airlock into the network. It pays attention on the most frequent network problems and will illustrate the security and usability of different integrations.

Airlock provides several ways how it can be integrated into the network. Thereby it will easily fit into every existing network environment. You can choose between a single homed (one NIC), a dual homed (two NICs) or a triple homed (three NICs) installation. In any case you need at least two IP addresses which can be in the same subnet or not.
For a better understanding, all three scenarios are exactly explained on different network diagrams. The red numbers in the text are always related to the numbers in the network diagram. The IP addresses on the images are just examples, for a better understanding of the layer3 architecture.From the view of Airlock there is always an external, a back-end and a management network area. The Internet is usually located on the external network area. Generally you don’t know with what IP addresses clients will connect from there. To be able to route traffic back to those unknown clients, the default-router (5) on Airlock has to be on the external network interface.
In a single or dual homed installation the IP address of the management and the back-end interface can be the same. In both cases also the physically network interface will be the same.
It’s strongly recommended to have a network firewall in front of the external Interface. Although Airlock uses a portfilter on any interface, for performance reasons a dedicated firewall is an appropriate solution.

Single homed installation

The single homed Airlock is ideal for a quick and easy installation within a test environment. If you are not able to split your network in several subnets, you may also choose a single homed installation for production environments. In a single homed installation, all traffic will enter Airlock on one network interface, pass through the security zones and finally exit on the same interface. Untrusted, management and back-end connections will all make use of the same NIC.
So, all you need to establish a network connection with Airlock is one NIC and two free IP addresses. In most cases it’s enough to add just a default router to Airlock.
Due to the fact that it’s not necessary to create several host- or network routes for back-end-, NTP-, Syslog-, DNS Servers or management clients, a single homed setup is probably the easiest way to integrate Airlock into an existing network environment.
From a security point of view, in a properly configured network, the risk increase of a possible attack in a single homed is insignificant.
If you are planning to setup a single homed installation, take care that only management clients are able to connect to the management IP address of Airlock. If the traffic from Airlock to the backend servers passes through an untrusted network, you should configure the mapping on the Airlock Configuration Center to use an SSL connection.



If you setup a single homed installation and the back-end- and/or management IP address is not in the same subnet as one on the external interface, you may need to care about the routing for IP addresses which are not in the same subnet as the IP on the back-end or management Interface but refer to them.

Dual homed installation

On a dual homed installation the back-end and the management network interface will be the same. Usually they will also share the IP address assigned to this interface.
When you setup a dual homed installation, you might have to care about the routing to NTP-, Syslog-, Mail-, back-end servers and management clients, if they will not use IP addresses in the same subnet as the back-end or/and management interface. On the diagram this traffic will be routed through a firewall.
Having a firewall on the back-end/management interface is optional. The primary advantage of having a firewall in front of the back-end/management interface is to control who will be able to manage Airlock. This can be important if you have unprotected servers on this area, so you can prevent a potential attack from there to the Airlock management console.
Because the strict traffic flow from one NIC through all security zones of Airlock to another NIC and not having untrusted and trusted traffic on the same NIC, the security of a dual homed installation is higher compared to a single homed installation.

Triple homed installation

On a triple homed Airlock, configuration changes are only possible through the management interface. For a triple homed installation you need at least three IP addresses and a server with at least three NICs.
The IP address on the back-end and the one on the management interface has to be on different subnets. Its possible to have one of them in the same subnet as the external IP address.
A triple homed Airlock sends traffic to Syslog-, Mail- and NTP servers over the management interface. If they are located in a subnet other than the one of the interface, you need to create host- or network based routes. On the image this route is realized over a firewall. The function of this firewall is basically to control traffic to the management network.
Since managing Airlock is not possible through the back-end interface, the firewall in this network is optional. A reason to have it there could be if you have unprotected servers on the back-end network and need to protect Airlock form any kind of potential network attacks on the back-end interface.
A triple homed installation offers the highest level of security.

If the same IP address is accessing Airlock on the external and on the back-end and/or management interface, Airlock is unable to determinate the correct back routing. This can be the case, if you use the same client for managing Airlock and testing the backend-application through Airlock.
This problem can appear on single-, dual- and triple homed installations.
Fortunately most connections from Intranet to Internet are using Source NAT or pass a forward proxy. Therefore on the external interface of Airlock only the NAT IP or the IP of the forward proxy will arrive, while on the back-end or management interface the real IP of the client will arrive.

Failover

If you setup a failover cluster, you need a “Private failover IP address“ (PIP) and a „Mirror failover IP address“ (MIP). This addresses are assigned to the external interface and only used for the clustertalk. Both have to be in the same subnet. It’s recommended to use addresses which are not routed.

Re-IP

In case you do a misconfiguration and cut the connection to the management interface, you can use “Re-IP” from the console menu of Airlock to set the IP and routing for the management interface. Doing so, you can also change the management interface.
To use “Re-IP”, logon to the Airlock console as user “menu”. Use the same password as for “admin”. Select “Expert Settings” and choose “Set network basics for the internal network interface (re-ip)”.
The settings done by "Re-IP" are not persistant. You have to fix them immediately in the Configuration Center. Else they will be lost if you reboot Airlock. "Re-IP" really only allows you to reach the Web GUI.