nanog mailing list archives
Re: which firewall product?
From: Jimmy Hess <mysidia () gmail com>
Date: Tue, 30 Jul 2013 18:15:49 -0500
On 7/30/13, William Herrin <bill () herrin us> wrote:
> Hi folks,

I don't know about IPIP tunnel inspection; it seems like an odd requirement to me, unless you mean _preventing_ IPIP tunnels from being established, in that case a non-appliance solution may be necessary. Is the IPIP tunnel supposed to land on the firewall; or to traverse it? I would encourage looking at Checkpoint / Palo Alto / Stonegate / Sonicwall / some others. I think LAN "firewall products" that cannot do SSL decryption and application identification (regardless of TCP port number) have begun to outlive their usefulness; the ASA pretty much falls in that category unless you bought lots of expensive addons, and unless Cisco finally fixed all the nasty bugs that occur if you actually attempted to use the deep protocol inspection features?

> I'm trying to identify a firewall appliance for one of my customers. The wrinkle is: it has to be able to inspect packets inside an IPIP tunnel and accept/reject based on IP address, TCP port number and standard things like that. On the packet carried *inside* the IPIP tunnel packet.
> From what I can tell, the Cisco ASA can't do this.
> -- William D. Herrin ................ herrin () dirtside com bill () herrin us

-- -JH
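To make concrete what "inspect the packet carried inside the IPIP tunnel" asks of a filtering device, here is an added example (not part of the thread, and not any vendor's code) that decapsulates an IPv4-in-IPv4 packet (outer IP protocol 4) and evaluates an accept/deny rule set against the inner source/destination address, inner protocol and inner TCP port, falling back to the outer header when the packet is not tunnelled. It assumes IPv4-in-IPv4 only, no IP options beyond what the IHL field describes, no fragmentation, and it does not verify checksums; the sample packets are constructed inline with zeroed checksums and documentation-range addresses.

```python
import ipaddress
import struct

IPPROTO_IPIP = 4   # IPv4 carried inside IPv4 (RFC 2003)
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ipv4(buf):
    """Parse one IPv4 header; return (header dict, payload bytes bounded by Total Length)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", buf[:20])
    version, ihl = ver_ihl >> 4, (ver_ihl & 0x0F) * 4
    if version != 4 or ihl < 20 or len(buf) < ihl or total_len < ihl:
        raise ValueError("not a valid IPv4 header")
    hdr = {"src": str(ipaddress.IPv4Address(src)),
           "dst": str(ipaddress.IPv4Address(dst)),
           "proto": proto, "sport": None, "dport": None}
    return hdr, buf[ihl:total_len]


def parse_l4_ports(proto, payload):
    """TCP and UDP both start with 16-bit source and destination ports."""
    if proto in (IPPROTO_TCP, IPPROTO_UDP) and len(payload) >= 4:
        return struct.unpack("!HH", payload[:4])
    return None, None


def classify(packet):
    """Return {'outer': hdr, 'inner': hdr or None}; inner is filled when outer proto is IPIP."""
    outer, payload = parse_ipv4(packet)
    inner = None
    if outer["proto"] == IPPROTO_IPIP:
        inner, inner_payload = parse_ipv4(payload)          # decapsulate one level
        inner["sport"], inner["dport"] = parse_l4_ports(inner["proto"], inner_payload)
    else:
        outer["sport"], outer["dport"] = parse_l4_ports(outer["proto"], payload)
    return {"outer": outer, "inner": inner}


def rule_matches(match, hdr):
    """src/dst are matched as networks; every other key must be equal."""
    for key, want in match.items():
        if key in ("src", "dst"):
            if ipaddress.ip_address(hdr[key]) not in ipaddress.ip_network(want):
                return False
        elif hdr.get(key) != want:
            return False
    return True


def evaluate(rules, packet):
    """First matching rule wins; default deny. Rules apply to the inner header when tunnelled."""
    info = classify(packet)
    hdr = info["inner"] if info["inner"] is not None else info["outer"]
    for action, match in rules:
        if rule_matches(match, hdr):
            return action
    return "deny"


# --- constructed sample traffic (hypothetical addresses from RFC 5737 / RFC 1918) ---
def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_tcp_syn(sport, dport):
    # minimal 20-byte TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 65535, 0, 0)


RULES = [
    ("allow", {"dst": "10.0.1.0/24", "proto": IPPROTO_TCP, "dport": 443}),
    ("deny",  {"dst": "10.0.1.0/24", "proto": IPPROTO_TCP, "dport": 22}),
]

# tunnel endpoints 192.0.2.1 -> 192.0.2.2 carrying inner flows from 10.0.0.5 to 10.0.1.80
PKT_TUNNELED_HTTPS = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP,
                                build_ipv4("10.0.0.5", "10.0.1.80", IPPROTO_TCP,
                                           build_tcp_syn(40000, 443)))
PKT_TUNNELED_SSH = build_ipv4("192.0.2.1", "192.0.2.2", IPPROTO_IPIP,
                              build_ipv4("10.0.0.5", "10.0.1.80", IPPROTO_TCP,
                                         build_tcp_syn(40001, 22)))
PKT_PLAIN_HTTPS = build_ipv4("10.0.0.5", "10.0.1.9", IPPROTO_TCP, build_tcp_syn(40002, 443))

if __name__ == "__main__":
    for name, pkt in [("tunneled https", PKT_TUNNELED_HTTPS),
                      ("tunneled ssh", PKT_TUNNELED_SSH),
                      ("plain https", PKT_PLAIN_HTTPS)]:
        print(f"{name:15s} -> {evaluate(RULES, pkt)}")
```

Jimmy's question of whether the tunnel lands on the firewall or traverses it is exactly the question this code sidesteps: a device that terminates the tunnel sees the inner packet natively and can filter it with ordinary rules, whereas a device the tunnel merely crosses has to decapsulate as above, and a policy written only against the outer header sees just the two tunnel endpoints and protocol 4.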