[164732] in North American Network Operators' Group
Re: which firewall product?
daemon@ATHENA.MIT.EDU (Jimmy Hess)
Tue Jul 30 19:16:12 2013
In-Reply-To: <CAP-guGV66EJebHOhkOuxAo7OcYbSt_Asa_nQSCysBdBQiq2eBw@mail.gmail.com>
Date: Tue, 30 Jul 2013 18:15:49 -0500
From: Jimmy Hess <mysidia@gmail.com>
To: William Herrin <bill@herrin.us>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On 7/30/13, William Herrin <bill@herrin.us> wrote:
> Hi folks,
I don't know about IPIP tunnel inspection; it seems like an odd
requirement to me, unless you mean _preventing_ IPIP tunnels from
being established, in that case a non-appliance solution may be
necessary. Is the IPIP tunnel supposed to land on the firewall; or
to traverse it? I would encourage looking at Checkpoint / Palo
Alto / Stonegate / Sonicwall / some others.
I think LAN "firewall products" that cannot do SSL decryption
and application identification (regardless of TCP port number) have
begun to outlive their usefulness; the ASA pretty much falls in
that category unless you bought lots of expensive addons, and unless
Cisco finally fixed all the nasty bugs that occur if you actually
attempted to use the deep protocol inspection features?
> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.
> From what I can tell, the Cisco ASA can't do this.
> --
> William D. Herrin ................ herrin@dirtside.com bill@herrin.us
--
-JH
