which firewall product?
mysidia at gmail.com
Tue Jul 30 23:15:49 UTC 2013
On 7/30/13, William Herrin <bill at herrin.us> wrote:
> Hi folks,
I don't know about IPIP tunnel inspection; it seems like an odd
requirement to me, unless you mean _preventing_ IPIP tunnels from
being established, in that case a non-appliance solution may be
necessary. Is the IPIP tunnel supposed to land on the firewall; or
to traverse it? I would encourage looking at Checkpoint / Palo
Alto / Stonegate / Sonicwall / some others.
I think LAN "firewall products" that cannot do SSL decryption
and application identification (regardless of TCP port number) have
begun to outlive their usefulness; the ASA pretty much falls in
that category unless you bought lots of expensive addons, and unless
Cisco finally fixed all the nasty bugs that occur if you actually
attempted to use the deep protocol inspection features?
> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.
> From what I can tell, the Cisco ASA can't do this.
> William D. Herrin ................ herrin at dirtside.com bill at herrin.us
More information about the NANOG