which firewall product?

Jimmy Hess mysidia at gmail.com
Tue Jul 30 23:15:49 UTC 2013

On 7/30/13, William Herrin <bill at herrin.us> wrote:
> Hi folks,

I don't know about IPIP tunnel inspection;  it seems like an odd
requirement to me, unless you mean  _preventing_ IPIP tunnels from
being established,  in that case a non-appliance solution may be
necessary.    Is the IPIP tunnel supposed to land on the firewall; or
to traverse it?      I would encourage looking at  Checkpoint / Palo
Alto / Stonegate / Sonicwall    /  some others.

I think  LAN "firewall products"   that  cannot   do SSL decryption
and  application identification (regardless of TCP port number)   have
begun to outlive their usefulness;    the ASA pretty much falls in
that category unless you bought lots of expensive addons,   and unless
Cisco finally  fixed  all the nasty bugs that occur if you actually
attempted to use  the deep protocol inspection features?

> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.

> From what I can tell, the Cisco ASA can't do this.

> --
> William D. Herrin ................ herrin at dirtside.com  bill at herrin.us

More information about the NANOG mailing list