which firewall product?
Hi folks, I'm trying to identify a firewall appliance for one of my customers. The wrinkle is: it has to be able to inspect packets inside an IPIP tunnel and accept/reject based on IP address, TCP port number and standard things like that. On the packet carried *inside* the IPIP tunnel packet.
From what I can tell, the Cisco ASA can't do this.
Linux iptables can (with the u32 match module) but the customer wants an appliance, not a server. What appliances do you know of that can do this? Is there a different Cisco box? A Juniper firewall? Anything else?

Thanks in advance,
Bill Herrin

--
William D. Herrin | herrin@dirtside.com bill@herrin.us
3005 Crane Dr. | Web: <http://bill.herrin.us/>
Falls Church, VA 22042-3004
Look into pfsense. It's rock solid and BSD based, and can be purchased as an appliance (both real and vm).

Sent from my Mobile Device.

-------- Original message --------
From: William Herrin <bill@herrin.us>
Date: 07/30/2013 1:02 PM (GMT-08:00)
To: nanog@nanog.org
Subject: which firewall product?
Not sure how bsd handles ipip connections. If it breaks them out as a dedicated interface (like it does for openvpn connections), then rules can be applied and pfsense would be quite useful. The UI is very simple.

Warren Bailey <wbailey@satelliteintelligencegroup.com> wrote:

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
In the pfSense UI, you create the physical interface as a GRE tunnel then assign it to a logical interface against which you can apply the firewall rules. The screenshot shows a GIF IPv6 he.net tunnel (this is 2.1RC0) but it works the same way on 2.0.1. Works great!

M.

On 13-07-30 04:10 PM, Charles N Wyble wrote:
--
Michael Brown           | The true sysadmin does not adjust his behaviour
Systems Administrator   | to fit the machine. He adjusts the machine
michael@supermathie.net | until it behaves properly. With a hammer,
                        | if necessary. - Brian
On Tue, Jul 30, 2013 at 4:19 PM, Michael Brown <michael@supermathie.net> wrote:
In the pfSense UI, you create the physical interface as a GRE tunnel then assign it to a logical interface against which you can apply the firewall rules:
Thanks all. To be clear: I'm dealing with IPIP packets, not GRE packets. Linux LVS emits IPIP encapsulated packets when the target server is non-local. I have no option to emit GRE or another kind of tunnel packet. Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I can, but I'd prefer not to. What I want to do is look inside at the packet encapsulated by IPIP. Even if I have to hand-crank the rules in terms of byte X inside the packet should be value Y.

Thanks again,
Bill Herrin
Well, I guess my first question is: Is this a design you are stuck with for some reason or alternately, is there a good reason for it, and I need to be educated as to real world design? It seems rather odd to put a firewall boundary between a LB and its associated cluster as opposed to in front of the LB. I've looked into something like this before for unrelated issues, and never really was very happy with the results.

-Blake

On Tue, Jul 30, 2013 at 3:38 PM, William Herrin <bill@herrin.us> wrote:
On Tue, Jul 30, 2013 at 5:36 PM, Blake Dunlap <ikiris@gmail.com> wrote:
Howdy,

Paperwork. The customer owns 3 servers in a system consisting of a hundred or so. He wants his security people to accredit it. They won't accredit individual servers, so his options were: duplicate the full system just for him (very expensive) or create a security boundary where he can say, "This is my enclave. Accredit my enclave." Naturally his security people decide that they don't want the firewalls to be additional servers running Linux. That would make it far too easy to secure his system. I don't yet know if they'd accept an appliance running Linux underneath. :/

-Bill
Understood. I expected as much but thought I'd ask. Most of my suggestions would require more knowledge of the layout to be filtered out. I really don't know what you'd find that would do what you want in this case, based on the requirements stated previously. Sorry =/ I'd look more to finding a way to make it a truly isolated unit that they could audit personally, instead of a distributed zone with boundaries in the middle. -Blake On Tue, Jul 30, 2013 at 5:39 PM, William Herrin <bill@herrin.us> wrote:
Hi Bill, I found nDPI (http://www.ntop.org/products/ndpi/) lists IP in IP as a supported protocol. That doesn't fit your requirement that it be an appliance but maybe it gets you going in the right direction. Cheers, Kyle On Tue, Jul 30, 2013 at 1:38 PM, William Herrin <bill@herrin.us> wrote:
On Jul 30, 2013, at 13:10 , Charles N Wyble <charles-lists@knownelement.com> wrote:
That would only work if the firewall were terminating the tunnel instead of passing the tunneled traffic through still inside the tunnel. I believe Bill is looking for DPI on forwarded traffic and not to decapsulate the traffic prior to inspection. Owen
On 7/30/13, William Herrin <bill@herrin.us> wrote:
I don't know about IPIP tunnel inspection; it seems like an odd requirement to me, unless you mean _preventing_ IPIP tunnels from being established, in that case a non-appliance solution may be necessary. Is the IPIP tunnel supposed to land on the firewall; or to traverse it? I would encourage looking at Checkpoint / Palo Alto / Stonegate / Sonicwall / some others. I think LAN "firewall products" that cannot do SSL decryption and application identification (regardless of TCP port number) have begun to outlive their usefulness; the ASA pretty much falls in that category unless you bought lots of expensive addons, and unless Cisco finally fixed all the nasty bugs that occur if you actually attempted to use the deep protocol inspection features?
On Tue, 2013-07-30 at 18:15 -0500, Jimmy Hess wrote:
I would encourage looking at Checkpoint / Palo Alto / Stonegate / Sonicwall / some others.
If this were me, I would give Stonegate a call and explain what I wanted to have happen. They are knowledgeable and kind folks. I can't speculate about the IPIP tunnels, but they will be able to give you an answer. I have used their products and found them to be very good. Then again, this is just me. Good luck solving your problem. Richard
If the tunnel is to be terminated on this firewall device I would say look into a Mikrotik box. Alternatively you could make Cisco's IOS firewall / zone based firewall do this. So look into an ISR?

Sent from my iPad

On Jul 30, 2013, at 3:00 PM, William Herrin <bill@herrin.us> wrote:
I'm pretty sure you can do this with any modern firewall... An ASA5505 is always a good bet. You'd just have to route the IPIP packets to a hairpin interface on the firewall, then create a policy that handles packets coming inbound from the hairpin. Policies for handling traffic with that as the source interface would be able to filter based on layer-3 info as normal. The trick is, as mentioned, to route the de-encapsulated traffic back into the firewall. A quick googling shows a related example of this for the ASA here: http://nat0.net/cisco-asa-hairpinning/

*Jason Pack*
Network Security Engineer - SevOne
4550 New Linden Hill Rd, Wilmington, DE, 19808 | p: 302-319-5400 | m: 302-464-0253 | e: jpack@sevone.com | w: www.SevOne.com

On Mon, Aug 5, 2013 at 5:45 AM, Kenny Kant <akennykant@gmail.com> wrote:
On Mon, Aug 5, 2013 at 8:48 AM, Jason Pack <jpack@sevone.com> wrote:
Hi Jason,

Hairpinning. So, set a router in there with a policy set on the inbound ipip tunnel to forward all traffic out an ethernet to the ASA. Then once I get it back on another ethernet from the ASA, use another policy route to push it all to an outbound tunnel interface. I hadn't considered that. Yikes, I'm not sure I want to. :)

Thanks,
Bill Herrin
participants (12)
- Blake Dunlap
- Charles N Wyble
- Christopher Morrow
- Jason Pack
- Jimmy Hess
- Kenny Kant
- Kinkaid, Kyle
- Michael Brown
- Owen DeLong
- Richard Golodner
- Warren Bailey
- William Herrin