Re: which firewall product?

2013-08-05 Thread William Herrin
On Mon, Aug 5, 2013 at 8:48 AM, Jason Pack  wrote:
> I'm pretty sure you can do this with any modern firewall... An ASA5505 is
> always a good bet.
>
> You'd just have to route the IPIP packets to a hairpin interface on the
> firewall, then create a policy that handles packets coming inbound from the
> hairpin.  Policies for handling traffic with that as the source interface
> would be able to filter based on layer-3 info as normal.

Hi Jason,

Hairpinning. So, set a router in there with a policy set on the
inbound ipip tunnel to forward all traffic out an ethernet to the ASA.
Then once I get it back on another ethernet from the ASA, use another
policy route to push it all to an outbound tunnel interface.

I hadn't considered that. Yikes, I'm not sure I want to. :)

Thanks,
Bill Herrin



--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: which firewall product?

2013-08-05 Thread Jason Pack
I'm pretty sure you can do this with any modern firewall... An ASA5505 is
always a good bet.

You'd just have to route the IPIP packets to a hairpin interface on the
firewall, then create a policy that handles packets coming inbound from the
hairpin.  Policies for handling traffic with that as the source interface
would be able to filter based on layer-3 info as normal.


The trick is, as mentioned, to route the de-encapsulated traffic back into
the firewall.  A quick googling shows a related example of this for the ASA
here: http://nat0.net/cisco-asa-hairpinning/

Jason Pack
Network Security Engineer - SevOne
4550 New Linden Hill Rd, Wilmington, DE, 19808
| p: 302-319-5400 | m: 302-464-0253 |
e: jp...@sevone.com | w: www.SevOne.com


On Mon, Aug 5, 2013 at 5:45 AM, Kenny Kant  wrote:

> If the tunnel is to be terminated on this firewall device I would say look
> into a Mikrotik box.  Alternatively you could make Cisco's IOS firewall /
> zone based firewall do this.  So look into an ISR?
>
>
> Sent from my iPad
>
> On Jul 30, 2013, at 3:00 PM, William Herrin  wrote:
>
> > Hi folks,
> >
> > I'm trying to identify a firewall appliance for one of my customers.
> > The wrinkle is: it has to be able to inspect packets inside an IPIP
> > tunnel and accept/reject based on IP address, TCP port number and
> > standard things like that. On the packet carried *inside* the IPIP
> > tunnel packet.
> >
> >
> > From what I can tell, the Cisco ASA can't do this.
> >
> > Linux iptables can (with the u32 match module) but the customer wants
> > an appliance, not a server.
> >
> > What appliances do you know of that can do this? Is there a different
> > Cisco box? A Juniper firewall? Anything else?
> >
> > Thanks in advance,
> > Bill Herrin
> >
> >
> > --
> > William D. Herrin  her...@dirtside.com  b...@herrin.us
> > 3005 Crane Dr. .. Web: 
> > Falls Church, VA 22042-3004
> >
>
>


Re: which firewall product?

2013-08-05 Thread Kenny Kant
If the tunnel is to be terminated on this firewall device I would say look into 
a Mikrotik box.  Alternatively you could make Cisco's IOS firewall / zone based 
firewall do this.  So look into an ISR?


Sent from my iPad

On Jul 30, 2013, at 3:00 PM, William Herrin  wrote:

> Hi folks,
> 
> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.
> 
> 
> From what I can tell, the Cisco ASA can't do this.
> 
> Linux iptables can (with the u32 match module) but the customer wants
> an appliance, not a server.
> 
> What appliances do you know of that can do this? Is there a different
> Cisco box? A Juniper firewall? Anything else?
> 
> Thanks in advance,
> Bill Herrin
> 
> 
> -- 
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: 
> Falls Church, VA 22042-3004
> 



Re: which firewall product?

2013-07-31 Thread Christopher Morrow
On Tue, Jul 30, 2013 at 6:57 PM, Owen DeLong  wrote:

> I believe Bill is looking for DPI on forwarded traffic and not to decapsulate 
> the traffic prior to inspection.

oh! dpi? just use sandvine? comcast says that they work well...




Re: which firewall product?

2013-07-30 Thread Blake Dunlap
Understood. I expected as much but thought I'd ask. Most of my suggestions
would require more knowledge of the layout to be filtered out.

I really don't know what you'd find that would do what you want in this
case, based on the requirements stated previously. Sorry =/

I'd look more to finding a way to make it a truly isolated unit that they
could audit personally, instead of a distributed zone with boundaries in
the middle.

-Blake


On Tue, Jul 30, 2013 at 5:39 PM, William Herrin  wrote:

> On Tue, Jul 30, 2013 at 5:36 PM, Blake Dunlap  wrote:
> > Well, I guess my first question is: Is this a design you are stuck with
> > for some reason or alternately, is there a good reason for it, and I need
> > to be educated as to real world design? It seems rather odd to put a
> > firewall boundary between a LB and its associated cluster as opposed to in
> > front of the LB.
>
> Howdy,
>
> Paperwork. The customer owns 3 servers in a system consisting of
> a hundred or so. He wants his security people to accredit it. They
> won't accredit individual servers, so his options were: duplicate the
> full system just for him (very expensive) or create a security
> boundary where he can say, "This is my enclave. Accredit my enclave."
>
> Naturally his security people decide that they don't want the
> firewalls to be additional servers running Linux. That would make it
> far too easy to secure his system. I don't yet know if they'd accept
> an appliance running Linux underneath. :/
>
> -Bill
>
>
> --
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: 
> Falls Church, VA 22042-3004
>


Re: which firewall product?

2013-07-30 Thread Richard Golodner
On Tue, 2013-07-30 at 18:15 -0500, Jimmy Hess wrote:
> I would encourage looking at  Checkpoint / Palo
> Alto / Stonegate / Sonicwall/  some others.
> 
If this were me, I would give Stonegate a call and explain what I
wanted to have happen. They are knowledgeable and kind folks.   
I can't speculate about the IPIP tunnels, but they will be able to give
you an answer.
I have used their products and found them to be very good.
Then again, this is just me. Good luck solving your problem.
Richard




Re: which firewall product?

2013-07-30 Thread Jimmy Hess
On 7/30/13, William Herrin  wrote:
> Hi folks,

I don't know about IPIP tunnel inspection; it seems like an odd
requirement to me, unless you mean _preventing_ IPIP tunnels from
being established, in that case a non-appliance solution may be
necessary. Is the IPIP tunnel supposed to land on the firewall; or
to traverse it? I would encourage looking at Checkpoint / Palo
Alto / Stonegate / Sonicwall / some others.

I think LAN "firewall products" that cannot do SSL decryption
and application identification (regardless of TCP port number) have
begun to outlive their usefulness; the ASA pretty much falls in
that category unless you bought lots of expensive addons, and unless
Cisco finally fixed all the nasty bugs that occur if you actually
attempted to use the deep protocol inspection features?


> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.

> From what I can tell, the Cisco ASA can't do this.


> --
> William D. Herrin  her...@dirtside.com  b...@herrin.us
--
-JH



Re: which firewall product?

2013-07-30 Thread Owen DeLong

On Jul 30, 2013, at 13:10 , Charles N Wyble  wrote:

> Not sure how bsd handles ipip connections. If it breaks them out as a 
> dedicated interface (like it does for openvpn connections) , then rules can 
> be applied and pfsense would be quite useful. The UI is very simple. 

That would only work if the firewall were terminating the tunnel instead of 
passing the tunneled traffic through still inside the tunnel.

I believe Bill is looking for DPI on forwarded traffic and not to decapsulate 
the traffic prior to inspection.

Owen

> 
> Warren Bailey  wrote:
>> Look into pfsense. It's rock solid and BSD based, and can be purchased
>> as an appliance. (both real and vm)
>> 
>> 
>> Sent from my Mobile Device.
>> 
>> 
>>  Original message 
>> From: William Herrin 
>> Date: 07/30/2013 1:02 PM (GMT-08:00)
>> To: nanog@nanog.org
>> Subject: which firewall product?
>> 
>> 
>> Hi folks,
>> 
>> I'm trying to identify a firewall appliance for one of my customers.
>> The wrinkle is: it has to be able to inspect packets inside an IPIP
>> tunnel and accept/reject based on IP address, TCP port number and
>> standard things like that. On the packet carried *inside* the IPIP
>> tunnel packet.
>> 
>> 
>> From what I can tell, the Cisco ASA can't do this.
>> 
>> Linux iptables can (with the u32 match module) but the customer wants
>> an appliance, not a server.
>> 
>> What appliances do you know of that can do this? Is there a different
>> Cisco box? A Juniper firewall? Anything else?
>> 
>> Thanks in advance,
>> Bill Herrin
>> 
>> 
>> --
>> William D. Herrin  her...@dirtside.com  b...@herrin.us
>> 3005 Crane Dr. .. Web: 
>> Falls Church, VA 22042-3004
> 
> -- 
> Sent from my Android device with K-9 Mail. Please excuse my brevity.




Re: which firewall product?

2013-07-30 Thread Owen DeLong
Aren't there appliance versions that are just iptables/linux under the hood?

For example, IPCop, IPFire, Smoothwall, Untangle, and Vyatta should fit the 
bill.

Owen

On Jul 30, 2013, at 13:00 , William Herrin  wrote:

> Hi folks,
> 
> I'm trying to identify a firewall appliance for one of my customers.
> The wrinkle is: it has to be able to inspect packets inside an IPIP
> tunnel and accept/reject based on IP address, TCP port number and
> standard things like that. On the packet carried *inside* the IPIP
> tunnel packet.
> 
> 
> From what I can tell, the Cisco ASA can't do this.
> 
> Linux iptables can (with the u32 match module) but the customer wants
> an appliance, not a server.
> 
> What appliances do you know of that can do this? Is there a different
> Cisco box? A Juniper firewall? Anything else?
> 
> Thanks in advance,
> Bill Herrin
> 
> 
> -- 
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: 
> Falls Church, VA 22042-3004




Re: which firewall product?

2013-07-30 Thread Kinkaid, Kyle
Hi Bill,

I found nDPI (http://www.ntop.org/products/ndpi/) lists IP in IP as a
supported protocol.  That doesn't fit your requirement that it be an
appliance but maybe it gets you going in the right direction.

Cheers,
Kyle


On Tue, Jul 30, 2013 at 1:38 PM, William Herrin  wrote:

> On Tue, Jul 30, 2013 at 4:19 PM, Michael Brown  wrote:
> > In the pfSense UI, you create the physical interface as a GRE tunnel
> > then assign it to a logical interface against which you can apply the
> > firewall rules:
>
> Thanks all. To be clear: I'm dealing with IPIP packets, not GRE
> packets. Linux LVS emits IPIP encapsulated packets when the target
> server is non-local. I have no option to emit GRE or another kind of
> tunnel packet.
>
> Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I
> can, but I'd prefer not to. What I want to do is look inside at the
> packet encapsulated by IPIP. Even if I have to hand-crank the rules in
> terms of byte X inside the packet should be value Y.
>
> Thanks again,
> Bill Herrin
>
>
>
> --
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: 
> Falls Church, VA 22042-3004
>
>


Re: which firewall product?

2013-07-30 Thread William Herrin
On Tue, Jul 30, 2013 at 5:36 PM, Blake Dunlap  wrote:
> Well, I guess my first question is: Is this a design you are stuck with for
> some reason or alternately, is there a good reason for it, and I need to be
> educated as to real world design? It seems rather odd to put a firewall
> boundary between a LB and its associated cluster as opposed to in front of
> the LB.

Howdy,

Paperwork. The customer owns 3 servers in a system consisting of
a hundred or so. He wants his security people to accredit it. They
won't accredit individual servers, so his options were: duplicate the
full system just for him (very expensive) or create a security
boundary where he can say, "This is my enclave. Accredit my enclave."

Naturally his security people decide that they don't want the
firewalls to be additional servers running Linux. That would make it
far too easy to secure his system. I don't yet know if they'd accept
an appliance running Linux underneath. :/

-Bill


-- 
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004



Re: which firewall product?

2013-07-30 Thread Blake Dunlap
Well, I guess my first question is: Is this a design you are stuck with for
some reason or alternately, is there a good reason for it, and I need to be
educated as to real world design? It seems rather odd to put a firewall
boundary between a LB and its associated cluster as opposed to in front of
the LB.

I've looked into something like this before for unrelated issues, and never
really was very happy with the results.

-Blake


On Tue, Jul 30, 2013 at 3:38 PM, William Herrin  wrote:

> On Tue, Jul 30, 2013 at 4:19 PM, Michael Brown  wrote:
> > In the pfSense UI, you create the physical interface as a GRE tunnel
> > then assign it to a logical interface against which you can apply the
> > firewall rules:
>
> Thanks all. To be clear: I'm dealing with IPIP packets, not GRE
> packets. Linux LVS emits IPIP encapsulated packets when the target
> server is non-local. I have no option to emit GRE or another kind of
> tunnel packet.
>
> Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I
> can, but I'd prefer not to. What I want to do is look inside at the
> packet encapsulated by IPIP. Even if I have to hand-crank the rules in
> terms of byte X inside the packet should be value Y.
>
> Thanks again,
> Bill Herrin
>
>
>
> --
> William D. Herrin  her...@dirtside.com  b...@herrin.us
> 3005 Crane Dr. .. Web: 
> Falls Church, VA 22042-3004
>
>


Re: which firewall product?

2013-07-30 Thread William Herrin
On Tue, Jul 30, 2013 at 4:19 PM, Michael Brown  wrote:
> In the pfSense UI, you create the physical interface as a GRE tunnel
> then assign it to a logical interface against which you can apply the 
> firewall rules:

Thanks all. To be clear: I'm dealing with IPIP packets, not GRE
packets. Linux LVS emits IPIP encapsulated packets when the target
server is non-local. I have no option to emit GRE or another kind of
tunnel packet.

Also, I'd prefer not to terminate the IPIP tunnel on the firewall. I
can, but I'd prefer not to. What I want to do is look inside at the
packet encapsulated by IPIP. Even if I have to hand-crank the rules in
terms of byte X inside the packet should be value Y.

Thanks again,
Bill Herrin



--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004
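Bill's "byte X inside the packet should be value Y" approach, and the iptables u32 option mentioned in the original post, worked through as an added example (this is not code from the thread or from any of the products named in it). It decodes the IPv4 packet carried inside an IPIP (IP protocol 4) packet without terminating the tunnel, gives an accept/drop verdict on the inner destination, protocol and port, and emits the equivalent iptables u32 expression. The policy, the 10.0.0.0/24 enclave, the FORWARD chain and the sample packets are constructed for the demo; the u32 idiom follows the iptables-extensions man page.

```python
"""
Added example (not from the thread): look inside an IPIP tunnel packet and
filter on the inner IPv4 header and TCP/UDP port, then express the same test
as an iptables u32 match.  Policy, addresses and packets are constructed.
"""
import ipaddress
import struct

IPPROTO_IPIP = 4
IPPROTO_TCP = 6
IPPROTO_UDP = 17


def parse_ipv4_header(buf, offset=0):
    """Parse the IPv4 header at buf[offset:]; return (fields, header_length)."""
    if len(buf) - offset < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, _tlen, _ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, offset)
    ihl = (ver_ihl & 0x0F) * 4            # header length in bytes, options included
    if ver_ihl >> 4 != 4 or ihl < 20 or len(buf) - offset < ihl:
        raise ValueError("bad IPv4 header")
    return {
        "proto": proto,
        "frag_off": flags_frag & 0x1FFF,  # non-zero => not the first fragment
        "src": ipaddress.IPv4Address(src),
        "dst": ipaddress.IPv4Address(dst),
    }, ihl


def decode_ipip(buf):
    """Return the inner flow (src, dst, proto, sport, dport) of an IPIP packet."""
    outer, outer_len = parse_ipv4_header(buf)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("outer packet is not IPIP")
    if outer["frag_off"] != 0:
        # Later fragments carry no inner header; never guess offsets on them.
        raise ValueError("outer packet is a non-initial fragment")
    inner, inner_len = parse_ipv4_header(buf, outer_len)   # honours outer options
    flow = {"src": inner["src"], "dst": inner["dst"], "proto": inner["proto"],
            "sport": None, "dport": None}
    l4 = outer_len + inner_len
    if (inner["proto"] in (IPPROTO_TCP, IPPROTO_UDP) and inner["frag_off"] == 0
            and len(buf) - l4 >= 4):
        flow["sport"], flow["dport"] = struct.unpack_from("!HH", buf, l4)
    return flow


# Constructed policy: (inner dst network, inner protocol, inner dst port).
# Anything else is dropped, including inner traffic whose ports cannot be
# read (non-TCP/UDP, or a fragmented inner packet).
POLICY = [("10.0.0.0/24", IPPROTO_TCP, 443), ("10.0.0.0/24", IPPROTO_TCP, 80)]


def verdict(flow):
    """ACCEPT if the inner flow matches a POLICY entry, else DROP."""
    for dst_net, proto, dport in POLICY:
        if (flow["dst"] in ipaddress.ip_network(dst_net)
                and flow["proto"] == proto and flow["dport"] == dport):
            return "ACCEPT"
    return "DROP"


def u32_expr(dst_net, proto, dport):
    """iptables u32 expression testing the same inner-packet fields.

    '0>>22&0x3C@' reads the outer IHL, multiplies it by 4 and moves the base
    offset to the inner IPv4 header; applied twice it lands on the inner L4
    header.  Every '&&' clause starts again at offset 0 of the outer header.
    """
    net = ipaddress.ip_network(dst_net)
    inner = "0>>22&0x3C@"
    return " && ".join([
        f"{inner}4&0x1FFF=0x0",                        # inner: first/unfragmented
        f"{inner}6&0xFF=0x{proto:X}",                  # inner: protocol byte
        f"{inner}16&0x{int(net.netmask):X}=0x{int(net.network_address):X}",
        f"{inner}{inner}0&0xFFFF=0x{dport:X}",         # inner L4: destination port
    ])


def iptables_rule(dst_net, proto, dport, chain="FORWARD"):
    """Full rule: outer proto 4, not a later fragment, u32 test on the inside."""
    return (f'iptables -A {chain} -p 4 ! -f -m u32 --u32 '
            f'"{u32_expr(dst_net, proto, dport)}" -j ACCEPT')


def ipv4_header(src, dst, proto, payload_len, options=b""):
    """Minimal IPv4 header for the demo (checksum left zero: offline use only)."""
    hlen = 20 + len(options)
    return struct.pack("!BBHHHBBH4s4s", 0x40 | hlen // 4, 0, hlen + payload_len,
                       0, 0x4000, 64, proto, 0,
                       ipaddress.IPv4Address(src).packed,
                       ipaddress.IPv4Address(dst).packed) + options


def build_ipip_packet(osrc, odst, isrc, idst, sport, dport, outer_options=b""):
    """Constructed IPIP packet carrying a bare 20-byte TCP header (LVS style)."""
    tcp = struct.pack("!HH", sport, dport) + bytes(16)
    inner = ipv4_header(isrc, idst, IPPROTO_TCP, len(tcp)) + tcp
    return ipv4_header(osrc, odst, IPPROTO_IPIP, len(inner), outer_options) + inner


if __name__ == "__main__":
    pkt = build_ipip_packet("192.0.2.1", "192.0.2.2", "198.51.100.7", "10.0.0.5", 40000, 443)
    print(decode_ipip(pkt), verdict(decode_ipip(pkt)))
    print(iptables_rule("10.0.0.0/24", IPPROTO_TCP, 443))
```

Two caveats a reviewer of such rules would raise: u32 cannot reassemble, so the generated rule only ever accepts first or unfragmented packets and a separate default DROP for `-p 4` is still needed for everything else; and offsets are computed from the outer IHL, so a tunnel packet with IP options is handled, but a malformed IHL or a truncated packet simply fails the match rather than being inspected.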



Re: which firewall product?

2013-07-30 Thread Michael Brown
In the pfSense UI, you create the physical interface as a GRE tunnel
then assign it to a logical interface against which you can apply the
firewall rules:



The screenshot is a GIF IPv6 he.net tunnel (this is 2.1RC0) but it works
the same way on 2.0.1.

Works great!

M.

On 13-07-30 04:10 PM, Charles N Wyble wrote:
> Not sure how bsd handles ipip connections. If it breaks them out as a 
> dedicated interface (like it does for openvpn connections) , then rules can 
> be applied and pfsense would be quite useful. The UI is very simple. 

-- 
Michael Brown| The true sysadmin does not adjust his behaviour
Systems Administrator| to fit the machine.  He adjusts the machine
mich...@supermathie.net  | until it behaves properly.  With a hammer,
 | if necessary.  - Brian



RE: which firewall product?

2013-07-30 Thread Charles N Wyble
Not sure how bsd handles ipip connections. If it breaks them out as a dedicated 
interface (like it does for openvpn connections) , then rules can be applied 
and pfsense would be quite useful. The UI is very simple. 

Warren Bailey  wrote:
>Look into pfsense. It's rock solid and BSD based, and can be purchased
>as an appliance. (both real and vm)
>
>
>Sent from my Mobile Device.
>
>
> Original message 
>From: William Herrin 
>Date: 07/30/2013 1:02 PM (GMT-08:00)
>To: nanog@nanog.org
>Subject: which firewall product?
>
>
>Hi folks,
>
>I'm trying to identify a firewall appliance for one of my customers.
>The wrinkle is: it has to be able to inspect packets inside an IPIP
>tunnel and accept/reject based on IP address, TCP port number and
>standard things like that. On the packet carried *inside* the IPIP
>tunnel packet.
>
>
>From what I can tell, the Cisco ASA can't do this.
>
>Linux iptables can (with the u32 match module) but the customer wants
>an appliance, not a server.
>
>What appliances do you know of that can do this? Is there a different
>Cisco box? A Juniper firewall? Anything else?
>
>Thanks in advance,
>Bill Herrin
>
>
>--
>William D. Herrin  her...@dirtside.com  b...@herrin.us
>3005 Crane Dr. .. Web: 
>Falls Church, VA 22042-3004

-- 
Sent from my Android device with K-9 Mail. Please excuse my brevity.


RE: which firewall product?

2013-07-30 Thread Warren Bailey
Look into pfsense. It's rock solid and BSD based, and can be purchased as an 
appliance. (both real and vm)


Sent from my Mobile Device.


 Original message 
From: William Herrin 
Date: 07/30/2013 1:02 PM (GMT-08:00)
To: nanog@nanog.org
Subject: which firewall product?


Hi folks,

I'm trying to identify a firewall appliance for one of my customers.
The wrinkle is: it has to be able to inspect packets inside an IPIP
tunnel and accept/reject based on IP address, TCP port number and
standard things like that. On the packet carried *inside* the IPIP
tunnel packet.


From what I can tell, the Cisco ASA can't do this.

Linux iptables can (with the u32 match module) but the customer wants
an appliance, not a server.

What appliances do you know of that can do this? Is there a different
Cisco box? A Juniper firewall? Anything else?

Thanks in advance,
Bill Herrin


--
William D. Herrin  her...@dirtside.com  b...@herrin.us
3005 Crane Dr. .. Web: 
Falls Church, VA 22042-3004