User Tools

Site Tools


When to use a SHIM tunnel

Some highly secure environments do not allow general purpose tunnels like GRE or VPN. In those sites, the shim tunnel comes in handy. But the receiver needs to support detunneling.

This nfshim daemon adds a 12 byte shim header before the Netflow header.


Primary use case : Accepts Netflow from multiple routers relays it to a receiver as a shim tunnel.

Using this shim technique, NETFLOW/SFLOW from routers in a DMZ can be tunneled to an internal Security Zone where Trisul NetworK Analytics is running. Relaying netflow to a remote Trisul without using NAT GRE or VPN tunneling. This of course requires the netflow collector to support the ability to unpack the packets. Trisul Network Analytics can do that.

hardware/shimtunnelintro.txt · Last modified: 2019/07/13 18:41 by veera