Re: [fw-wiz] Recommendations on modeler/change manger for PIX & FWSM



Brian,

If you are willing to try commercial tools, you can try the Firewall Analyzer
http://www.algosec.com
It handles what you called "modeling" part (what will the firewall do
with this traffic), and also tracks changes to the pix configs, plus an
automatic risk assessment.

Full disclosure: I created this thing from way back when it was
a Bell-Labs research project, so I'm naturally biased.

Cheers,
Avishai
--
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
http://www.algosec.com
**** Want to audit or debug your firewall's policy? ***


On 1/25/06, Brian Loe <knobdy@xxxxxxxxx> wrote:
> > On 1/24/06, Cary, Kim <Kim.Cary@xxxxxxxxxxxxxx> wrote:
> > > Been watching the list with interest for about 6 months! Thanks for the good
> > > discussion.
> > >
> > > We have several PIX & FWSM (PIX Blades) our team is managing. We've been
> > > using PDM (Cisco's Java tool for managing PIX) for distributed
> > > administration, but we've been getting tired of its shortcomings in
> > > documenting our rules. Also, we'd like to find something that handles change
> > > management (reporting, maybe rollback or state snapshots) and modeling (if
> > > traffic from 'here' starts to go 'there' what does the firewall do).
> >
>
> I've implemented a perl script and SVN based solution here for
> managing config changes - archiving/versioning them. Depending on
> where the devices are located in relation to where you run the
> scripts from it can wait to receive a trap stating the config has
> changed or run from a cron job and go grab it. E-mail me off-list and
> I'll give you what I've got.
>
> Can't help with the rest - though you could, in theory, use these
> scripts as a basis for creating new configs to upload programmaticly.
> The perl modules available are pretty robust.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>


--
_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxx
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards



Relevant Pages

  • Re: NTP security hole CVE-2013-5211?
    ... Firewall is for filtering traffic, but not for hiding buggy configs. ... Only allow the network you want to your NTP serverand deny the others. ... We do not want to enforce our configuration changes to users who might have a good reason for having an alternative setup! ...
    (FreeBSD-Security)
  • RE: Firewall Rule Visualisation
    ... configs. ... Subject: Firewall Rule Visualisation ... Specifically Pix rule sets if possible. ...
    (Pen-Test)
  • Cisco PIX 515 and VPN
    ... I can connect to a PIX 515 from an XP workstaion. ... firewall what configs do I add so a can access the remote network? ...
    (comp.security.firewalls)
  • Re: And another Ubuntu convert!
    ... Which is why Ubuntu Desktop versions don't install one. ... you can configure the firewall to only allow connection attempts ... decide whether or not to trust them by allowing any scripts. ... do anything harmful (activex, of course, is just one huge vulnerability). ...
    (Ubuntu)
  • Re: New User - Part 2
    ... >Do you happen to have any good workable iptable scripts for newbies to ... I can now get a decent firewall up ... and running in about 45 seconds, with no notes and no previous scripts. ... Shorewall puts all files into /etc/shorewall. ...
    (Fedora)