Re: [fw-wiz] Recommendations on modeler/change manger for PIX & FWSM



Brian,

If you are willing to try commercial tools, you can try the Firewall Analyzer
http://www.algosec.com
It handles what you called the "modeling" part (what will the firewall do
with this traffic), and also tracks changes to the pix configs, plus an
automatic risk assessment.

Full disclosure: I created this thing from way back when it was
a Bell-Labs research project, so I'm naturally biased.

Cheers,
Avishai
--
Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
http://www.algosec.com
**** Want to audit or debug your firewall's policy? ***


On 1/25/06, Brian Loe <knobdy@xxxxxxxxx> wrote:
> > On 1/24/06, Cary, Kim <Kim.Cary@xxxxxxxxxxxxxx> wrote:
> > > Been watching the list with interest for about 6 months! Thanks for the good
> > > discussion.
> > >
> > > We have several PIX & FWSM (PIX Blades) our team is managing. We've been
> > > using PDM (Cisco's Java tool for managing PIX) for distributed
> > > administration, but we've been getting tired of its shortcomings in
> > > documenting our rules. Also, we'd like to find something that handles change
> > > management (reporting, maybe rollback or state snapshots) and modeling (if
> > > traffic from 'here' starts to go 'there' what does the firewall do).
> >
>
> I've implemented a perl script and SVN based solution here for
> managing config changes - archiving/versioning them. Depending on
> where the devices are located in relation to where you run the
> scripts from it can wait to receive a trap stating the config has
> changed or run from a cron job and go grab it. E-mail me off-list and
> I'll give you what I've got.
>
> Can't help with the rest - though you could, in theory, use these
> scripts as a basis for creating new configs to upload programmatically.
> The perl modules available are pretty robust.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx
> http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
>
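The trap-or-cron archiving approach Brian describes, as an added example that is not his Perl/SVN script: Python in place of Perl, a plain directory of timestamped snapshots in place of Subversion, and a constructed sample PIX config in place of a fetch from a real device. What it adds to the description is the normalization step: PIX rewrites the `: Written by` header and `Cryptochecksum:` trailer on every `write mem` (assumed here to be the only volatile lines), so a versioning job keyed on the raw file would archive a "change" every time someone saved, while fingerprinting the normalized text makes a new snapshot, and the unified-diff change report, appear only when the policy itself moved.

```python
"""Archive firewall configs and report rule changes (added example).

Models the script described in the quoted post: an entry point that runs
from cron or from a trap handler, pulls the config, and versions it.
The device fetch is stubbed with a constructed sample; the "version
store" is a directory of timestamped snapshots, not Subversion.
"""
import difflib
import hashlib
import os
import re
import tempfile
import time

# Lines PIX rewrites on every save without any rule change.
# Assumption: these are the only volatile lines in the config.
VOLATILE = re.compile(r"^(: Saved|: Written by |Cryptochecksum:)")


def normalize(config_text):
    """Drop volatile lines and trailing whitespace so that only real
    policy changes alter the fingerprint and show up in the diff."""
    kept = []
    for line in config_text.splitlines():
        line = line.rstrip()
        if VOLATILE.match(line):
            continue
        kept.append(line)
    return "\n".join(kept) + "\n"


def fingerprint(config_text):
    """SHA-256 over the normalized config."""
    return hashlib.sha256(normalize(config_text).encode()).hexdigest()


def latest_snapshot(store_dir, hostname):
    """Return the text of the newest archived config, or None."""
    host_dir = os.path.join(store_dir, hostname)
    if not os.path.isdir(host_dir):
        return None
    names = sorted(n for n in os.listdir(host_dir) if n.endswith(".cfg"))
    if not names:
        return None
    with open(os.path.join(host_dir, names[-1])) as fh:
        return fh.read()


def rule_diff(old_text, new_text, hostname):
    """Unified diff of the normalized configs: the change report."""
    old_lines = normalize(old_text).splitlines(True) if old_text else []
    new_lines = normalize(new_text).splitlines(True)
    return "".join(difflib.unified_diff(
        old_lines, new_lines,
        fromfile=hostname + " (archived)", tofile=hostname + " (current)"))


def archive_config(store_dir, hostname, config_text, stamp=None):
    """Store a new snapshot if the policy differs from the newest one.

    Returns the diff text, or None when only volatile lines changed
    (a re-save with a fresh timestamp and checksum is not a change)."""
    previous = latest_snapshot(store_dir, hostname)
    if previous is not None and fingerprint(previous) == fingerprint(config_text):
        return None
    host_dir = os.path.join(store_dir, hostname)
    os.makedirs(host_dir, exist_ok=True)
    # Timestamp-named files sort chronologically, so the newest is last.
    stamp = stamp or time.strftime("%Y%m%dT%H%M%S", time.gmtime())
    with open(os.path.join(host_dir, stamp + ".cfg"), "w") as fh:
        fh.write(config_text)
    return rule_diff(previous, config_text, hostname)


def check_device(store_dir, hostname, fetch, stamp=None):
    """Entry point a cron job or trap handler would call. `fetch` is
    whatever pulls the running config (ssh, tftp, ...); stubbed here."""
    return archive_config(store_dir, hostname, fetch(hostname), stamp)


# Constructed sample configs (RFC 5737 documentation addresses).
SAMPLE_V1 = """\
: Saved
: Written by enable_15 at 12:00:00.000 UTC Wed Jan 25 2006
PIX Version 6.3(5)
nameif ethernet0 outside security0
nameif ethernet1 inside security100
hostname pixfw
access-list outside_in permit tcp any host 192.0.2.10 eq www
access-list outside_in deny ip any any log
access-group outside_in in interface outside
Cryptochecksum:00000000000000000000000000000001
: end
"""
# Same policy, re-saved: only the volatile lines differ.
SAMPLE_V1_RESAVED = SAMPLE_V1.replace("12:00:00.000", "13:30:00.000").replace(
    "Cryptochecksum:00000000000000000000000000000001",
    "Cryptochecksum:00000000000000000000000000000002")
# A real change: one new permit rule inserted before the final deny.
NEW_RULE = "access-list outside_in permit tcp any host 192.0.2.11 eq smtp\n"
SAMPLE_V2 = SAMPLE_V1_RESAVED.replace(
    "access-list outside_in deny ip any any log\n",
    NEW_RULE + "access-list outside_in deny ip any any log\n")


def demo():
    """Three successive polls against a throwaway store; returns the
    three archive_config results (diff, None, diff)."""
    store = tempfile.mkdtemp(prefix="fwarchive-")
    polls = [(SAMPLE_V1, "20060125T120000"),
             (SAMPLE_V1_RESAVED, "20060125T133000"),
             (SAMPLE_V2, "20060125T140000")]
    return tuple(check_device(store, "pixfw", lambda _h, c=cfg: c, stamp)
                 for cfg, stamp in polls)


if __name__ == "__main__":
    for result in demo():
        print("no policy change" if result is None else result)
```

Running it archives the first config (the report is the whole normalized policy), ignores the re-save, and reports only the added `smtp` permit for the third poll; the same `check_device` call sits equally well behind a cron entry or an snmptrapd handler, which is the distinction the post draws.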