Re: [fw-wiz] Recommendations on modeler/change manger for PIX & FWSM


If you are willing to try commercial tools, you can try the Firewall Analyzer
It handles what you called "modeling" part (what will the firewall do
with this traffic), and also tracks changes to the pix configs, plus an
automatic risk assessment.

Full disclosure: I created this thing from way back when it was
a Bell-Labs research project, so I'm naturally biased.

Avishai Wool, Ph.D.,
Chief Technical Officer, Algorithmic Security Inc.
**** Want to audit or debug your firewall's policy? ***

On 1/25/06, Brian Loe <knobdy@xxxxxxxxx> wrote:
> > On 1/24/06, Cary, Kim <Kim.Cary@xxxxxxxxxxxxxx> wrote:
> > > Been watching the list with interest for about 6 months! Thanks for the good
> > > discussion.
> > >
> > > We have several PIX & FWSM (PIX Blades) our team is managing. We've been
> > > using PDM (Cisco's Java tool for managing PIX) for distributed
> > > administration, but we've been getting tired of its shortcomings in
> > > documenting our rules. Also, we'd like to find something that handles change
> > > management (reporting, maybe rollback or state snapshots) and modeling (if
> > > traffic from 'here' starts to go 'there' what does the firewall do).
> >
> I've implemented a perl script and SVN based solution here for
> managing config changes - archiving/versioning them. Depending on
> where the devices are located in relation to where you run the
> scripts from it can wait to receive a trap stating the config has
> changed or run from a cron job and go grab it. E-mail me off-list and
> I'll give you what I've got.
> Can't help with the rest - though you could, in theory, use these
> scripts as a basis for creating new configs to upload programmaticly.
> The perl modules available are pretty robust.
> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards@xxxxxxxxxxxxxxxxxx

firewall-wizards mailing list