AnandTech Forums > Hardware and Technology > Networking
01-29-2013, 12:51 PM   #1
ViviTheMage
Lifer
Join Date: Dec 2002
Location: Minneapolis
Posts: 35,302

I just thought of a tool that would be very useful

So all day I get requests asking, can I do this from this host to that host?

Basically, it would be cool if a program could take a running configuration of a FW, and spit out which IPs are allowed to access what.

So if I punch in an IP, it can tell me that yes it can ping/snmp/ftp/ssh/whatever to this IP.

Does this exist, or did I just make someone very rich with my idea?
__________________
Mad Genius Hosting -Web hosting, Cloud VPS, and Dedicated solutions...
30% off ALL services : AT30-vivi

vivi's blog

239-0-0
01-29-2013, 01:16 PM   #2
imagoon
Diamond Member
Join Date: Feb 2003
Location: Chicagoland, IL
Posts: 4,901

netsh advfirewall firewall show rule name=all

?
01-29-2013, 01:25 PM   #3
ViviTheMage

This is for an environment with multiple vendors/firewalls... ASAs, Check Points, etc.
01-29-2013, 01:29 PM   #4
imagoon

Quote:
Originally Posted by ViviTheMage
This is for an environment with multiple vendors/firewalls... ASAs, Check Points, etc.
Ah.

BMC Network Automation has something like that.
01-29-2013, 01:47 PM   #5
ViviTheMage

I just want a way to plop in a configuration from a FW, and then track what an IP is allowed to do, source/destination ... that looks more like configuration management.
01-29-2013, 04:25 PM   #6
imagoon

Quote:
Originally Posted by ViviTheMage
I just want a way to plop in a configuration from a FW, and then track what an IP is allowed to do, source/destination ... that looks more like configuration management.
It is that also. It is a rather involved product. I use it and basically only touch on about 10% of what it can do.
01-29-2013, 04:26 PM   #7
ViviTheMage

Any idea on its cost?
01-29-2013, 04:32 PM   #8
imagoon

Quote:
Originally Posted by ViviTheMage
Any idea on its cost?
It is fairly hefty and is licensed per node it manages. I have seen 120k+ prices for some of my customers. I honestly don't expect it to work for you unless you are a Fortune 1000. I would approach your request via the reporting system. BNA pulls in configs and stores them locally (along with history), and you can build a report that would look at the rules and tell you what can and can't get out based on IP / IP segment / zone etc.

It would be nice to see a linux variant that did something like this cheaper.
01-29-2013, 04:50 PM   #9
ViviTheMage

I was just thinking of a simple way for users to stop asking me this simple question ... I work for a company in the Fortune 1000 ;D
01-29-2013, 05:27 PM   #10
theevilsharpie
Platinum Member
Join Date: Nov 2009
Location: Southern California
Posts: 2,320

Quote:
Originally Posted by ViviTheMage
So all day I get requests asking, can I do this from this host to that host?

Basically, it would be cool if a program could take a running configuration of a FW, and spit out which IPs are allowed to access what.

So if I punch in an IP, it can tell me that yes it can ping/snmp/ftp/ssh/whatever to this IP.

Does this exist, or did I just make someone very rich with my idea?
As you mentioned in this thread, you have multiple devices that need to be queried, each with their own interfaces. This would require some type of broker software that presents a unified interface for your various devices. Today, such software is very expensive as it needs to maintain compatibility with a broad range of devices, and the fact that interfaces can change without warning makes such software necessarily fragile.

An alternative approach is to produce an interface standard which management applications can use to control an arbitrary device. This is the goal of software-defined networking, and while the technology is still in its infancy for various technical and political reasons, it will undoubtedly bring riches to the first person to bring it into the mainstream.
01-29-2013, 05:31 PM   #11
ViviTheMage

I definitely don't have software building experience, haha. I might ask the programmers if something like this is possible.

Would be nice if we could just do it in ASAs at this point ... since that is ~80% of the requests.
01-29-2013, 10:40 PM   #12
Gryz
Senior Member
Join Date: Aug 2010
Posts: 459

Why check configs?
Why not just let your users try and see if packets get through?

In 1994 I wrote a small utility to send a TCP SYN packet and measure the time in milliseconds until I got my SYN+ACK back. I used that to test priority queuing. I called it tcpping. I should have the source (C) somewhere on an old hard disk.

Then I thought: if I had the idea to write a tcpping back then, I am sure others must have done the exact same since then. A quick Google search revealed a few similar tools.
http://www.vdberg.org/~richard/tcpping.html
http://www.elifulkerson.com/projects/tcping.php

Something else I found: tcptraceroute.
http://michael.toren.net/code/tcptraceroute/

Not sure if tools like those are good enough for your customers. But personally, I would trust a tool like that more than any 3rd party tool that checks configs.

Last edited by Gryz; 01-29-2013 at 10:42 PM.
01-29-2013, 11:05 PM   #13
ViviTheMage

Why? Because users say things are intermittent, and claim it is the network until I can trace and provide proof that the rules are indeed in place.

We block a LOT of protocols, like ICMP that those tools would use.
01-30-2013, 10:14 AM   #14
Nothinman
Elite Member
Join Date: Sep 2001
Posts: 30,672

Cisco ASAs have a packet-tracer command that does kinda what you want. You put in the source and destination information and it shows all of the steps the ASA takes on the packet (e.g. routing, NAT/PAT, ACLs, etc) and shows the results of each step.

It wouldn't work well for end users because it requires one to have basic networking knowledge that most of them don't care to know or remember.
__________________
http://www.debian.org
01-30-2013, 10:23 AM   #15
ViviTheMage

Basic networking knowledge is where they lack ... 90% of the time they just point their finger at the network, when it is a db/app issue.
01-30-2013, 10:24 AM   #16
Nothinman

Which means that no tool will help you because your users will either use it incorrectly or ignore it anyway.
01-30-2013, 10:30 AM   #17
ViviTheMage

If they could just input source IP and destination IP, and the program/script would look at the rules, and determine what ports it has open, that would save me oodles of time.
01-30-2013, 10:42 AM   #18
Nothinman
I don't know about other devices, but for an ASA or IOS device that could probably be done via a quick Perl script. Even if you don't want the external dependencies on some of the Cisco-specific modules, you could just have it ssh in and run 'show config' and then parse the ACLs from that.
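As an added illustration of the "pull the config and parse the ACLs" approach that posts #17 and #18 describe (this is not code from the thread; it is written in Python rather than the Perl suggested, and runs over a constructed ASA-style config rather than a real one), the script below reads extended access-list lines and reports which protocol/port pairs are permitted from a source IP to a destination IP under first-match evaluation. It assumes the running config has already been fetched (for example over SSH) and deliberately ignores interface binding, NAT, object-groups and port ranges, which a real evaluation such as the ASA's own packet-tracer would take into account.

```python
import ipaddress

# Constructed sample of Cisco ASA "access-list ... extended" lines in
# first-match order (sample input for this example, not taken from the thread).
SAMPLE_CONFIG = """
access-list outside_in extended deny tcp host 10.1.1.9 host 192.168.10.20 eq 22
access-list outside_in extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.20 eq 22
access-list outside_in extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.20 eq 443
access-list outside_in extended permit udp host 10.1.1.5 host 192.168.10.20 eq 161
access-list outside_in extended permit icmp any host 192.168.10.20
access-list outside_in extended deny ip any any
"""

def _addr(t, i):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D MASK' at t[i]; return (network, next index)."""
    if t[i] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    if t[i] == "host":
        return ipaddress.ip_network(t[i + 1] + "/32"), i + 2
    return ipaddress.ip_network(f"{t[i]}/{t[i + 1]}"), i + 2

def parse_acl(config):
    """Return (action, proto, src_net, dst_net, port) tuples in config order.
    Only the plain 'eq <port>' form is handled; port ranges, object-groups
    and IPv6 are left out so the parser stays readable."""
    rules = []
    for line in config.splitlines():
        t = line.split()
        if len(t) < 7 or t[0] != "access-list" or t[2] != "extended":
            continue
        src, i = _addr(t, 5)
        dst, i = _addr(t, i)
        port = t[i + 1] if i + 1 < len(t) and t[i] == "eq" else None
        rules.append((t[3], t[4], src, dst, port))
    return rules

def reachable(rules, src_ip, dst_ip):
    """First-match evaluation: the earliest matching rule decides a (proto, port);
    a matching 'ip' catch-all ends evaluation. Returns permitted (proto, port) pairs."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    decided = {}
    for action, proto, src, dst, port in rules:
        if s not in src or d not in dst:
            continue
        if proto == "ip":  # any protocol, any port: nothing later can match first
            if action == "permit":
                decided.setdefault(("ip", "any"), True)
            break
        decided.setdefault((proto, port), action == "permit")
    return sorted((k for k, ok in decided.items() if ok), key=str)
```

Note that the specific deny for 10.1.1.9 on port 22 shadows the later subnet-wide permit, which is exactly the kind of ordering detail that makes "just read the rules" answers wrong when done by eye.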
01-30-2013, 11:37 AM   #19
ViviTheMage

Yeah, that would work, I might chat with one of our developers about it too...shit they're the ones asking most of the time.