
I just thought of a tool that would be very useful

So all day I get requests asking, can I do this from this host to that host?

Basically, it would be cool if a program could take a running configuration of a FW, and spit out what certain IPs are allowed to access to what.

So if I punch in an IP, it can tell me that yes it can ping/snmp/ftp/ssh/whatever to this IP.

Does this exist, or did I just make someone very rich with my idea? 😀
 
I just want a way to plop in a configuration from a FW, and then track what an IP is allowed to do, source/destination ... that looks more like configuration management.
 
I just want a way to plop in a configuration from a FW, and then track what an IP is allowed to do, source/destination ... that looks more like configuration management.

It is that also. It is a rather involved product. I use it and basically only touch on about 10% of what it can do.
 
Any idea on its cost?

It is fairly hefty and is licensed per node it manages. I have seen 120k+ prices for some of my customers. I honestly don't expect it to work for you unless you are a Fortune 1000. I would approach your request via the reporting system. BNA pulls in configs and stores them locally (along with history) and you can build a report that would look at the rules and tell you what can and can't get out based on IP / IP segment / zone etc.

It would be nice to see a linux variant that did something like this cheaper.
 
I was just thinking of a simple way for users to stop asking me this simple question ... I work for a company in the Fortune 1000 ;D
 
So all day I get requests asking, can I do this from this host to that host?

Basically, it would be cool if a program could take a running configuration of a FW, and spit out what certain IPs are allowed to access to what.

So if I punch in an IP, it can tell me that yes it can ping/snmp/ftp/ssh/whatever to this IP.

Does this exist, or did I just make someone very rich with my idea? 😀

As you mentioned in this thread, you have multiple devices that need to be queried, each with their own interfaces. This would require some type of broker software that presents a unified interface for your various devices. Today, such software is very expensive as it needs to maintain compatibility with a broad range of devices, and the fact that interfaces can change without warning makes such software necessarily fragile.

An alternative approach is to produce an interface standard which management applications can use to control an arbitrary device. This is the goal of software-defined networking, and while the technology is still in its infancy for various technical and political reasons, it will undoubtedly bring riches to the first person to bring it into the mainstream.
 
I definitely don't have software building experience, haha. I might ask the programmers if something like this is possible.

Would be nice if we could just do it in ASAs at this point ... since that is ~80% of the requests.
 
Why check configs?
Why not just let your users try and see if packets get through?

In 1994 I wrote a small utility to send a TCP SYN packet, and measure the time in milliseconds when I got my SYN+ACK back. I used that to test priority queuing. I called it tcpping. I should have the source (C) somewhere on an old hard disk.

Then I thought: if I had the idea to write a tcpping back then, I am sure others must have done the exact same since then. A quick Google revealed a few similar tools.
http://www.vdberg.org/~richard/tcpping.html
http://www.elifulkerson.com/projects/tcping.php

Something else I found: tcptraceroute.
http://michael.toren.net/code/tcptraceroute/

Not sure if tools like those are good enough for your customers. But personally, I would trust a tool like that more than any 3rd party tool that checks configs.
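A small tcpping in Python, added here as an example and not the 1994 C utility or any of the linked tools: it times the handshake the way the post describes (connect() returns once the SYN+ACK is in) and tells apart "open", "closed" (a RST came back) and "filtered" (silence until the timeout), which is the distinction that matters when a user says "the network is broken". The host and port values are whatever the caller passes in; nothing on the page fixes them.

```python
import socket
import time

def tcpping(host, port, timeout=2.0):
    """One TCP 'ping': start a handshake and time it until the SYN+ACK arrives.

    connect() returns once the peer's SYN+ACK has been received, so the elapsed
    time is the handshake RTT. The three outcomes tell a firewall story on their own:
      open     - SYN+ACK came back: the path and the rule both allow it
      closed   - a RST came back: the packet reached the host, nothing listens there
      filtered - nothing until the timeout: typically dropped by a filter on the path
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    start = time.perf_counter()
    try:
        s.connect((host, port))
        state = "open"
    except ConnectionRefusedError:
        state = "closed"
    except OSError:  # socket.timeout (TimeoutError) and unreachable/no-route errors
        state = "filtered"
    finally:
        ms = (time.perf_counter() - start) * 1000.0
        s.close()
    return {"host": host, "port": port, "state": state, "ms": round(ms, 1)}

def tcpping_many(host, port, count=3, timeout=2.0):
    """Repeat the probe; an intermittent drop shows up as a mix of states, not a single verdict."""
    results = [tcpping(host, port, timeout) for _ in range(count)]
    return {"open": sum(r["state"] == "open" for r in results), "results": results}
```

Unlike ICMP ping, this goes through on exactly the port the user is complaining about, so a "filtered" result against a port the rules should permit is evidence about the rules, not about the application.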
 
Why? Because users say things are intermittent, and claim it is the network until I can trace and provide proof that the rules are indeed in place.

We block a LOT of protocols, like ICMP that those tools would use.
 
Cisco ASAs have a packet-tracer command that does kinda what you want. You put in the source and destination information and it shows all of the steps the ASA takes on the packet (e.g. routing, NAT/PAT, ACLs, etc.) and shows the results of each step.

It wouldn't work well for end users because it requires one to have basic networking knowledge that most of them don't care to know or remember.
 
Basic networking knowledge is where they lack ... 90% of the time they just point their finger at the network, when it is a db/app issue.
 
If they could just input source IP and destination IP, and the program/script would look at the rules, and determine what ports it has open, that would save me oodles of time.
 
I don't know about other devices, but for an ASA or IOS device that could probably be done via a quick Perl script. Even if you don't want the external dependencies on some of the Cisco-specific modules you could just have it ssh in and run 'show config' and then parse the ACLs from that.
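The "run 'show config' and parse the ACLs" idea, sketched in Python rather than Perl and added here as an example, not code from anyone in the thread. It assumes a constructed snippet of ASA extended-ACL lines (ASA syntax: real subnet masks, not IOS wildcards; first matching rule wins; an unmatched packet hits the implicit deny), leaves the SSH fetch out, and answers the two questions the thread asks: "can A reach B on port X?" and "what may A send to B at all?".

```python
import ipaddress
# Constructed sample of ASA "show running-config" ACL lines; not from a real device.
SAMPLE_CONFIG = """\
access-list INSIDE_OUT extended permit tcp host 10.1.1.5 host 192.168.10.20 eq ssh
access-list INSIDE_OUT extended permit tcp 10.1.1.0 255.255.255.0 host 192.168.10.20 eq https
access-list INSIDE_OUT extended permit udp 10.1.0.0 255.255.0.0 any eq snmp
access-list INSIDE_OUT extended deny icmp any any
"""
PORT_NAMES = {"ssh": 22, "ftp": 21, "telnet": 23, "snmp": 161, "www": 80, "https": 443}

def _addr(t, i):
    """ASA address operand at t[i]: any | host X | NET MASK (a real mask, not an IOS wildcard)."""
    if t[i] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), i + 1
    net = t[i + 1] if t[i] == "host" else f"{t[i]}/{t[i + 1]}"
    return ipaddress.ip_network(net, strict=False), i + 2
def _ports(t, i):
    """Optional 'eq X' or 'range A B' operand as (lo, hi); None means every port."""
    name = lambda x: PORT_NAMES.get(x) or int(x)
    if i < len(t) and t[i] in ("eq", "range"):
        lo, hi = name(t[i + 1]), name(t[i + 2] if t[i] == "range" else t[i + 1])
        return (lo, hi), i + (3 if t[i] == "range" else 2)
    return None, i

def parse_acl(config, acl_name):
    """Rules of one named extended ACL in device order: (action, proto, src, dst, dst_ports)."""
    rules = []
    for t in (line.split() for line in config.splitlines()):
        if t[:3] == ["access-list", acl_name, "extended"]:
            src, i = _addr(t, 5)
            _, i = _ports(t, i)  # source-port operand: parsed only to skip over it
            dst, i = _addr(t, i)
            rules.append((t[3], t[4], src, dst, _ports(t, i)[0]))
    return rules

def check(rules, src_ip, dst_ip, proto, dport=None):
    """First matching rule wins; 'ip' rules match any protocol; no match is the implicit deny."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, p, sn, dn, ports in rules:
        port_ok = not ports or (dport is not None and ports[0] <= dport <= ports[1])
        if p in (proto, "ip") and s in sn and d in dn and port_ok:
            return action == "permit"
    return False

def allowed(rules, src_ip, dst_ip):
    """What src_ip may send to dst_ip; each permit is re-run through check() so shadowed ones drop out."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    return sorted({f"{p}:{ports[0]}-{ports[1]}" if ports else f"{p}:any"
                   for action, p, sn, dn, ports in rules if action == "permit" and s in sn
                   and d in dn and check(rules, src_ip, dst_ip, p, ports[0] if ports else None)})
```

With the sample above, allowed(parse_acl(SAMPLE_CONFIG, "INSIDE_OUT"), "10.1.1.5", "192.168.10.20") lists ssh, https and snmp, while the same pair over ICMP is denied by the fourth line, which is the kind of answer the thread wants to hand back to users without a trace.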
 