I just thought of a tool that would be very useful

Discussion in 'Networking' started by ViviTheMage, Jan 29, 2013.

  1. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    So all day I get requests asking, can I do this from this host to that host?

    Basically, it would be cool if a program could take a running configuration of a FW, and spit out which IPs are allowed to access what.

    So if I punch in an IP, it can tell me that yes it can ping/snmp/ftp/ssh/whatever to this IP.

    Does this exist, or did I just make someone very rich with my idea? :D
     
  3. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    netsh advfirewall firewall show rule name=all

    ?
     
  4. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    This is for an environment with multiple vendors/firewalls... ASAs, Checkpoints, etc.
     
  5. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    Ah.

    BMC Network Automation has something like that.
     
  6. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    I just want a way to plop in a configuration from a FW, and then track what an IP is allowed to do, source/destination ... that looks more like configuration management.
     
  7. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    It is that also. It is a rather involved product. I use it and basically only touch on about 10% of what it can do.
     
  8. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    Any idea on its cost?
     
  9. imagoon

    imagoon Diamond Member

    Joined:
    Feb 19, 2003
    Messages:
    5,199
    Likes Received:
    0
    It is fairly hefty and is licensed per node it manages. I have seen 120k+ prices for some of my customers. I honestly don't expect it to work for you unless you are a Fortune 1000. I would approach your request via the reporting system. BNA pulls in configs and stores them locally (along with history), and you can build a report that would look at the rules and tell you what can and can't get out based on IP / IP segment / zone, etc.

    It would be nice to see a linux variant that did something like this cheaper.
     
  10. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    I was just thinking of a simple way for users to stop asking me this simple question ... I work for a company in the Fortune 1000 ;D
     
  11. theevilsharpie

    theevilsharpie Platinum Member

    Joined:
    Nov 2, 2009
    Messages:
    2,323
    Likes Received:
    13
    As you mentioned in this thread, you have multiple devices that need to be queried, each with their own interfaces. This would require some type of broker software that presents a unified interface for your various devices. Today, such software is very expensive as it needs to maintain compatibility with a broad range of devices, and the fact that interfaces can change without warning makes such software necessarily fragile.

    An alternative approach is to produce an interface standard which management applications can use to control an arbitrary device. This is the goal of software-defined networking, and while the technology is still in its infancy for various technical and political reasons, it will undoubtedly bring riches to the first person to bring it into the mainstream.
     
  12. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    I definitely don't have software building experience, haha. I might ask the programmers if something like this is possible.

    Would be nice if we could just do it in ASAs at this point ... since that is ~80% of the requests.
     
  13. Gryz

    Gryz Golden Member

    Joined:
    Aug 28, 2010
    Messages:
    1,307
    Likes Received:
    84
    Why check configs?
    Why not just let your users try and see if packets get through?

    In 1994 I wrote a small utility to send a TCP SYN packet, and measure the time in milliseconds until I got my SYN+ACK back. I used that to test priority queuing. I called it tcpping. I should have the source (C) somewhere on an old hard disk.

    Then I thought: if I had the idea to write a tcpping back then, I am sure others must have done the exact same since then. A quick Google search revealed a few similar tools.
    http://www.vdberg.org/~richard/tcpping.html
    http://www.elifulkerson.com/projects/tcping.php

    Something else I found: tcptraceroute.
    http://michael.toren.net/code/tcptraceroute/

    Not sure if tools like those are good enough for your customers. But personally, I would trust a tool like that more than any third-party tool that checks configs.
     
    #12 Gryz, Jan 29, 2013
    Last edited: Jan 29, 2013
  14. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    Why? Because users say things are intermittent, and claim it is the network until I can trace and provide proof that the rules are indeed in place.

    We block a LOT of protocols, like ICMP, that those tools would use.
     
  15. Nothinman

    Nothinman Elite Member

    Joined:
    Sep 14, 2001
    Messages:
    30,672
    Likes Received:
    0
    Cisco ASAs have a packet-tracer command that does kinda what you want. You put in the source and destination information and it shows all of the steps the ASA takes on the packet (e.g. routing, NAT/PAT, ACLs, etc.) and shows the results of each step.

    It wouldn't work well for end users because it requires one to have basic networking knowledge that most of them don't care to know or remember.
     
  16. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    Basic networking knowledge is where they lack ... 90% of the time they just point their finger at the network, when it is a db/app issue.
     
  17. Nothinman

    Nothinman Elite Member

    Joined:
    Sep 14, 2001
    Messages:
    30,672
    Likes Received:
    0
    Which means that no tool will help you because your users will either use it incorrectly or ignore it anyway.
     
  18. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    If they could just input source IP and destination IP, and the program/script would look at the rules, and determine what ports it has open, that would save me oodles of time.
     
  19. Nothinman

    Nothinman Elite Member

    Joined:
    Sep 14, 2001
    Messages:
    30,672
    Likes Received:
    0
    I don't know about other devices, but for an ASA or IOS device that could probably be done via a quick perl script. Even if you don't want the external dependencies on some of the Cisco-specific modules you could just have it ssh in and run 'show config' and then parse the ACLs from that.
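The script sketched in this reply (parse the ACLs out of an ASA's 'show config' and answer the "source IP, destination IP, which ports?" question from the earlier post), as an added example that is not from anyone in the thread; it is written in Python rather than Perl, works on a constructed config snippet instead of an SSH session, and only understands plain extended ACL entries (any / host / subnet-mask addresses and 'eq PORT'), not object-groups or port ranges.

```python
import ipaddress
import re
# Constructed ASA-style ACL entries for the demo (not from any real device)
SAMPLE_CONFIG = """
access-list INSIDE_OUT extended permit tcp host 10.1.1.5 10.2.0.0 255.255.0.0 eq ssh
access-list INSIDE_OUT extended deny tcp any host 10.2.3.4 eq ssh
access-list INSIDE_OUT extended permit tcp 10.1.0.0 255.255.0.0 any eq https
access-list INSIDE_OUT extended permit udp 10.1.0.0 255.255.0.0 any eq snmp
access-list INSIDE_OUT extended deny icmp any any
"""
PORT_NAMES = {"ftp": 21, "ssh": 22, "www": 80, "snmp": 161, "https": 443}  # names ASA prints; subset
ACL_RE = re.compile(r"^access-list (?P<name>\S+) extended (?P<action>permit|deny) (?P<proto>\S+) (?P<rest>.+)$")

def _take_addr(tokens):
    """Consume one address spec: any / host A.B.C.D / A.B.C.D SUBNETMASK (ASA uses masks, not wildcards)."""
    if tokens[0] in ("any", "any4"):
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1]), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]

def _take_port(tokens):  # optional 'eq PORT' (numeric or service name); None means any port
    if tokens and tokens[0] == "eq":
        return (int(tokens[1]) if tokens[1].isdigit() else PORT_NAMES[tokens[1]]), tokens[2:]
    return None, tokens

def parse_acl(config_text):
    """Rules as (acl, action, proto, src_net, dst_net, dst_port), kept in config order."""
    rules = []
    for line in config_text.splitlines():
        m = ACL_RE.match(line.strip())
        if m:
            src, tokens = _take_addr(m["rest"].split())
            _, tokens = _take_port(tokens)  # a source-port spec, if present, is ignored here
            dst, tokens = _take_addr(tokens)
            dport, _ = _take_port(tokens)
            rules.append((m["name"], m["action"], m["proto"], src, dst, dport))
    return rules

def evaluate(rules, acl, proto, src_ip, dst_ip, dport=None):
    """First matching entry wins; the ASA's implicit deny applies when nothing matches."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for name, action, rproto, rsrc, rdst, rport in rules:
        if name == acl and rproto in ("ip", proto) and src in rsrc and dst in rdst \
                and (rport is None or rport == dport):
            return action
    return "deny"

def open_ports(rules, acl, proto, src_ip, dst_ip, candidates):  # which candidate ports may src reach on dst?
    return [p for p in candidates if evaluate(rules, acl, proto, src_ip, dst_ip, p) == "permit"]
```

Note that ordering matters: in the sample, 10.1.1.5 still gets SSH to 10.2.3.4 because the host-specific permit precedes the broader deny, which is exactly the kind of answer a user reading the config by eye tends to get wrong.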
     
  20. ViviTheMage

    ViviTheMage Lifer

    Joined:
    Dec 12, 2002
    Messages:
    35,939
    Likes Received:
    9
    Yeah, that would work, I might chat with one of our developers about it too... shit, they're the ones asking most of the time.