I'm looking to perform policy audits against firewall configurations and/or rulesets. This should be performed independently of any configuration management systems, ideally by operating off the running config. I am most interested in inspecting Cisco PIX/ASA/FWSM and Juniper NetScreen/JunOS devices, however iptables and WFP are also of interest. What techniques exist for doing this?
Also see http://security.stackexchange.com/questions/1982/automated-tools-for-cisco-ios-config-auditing – AviD May 27 '11 at 12:35
Reopened because of the "independent of...". However there are some good answers at http://security.stackexchange.com/questions/2157/what-tools-exist-to-manage-large-scale-firewall-rulesets regardless... – AviD May 28 '11 at 22:08
I recommend a tool called WallParse (http://www.wallparse.com/). It can be used freely for 30 days and you can use SQL queries to go through checklists. Nipper Studio is great but quite expensive these days. It has some really good support for many firewall types though, which is nice. – Sep 25 '15 at 19:55
3 Answers
I'd recommend nipper for this. Runs on a wide range of devices, and is targeted at firewall audits, rather than configuration management.
In my experience it's very easy to get working. Generally, you give it a copy of the config and it runs :)
I have only used nipper once, but it was as easy as @RoryM says - and a manual review confirmed it was pretty good. Gets all the stuff you would hope an automated tool could get! – Rory Alsop May 30 '11 at 08:17
Solarwinds' Firewall Browser (formerly of Athena Security) is a free tool that does this kind of analysis.
You didn't mention Checkpoint, but the Checkpoint Users Group (CPUG) has discussions of such tools--many of which are not Checkpoint specific.
It's not directly on point for a full firewall configuration audit, but my "Network Mom ACL Analyzer" (in the MacOS 10.14 App Store) analyzes IPv4 security ACLs for the following Cisco platforms:
- ASA (with network object-groups but not service object-groups)
- IOS (without object-groups)
- IOS-XR (with object-groups)
- NX-OS (with object-groups)
It has the following features:
- Finds many types of syntax errors (assumes you edit your ACLs offline, since a running config always has valid syntax)
- Reports wildcard bits that do not match a subnet as errors (for IOS variants)
- Warns when IPs/subnets are not on a netmask or bit boundary
- Given a specific TCP or UDP socket and an ACL, it identifies lines in the ACL that permit/deny that socket
- It finds "duplicate" ACL lines
A "duplicate" ACL line is a line where the higher line is a strict superset of the lower line. This could mean that the lower line is unneeded. It also could mean that the higher line is "too broad". After all, every ACL is a "duplicate" of "permit ip any any".
For "playing" with the tool it also has a utility to generate "random" 2000-line ACLs for the above 4 platforms.
Here's an example of the validation and duplicate finding for ASA syntax:
Input:
access-list 101 extended permit bogus 1.0.0.0 255.255.255.0 2.0.0.0 255.255.255.0
access-list 101 extended permit tcp 1.0.0.1 255.255.255.0 2.0.0.0 255.255.255.0
access-list 101 extended permit tcp host 1.0.0.1 host 2.0.0.2
access-list 101 extended permit tcp host 1.0.0.1 range 10 20 host 2.0.0.2 lt 81
access-list 101 extended permit tcp host 1.0.0.1 eq 10 host 2.0.0.2 eq www
Output:
line 1: access-list 101 extended permit bogus 1.0.0.0 255.255.255.0 2.0.0.0 255.255.255.0
error line 1: invalid after action
line 2: access-list 101 extended permit tcp 1.0.0.1 255.255.255.0 2.0.0.0 255.255.255.0
warning line 2: Source IP not on netmask or bit boundary
warning Analyzed 4 Access Control Entries. ACL Name ["101"]
line 2: access-list 101 extended permit tcp 1.0.0.1 255.255.255.0 2.0.0.0 255.255.255.0
line 3: access-list 101 extended permit tcp host 1.0.0.1 host 2.0.0.2
line 4: access-list 101 extended permit tcp host 1.0.0.1 range 10 20 host 2.0.0.2 lt 81
line 5: access-list 101 extended permit tcp host 1.0.0.1 eq 10 host 2.0.0.2 eq www
line 3: access-list 101 extended permit tcp host 1.0.0.1 host 2.0.0.2
line 4: access-list 101 extended permit tcp host 1.0.0.1 range 10 20 host 2.0.0.2 lt 81
line 5: access-list 101 extended permit tcp host 1.0.0.1 eq 10 host 2.0.0.2 eq www
line 4: access-list 101 extended permit tcp host 1.0.0.1 range 10 20 host 2.0.0.2 lt 81
line 5: access-list 101 extended permit tcp host 1.0.0.1 eq 10 host 2.0.0.2 eq www
It successfully finds permit/deny matches for a 50,000-line ACL in under 20 seconds.
Duplicate ACL detection for a 2,000-line ACL takes about 3 seconds. A 10,000-line ACL takes 25 times longer (a couple of minutes).
Here's an example of finding lines in the above ACL that match a tcp socket from 1.0.0.1 port 244 to 2.0.0.2 port 80:
notification Socket configured: tcp sourceIp 1.0.0.1 sourcePort 244 destinationIp 2.0.0.2 destinationPort 80
result line 2: FIRST MATCH access-list 101 extended permit tcp 1.0.0.1 255.255.255.0 2.0.0.0 255.255.255.0
result line 3: ALSO MATCH access-list 101 extended permit tcp host 1.0.0.1 host 2.0.0.2
The most important trick when using the tool is to always set the correct device type. I should do a better job of warning on that if the majority of the lines are syntax errors.
Because ACLs are very sensitive, the tool went through Apple App Review and uses Apple's sandbox and hardened runtime features. The sandbox configuration does not allow the tool to initiate or receive network connections (one side effect is the tool does not support DNS hostnames in configurations). The tool does not save ACL information between runs. The tool can only open user-specified files. Files are opened read-only.
Disclaimer: I'm not claiming the tool is perfect, so always validate any answers the tool gives you yourself. Active development continues and I'm happy to take bug reports and ACL samples (particularly with object-groups or IPv6) for testing.
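The checks the last answer describes (syntax validation, off-boundary subnet warnings, first-match socket lookup and "duplicate" detection where a higher line is a superset of a lower one) are simple enough to reproduce in a few dozen lines. The following is an added example written for this page; it is not the Network Mom ACL Analyzer or any other tool named above, and it handles only the ASA extended-ACL subset used in the answer's sample (`any`, `host A`, `A MASK`, and the `eq`/`lt`/`gt`/`range` port operators; the named-port table and the warning wording are assumptions). It goes one step beyond the answer by recording whether a covered line is merely redundant (same action) or unreachable (opposite action), since both cases come out of the same superset test.

```python
"""Toy Cisco ASA extended-ACL analyzer (added example, not the tool from the answer)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Tuple

# Assumption: a small named-port table is enough for the sample; ASA knows many more.
PORT_NAMES = {"www": 80, "http": 80, "https": 443, "ssh": 22, "smtp": 25, "domain": 53}
PROTOCOLS = {"ip", "tcp", "udp", "icmp"}
ANY_PORT: Tuple[int, int] = (0, 65535)  # inclusive range; used when no operator is given
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s*(.*)$")


class AceError(Exception):
    """Raised for a line the parser cannot accept."""


@dataclass
class Ace:
    line: int
    text: str
    action: str
    proto: str
    src: ipaddress.IPv4Network
    sport: Tuple[int, int]
    dst: ipaddress.IPv4Network
    dport: Tuple[int, int]


def _port(tok: str) -> int:
    if tok.isdigit():
        return int(tok)
    if tok in PORT_NAMES:
        return PORT_NAMES[tok]
    raise ValueError(f"unknown port {tok!r}")


def _parse_addr(toks: List[str], i: int, warnings: List[str]):
    """Consume an address spec at toks[i]: 'any', 'host A', or 'A MASK'."""
    if toks[i] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), i + 1
    if toks[i] == "host":
        return ipaddress.IPv4Network(toks[i + 1] + "/32"), i + 2
    addr, mask = toks[i], toks[i + 1]
    net = ipaddress.IPv4Network((addr, mask), strict=False)  # ValueError on a bad mask
    if ipaddress.IPv4Address(addr) != net.network_address:  # host bits set under the mask
        warnings.append(f"{addr} {mask} not on netmask or bit boundary")
    return net, i + 2


def _parse_ports(toks: List[str], i: int):
    """Consume an optional port operator at toks[i]; absent means any port."""
    op = toks[i] if i < len(toks) else None
    if op == "eq":
        p = _port(toks[i + 1])
        return (p, p), i + 2
    if op == "lt":
        return (0, _port(toks[i + 1]) - 1), i + 2
    if op == "gt":
        return (_port(toks[i + 1]) + 1, 65535), i + 2
    if op == "range":
        return (_port(toks[i + 1]), _port(toks[i + 2])), i + 3
    return ANY_PORT, i


def parse_ace(line_no: int, text: str, warnings: List[str]) -> Ace:
    m = ACE_RE.match(text.strip())
    if not m:
        raise AceError("not an extended access-list entry")
    _name, action, proto, rest = m.groups()
    if proto not in PROTOCOLS:
        raise AceError("invalid after action")  # same wording the answer's output uses
    toks = rest.split()
    has_ports = proto in ("tcp", "udp")  # port operators are only legal for TCP/UDP
    try:
        src, i = _parse_addr(toks, 0, warnings)
        sport, i = _parse_ports(toks, i) if has_ports else (ANY_PORT, i)
        dst, i = _parse_addr(toks, i, warnings)
        dport, i = _parse_ports(toks, i) if has_ports else (ANY_PORT, i)
    except IndexError:
        raise AceError("entry is truncated") from None
    except ValueError as exc:
        raise AceError(str(exc)) from exc
    if i != len(toks):
        raise AceError(f"unexpected token {toks[i]!r}")
    return Ace(line_no, text, action, proto, src, sport, dst, dport)


def analyze(lines: List[str]):
    """Parse every line; return the valid ACEs plus error/warning messages."""
    aces, messages = [], []
    for n, text in enumerate(lines, 1):
        warnings: List[str] = []
        try:
            ace = parse_ace(n, text, warnings)
        except AceError as exc:
            messages.append(f"error line {n}: {exc}")
            continue
        messages.extend(f"warning line {n}: {w}" for w in warnings)
        aces.append(ace)
    return aces, messages


def match_socket(aces, proto, src_ip, src_port, dst_ip, dst_port) -> List[Ace]:
    """ACEs whose 5-tuple space contains the socket, in ACL order (the first one decides)."""
    sip, dip = ipaddress.IPv4Address(src_ip), ipaddress.IPv4Address(dst_ip)
    return [a for a in aces
            if a.proto in ("ip", proto) and sip in a.src and dip in a.dst
            and a.sport[0] <= src_port <= a.sport[1]
            and a.dport[0] <= dst_port <= a.dport[1]]


def covers(hi: Ace, lo: Ace) -> bool:
    """True when every packet lo could match is already matched by hi (superset test)."""
    return (hi.proto in ("ip", lo.proto)
            and lo.src.subnet_of(hi.src) and lo.dst.subnet_of(hi.dst)
            and hi.sport[0] <= lo.sport[0] <= lo.sport[1] <= hi.sport[1]
            and hi.dport[0] <= lo.dport[0] <= lo.dport[1] <= hi.dport[1])


def shadowed_lines(aces: List[Ace]) -> List[Tuple[int, int, str]]:
    """(earlier line, later line, verdict) for every later line an earlier one covers.

    Same action: the later line is redundant, or the earlier one is too broad.
    Opposite action: the later line can never fire. The pairwise loop is O(n^2),
    consistent with the 25x jump the answer reports between 2,000 and 10,000 lines.
    """
    out = []
    for i, hi in enumerate(aces):
        for lo in aces[i + 1:]:
            if covers(hi, lo):
                out.append((hi.line, lo.line, "redundant" if hi.action == lo.action else "unreachable"))
    return out


# Constructed sample: the five ASA lines from the answer above.
SAMPLE = [
    "access-list 101 extended permit bogus 1.0.0.0 255.255.255.0 2.0.0.0 255.255.255.0",
    "access-list 101 extended permit tcp 1.0.0.1 255.255.255.0 2.0.0.0 255.255.255.0",
    "access-list 101 extended permit tcp host 1.0.0.1 host 2.0.0.2",
    "access-list 101 extended permit tcp host 1.0.0.1 range 10 20 host 2.0.0.2 lt 81",
    "access-list 101 extended permit tcp host 1.0.0.1 eq 10 host 2.0.0.2 eq www",
]

if __name__ == "__main__":
    aces, messages = analyze(SAMPLE)
    print("\n".join(messages))
    for a in match_socket(aces, "tcp", "1.0.0.1", 244, "2.0.0.2", 80):
        print(f"match line {a.line}: {a.text}")
    for hi, lo, verdict in shadowed_lines(aces):
        print(f"line {hi} covers line {lo} ({verdict})")
```

Run against the sample, it rejects line 1, warns that line 2's source is off its mask boundary, reports lines 2 and 3 as the matches for the 1.0.0.1:244 to 2.0.0.2:80 socket, and lists the same six covering pairs the answer's output shows (2 over 3, 4, 5; 3 over 4, 5; 4 over 5). As the answer notes, every line is a "duplicate" of `permit ip any any`, so a covering pair is a prompt to review the earlier line's breadth, not an automatic deletion.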