Q:Hello,
Do we have a tool for analyzing Cisco ASA/PIX and router config files? The client has a 2500 line config, and I would like to be able run some reports on the configuration.
Thanks,
A:,
There are several audit tools with different features. The most common features in these tools are:
- Rule Analysis to detect security holes in the configuration (e.g. allow any)
- Configuration Analysis to find duplicate/overlapping unnecessary setting/rules/object
- Logfile analysis to find most used rules objects
- Rulebase analysis to find unused/unconsolidated objects rules
- Simulation of changes.
- Risk Analysis
- Access Analysis using multiple firewall rules (Can Point A reach at Point B using service C)
- Workflow automation
- Backup management
- Normalization of different firewall rules (e.g. Cisco Juniper Check Point on the same format)
- Change Management
- Regular Log Analysis
Of course, it is not possible to find all features on all solutions. Firewall vendors do also provide several tools to make audits easy.
That being said, I have seen 2 freeware config audit tools for Cisco (RAT and Nipper)
http://www.titania.co.uk/ Nipper
http://ncat.sourceforge.net/ RAT
Commercial Area is more active and they usually cover the known suspects (Check Point, Juniper, Cisco, Fortinet):
http://www.tufin.com SecureTrack, SecureChange Workflow
http://www.algosec.com Firewall Analyzer, FireFlow
http://www.securepassage.com Firemon
http://www.manageengine.com Firewall Log Analyzer
http://www.skyboxsecurity.com/ CertiFire, Firewall Analysis
http://www.redseal.net/ Redseal Vulnerability Advisor
http://www.athenasecurity.net FirePac, Verify
Let me know if you have a specific question.
cheers,
- yinal
