01-30-2008 07:01 AM - edited 02-21-2020 01:53 AM
Does anyone know of a tool that manages ASA/PIX/IOS ACLs? I am looking for a tool that can maintain shared policies and allow for local policies as well. Using the shared policies, I would like to be able to make one change to the policy and have it reflected to all the devices that share that policy.
I have evaluated Cisco Security Manager. I like the way the Access-rule portion functions, but I don't need it to manage any other part of my firewall configs. I have seen a bug where CSM wasn't able to detect port speed of the ASA5505. This bug would have left a large portion of our network down and unreachable for some time. Being able to use CSM to manage only the ACLs of my devices would reduce the chances of a bug bringing down my network and leaving the devices unreachable.
I also evaluated Solsoft Policy Server. This is a very slick approach to managing access on a network, but is a bit pricey. I may revisit this in the future if I am still in need of a solution.
I appreciate any suggestions.
Thank you,
Mark
01-30-2008 07:25 AM
SolarWinds provides a really good, if expensive, management agent. I don't know if it does exactly what you want it to, but it is worth a look.
01-30-2008 07:30 AM
Thanks Scott,
You are probably referring to Cirrus network management. I forgot to mention that I had evaluated this product as well. It does have a nice policy reporting feature, but I found that I could not insert ACEs in the middle of an ACL with this tool like I could with Cisco Security Manager. The entries would go to the bottom of the ACL no matter where you configured it within the device config. This is the main reason I decided against using Cirrus. I don't think it was very expensive though.
Thanks again for your reply
Mark
01-30-2008 07:35 AM
A Google search turned up this: http://www.cyberoperations.com/accesscontrolacl.html
Seems like the kind of thing.
01-30-2008 07:46 AM
Scott,
This may be what I am looking for! From what little I have read about it so far, I can see that you do understand what I am looking for. I am going to read more about it. Thank you for the link.
Thanks,
Mark
02-11-2008 01:33 PM
From what I could tell, that application only managed ACLs on routers. I could be mistaken.
We reviewed an application from Solsoft which does several flavors of firewalls, vpn concentrators, and acls on routers. Might want to give them a look.
02-12-2008 05:16 AM
Jim,
Solsoft did present their policy server solution to us. Like I said earlier, it does appear to be a good product, but is a little pricey.
The Cyberoperations product does support various routers and firewalls, including PIX. I have a demo server being shipped to me. I will post my results to this forum.
Thanks,
Mark
02-28-2008 01:02 PM
I was able to demo the Cyberoperations "ACL Compliance Director" product. It is in fact the type of product I was looking for. It is very user friendly and offers some nice features for centrally managing ACLs. They are also open to suggestions for their product. I had suggested per-device overrides for the network groups that you can configure, which are kind of like object-groups on PIX/ASA firewalls even though they are not actually sent to the device during the ACL deployment. They are looking to implement this, as well as a color code for ACLs that will show up in the Target summary list, so I would be able to see at a glance that my policies were assigned to my devices as I had intended. There were a couple of other smaller suggestions too. They are more than willing to work with you on your needs. I would recommend this product to anyone that is looking for this type of product.
NOTE: One issue that I haven't heard back on is that with PIX firewalls the ACL is first removed and then replaced by the new, updated ACL. During testing I found that it took ~10 seconds before the ACL was reapplied. During this time, access was wide open from the inside interface. I had suggested using an incrementing ACL solution where the new ACL would first be configured and then applied to the interface, replacing the old ACL, which could then be removed. I haven't heard back on this suggestion yet. This only affects the PIX and ASA currently, but they are looking to use ssh/tftp, ssh/ftp or ssh/sftp to deploy the ACL to the ASA the way they currently do on routers. This is supposed to remove the ~10 second delay issue that I see on the PIX.
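The two deployment orders Mark describes above (remove-then-replace, and the incrementing-name build-then-swap he suggested) as an added example that is not part of the original thread or of any of the products mentioned. The script emits both command sequences in ASA 7.x-style syntax (`access-list NAME extended ...`, `access-group`, `clear configure access-list`), which is an assumption on my part and differs on PIX 6.x, and then runs each sequence through a deliberately simplified model of the firewall that counts how many commands leave the interface with no populated ACL bound. The ACL names, interface name and ACEs are constructed sample data.

```python
"""Compare two ways of pushing a new ACL to a PIX/ASA interface.

unsafe_replace(): clear the bound ACL, re-add its lines, re-bind (the order
                  the post reports leaving the inside interface open ~10 s).
safe_swap():      build the new ACL under an incremented name, re-bind the
                  interface to it, then clear the old one (the suggested fix).
simulate():       a simplified firewall model that counts commands after which
                  the interface has no ACL with entries bound to it.

ASA 7.x-style CLI syntax is assumed throughout; PIX 6.x differs.
"""

from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    """One access-control entry in ASA extended-ACL form (sample data)."""
    action: str          # "permit" or "deny"
    proto: str           # "tcp", "udp", "ip", ...
    src: str             # "any" or "<net> <mask>"
    dst: str
    port: str = ""       # e.g. "eq 443"; empty when the protocol has no port

    def render(self, acl_name: str) -> str:
        line = f"access-list {acl_name} extended {self.action} {self.proto} {self.src} {self.dst}"
        return f"{line} {self.port}".rstrip()


# Constructed sample policy: allow HTTPS from one inside subnet, deny the rest.
SAMPLE_ACES = [
    Ace("permit", "tcp", "10.1.1.0 255.255.255.0", "any", "eq 443"),
    Ace("deny", "ip", "any", "any"),
]


def unsafe_replace(name, aces, iface, direction="in"):
    """Remove-then-replace: the interface is unfiltered until the last command."""
    cmds = [f"clear configure access-list {name}"]          # drops the bound ACL
    cmds += [a.render(name) for a in aces]                   # rebuild under same name
    cmds.append(f"access-group {name} {direction} interface {iface}")
    return cmds


def next_name(current):
    """INSIDE_IN -> INSIDE_IN_1, INSIDE_IN_1 -> INSIDE_IN_2 (hypothetical scheme)."""
    base, _, suffix = current.rpartition("_")
    if suffix.isdigit():
        return f"{base}_{int(suffix) + 1}"
    return f"{current}_1"


def safe_swap(current, aces, iface, direction="in"):
    """Build-then-swap: the old ACL stays bound until the new one takes over."""
    new = next_name(current)
    cmds = [a.render(new) for a in aces]                     # new ACL, not yet bound
    cmds.append(f"access-group {new} {direction} interface {iface}")  # atomic re-bind
    cmds.append(f"clear configure access-list {current}")   # old ACL now unreferenced
    return cmds


def simulate(initial_name, initial_aces, cmds):
    """Count commands after which the interface has no populated ACL bound.

    Model (simplified, an assumption): clearing the bound ACL also drops its
    access-group binding; 'access-group' rebinds; an unbound interface, or one
    bound to an ACL with no entries, is treated as unfiltered.
    """
    acls = {initial_name: [a.render(initial_name) for a in initial_aces]}
    bound = initial_name
    exposed = 0
    for cmd in cmds:
        parts = cmd.split()
        if parts[:3] == ["clear", "configure", "access-list"]:
            acls.pop(parts[3], None)
            if bound == parts[3]:
                bound = None
        elif parts[0] == "access-list":
            acls.setdefault(parts[1], []).append(cmd)
        elif parts[0] == "access-group":
            bound = parts[1]
        if bound is None or not acls.get(bound):
            exposed += 1
    return exposed


if __name__ == "__main__":
    for label, fn in (("remove-then-replace", unsafe_replace), ("build-then-swap", safe_swap)):
        cmds = fn("INSIDE_IN", SAMPLE_ACES, "inside")
        print(f"--- {label}: {simulate('INSIDE_IN', SAMPLE_ACES, cmds)} unfiltered step(s)")
        print("\n".join(cmds))
```

The exposure counted by `simulate()` is in commands, not seconds; what turns it into the ~10 second window in the post is the per-line round trip of a script pushing the ACL over the management channel. With the swap order the count is zero regardless of how slowly the lines are sent, because the interface is never left without a populated ACL.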