Thanks Scott,

You are probably referring to Cirrus network management. I forgot to mention that I had evaluated this product as well. It does have a nice policy reporting feature, but I found that I could not insert ACEs in the middle of an ACL with this tool like I could with Cisco Security Manager. The entries would go to the bottom of the ACL no matter where you configured it within the device config. This is the main reason I decided against using Cirrus. I don't think it was very expensive though.

Thanks again for your reply

Mark

A google search turned up this http://www.cyberoperations.com/accesscontrolacl.html

seems like the kind of thing

Scott,

This may be what I am looking for! From what little I have read about it so far, I can see that you do understand what I am looking for. I am going to read more about it. Thank you for the link.

Thanks,

Mark

From what I could tell that application only managed ACL's on routers. I could be mistaken.

We reviewed an application from Solsoft which does several flavors of firewalls, vpn concentrators, and acls on routers. Might want to give them a look.

http://www.solsoft.com

Jim,

Solsoft did present their policy server solution to us. Like I said earlier, it does appear to be a good product, but is a little pricey.

The Cyberoperations product does support various routers and firewalls to include PIX. I have a demo server being shipped to me. I will post my results to this forum.

Thanks,

Mark

I was able to demo the Cyberoperations "ACL Compliance Director" product. It is infact the type of product I was looking for. It is very user friendly and offers some nice features for centrally managing ACLs. They are also open to suggestions to their product. I had suggested per device overrides for the network groups that you can configure that are kind of like object-groups on PIX/ASA firewalls even though they are not actually sent to the device during the ACL deployment. They are looking to implement this as well as a color code for ACLs that will show up in the Target summary list so I would be able to see at a glance that my policies were assigned to my devices as I had intended. There were a couple of other smaller suggestions too. They are more than willing to work with you on your needs. I would recommend this product to anyone that is looking for this type of product.

NOTE: One issue that I haven't heard back on is that with PIX firewalls the ACL is first removed and then replaced by the new updated ACL. During testing I found that it took ~10 seconds before the ACL was reapplied. During this time, the access was wide open from the inside interface. I had suggested using a incrementing ACL solution where the ACL would first be configured and then applied to the interface replacing the old ACL which could then be removed. I haven't heard back on this suggestion yet. This only affects the PIX and ASA currently, but they are looking to use ssh/tftp or ssh/ftp or ssh/sftp to deploy the ACL to the ASA the way they do on routers currently. This is suppose to remove the ~10 second delay issue that I see on the PIX.