How to compare firewall rules & documentation?

Adam David
Level 1

Hi guys,

One of my assignments is to compare firewall rules and make sure they match the documentation sent by the requestor.

Let's say this is part of a request sent by the requestor:

source ip address = 192.168.1.1
source ip address = 172.16.1.1
protocol = tcp
port number = 3389

And these are the firewall rules in the ASA:

access-list acl-in permit tcp host 192.168.1.1 host 172.16.1.1 eq 3333

If you notice, source, destination & protocol are correct but the port numbers are different. Is there any automated tool, or any trick, that can be used to compare these 2 documents? It would be nice if whatever similarity is found in the document were highlighted in green and whatever differences are found were highlighted in red.

I can do this manually if only 1 or 2 documents need to be checked, but what if I have tons of them? It must be the most tedious work in the world.

Thanks guys.


Kureli Sankar
Cisco Employee

Hmm.. interesting question. What document is this? Just a text-based doc? Unfortunately there isn't an automated method that I know of to accomplish what you are trying to do.

There are some tools that can automatically generate ACLs and other configs. You can use one of those to generate the ACLs from your document, then do a sh access-l on the firewall and dump both outputs into a diff tool and see if it finds any diff.

The name of that automatic ACL generator/config is solsoft http://solsoft.com

Good luck.

-KS

Adam David
Level 1

Thanks Kusankar for your reply.

The first document is a Microsoft Word file, which is the original request sent by the requestor:

Source        Destination   Protocol & Service Port
192.168.1.1   172.16.1.1    Tcp 3389

The second document is the Cisco ASA "show run" output in a .txt file.

The purpose of this assignment is the audit process, to make sure all firewall rules match the original request. If there are any differences, probably a network engineer put this config in wrongly and it needs to be fixed as soon as possible.

The automatic ACL generator/config tool that you shared looks new. It was downloaded only 25 times. Have you tried it before?

When googling for an automatic ACL generator, I found this. But we need to put in the firewall rules line by line.

http://www.chud.net/acl-maker.html

I have never heard of or used Solsoft until a few weeks ago, when one of our customers mentioned that they didn't configure any of the ACLs but let Solsoft generate them for them.

I can ask around and see if anyone in our team here knows of any automatic procedure to compare the request from a word doc with what is actually configured on the box. But, I don't think there is one.

I will let you know.

-KS

Thanks Kusankar. I really hope there is a better way than this. I’m so tired of comparing these kinds of documents. Hopefully there are tools out there which can do this automatically and save a lot of my precious time.

Currently, what I am doing is:

  1. select an ip address / port number
  2. copy (Ctrl + C)
  3. go to the second document (Alt + Tab)
  4. find (Ctrl + F)
  5. paste (Ctrl + V)
  6. highlight the item (let’s say with green color) that matches the previous document.
  7. if not, then I’ll highlight the item on the first document with red color.
  8. then, I’ll repeat the process till I’ve confirmed that everything is matching.

I’m so tired of doing this.

Oh boy!! I feel your pain.

I have posted a question internally and I shall let you know the response if I hear any.

-KS

vladthebest
Level 1

kusankar, with all due respect, the link you indicated is NOT an official download link for Solsoft software. What this site has merely done is to copy the setup and put up a link with Google which unfortunately ranks higher. I've attempted to download it, and it might be necessary to use a proprietary download client, which who knows what it might contain and do. On the other hand, the software referenced is Solsoft Firewall Manager, which has been discontinued for almost 4 years now. And even if you managed to download it from this software informer site, you would have needed a license in order to run it.

Ok, now to clarify a little what Solsoft software can do (and what it can't do) (a client/server version was continued after Solsoft Firewall Manager was discontinued). Solsoft software could generate a security policy from a graphical interface, i.e. you would take your Word document with the security policies, and you would draw your network (with firewalls, networks etc.) and you would draw for instance a permission from one network to another. Once your topology was designed, a compiler would calculate AND optimize this policy, and this optimized policy would have been pushed onto all your devices. Next time, when you would do a modification, it would also calculate 2 things (depending on the supported device): what would this new rule impact? If it could calculate the differences between the 2 policies it would update only the difference, and if the policy had been altered on the device it would alert you...

But what is required to do here, manually ensuring that the installed policy is equal to some free-format Word document, I doubt that there is software out there capable of doing such a thing.

Vladimir,

Thanks for pointing out the link. I quickly googled and enclosed that link. I just fixed the link above. I mentioned that I had never used this but just heard about solsoft a few days ago. I agree, to my knowledge there isn't a tool that would automate the process.

-KS

lanli_ltp
Level 1

Adam,

Are you using object groups in your firewall rules? If so, a simple text search can't solve your problem. You need a firewall rule search tool that automatically checks the object definition referred to in the firewall rule against the IP address and the port number specified in your request document. There is a free tool, called Firewall Browser, you may take a look.

-LL
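Adam's manual Ctrl+F procedure above and LL's object-group caveat both describe the same check: does each requested flow appear as a permit in the ASA config? The script below is an added example (not from this thread, and not a Cisco or Athena tool) that parses a handful of "show run" lines, resolves one-level object-groups, and labels each requested row as match or mismatch; the request rows, group names and config fragment are constructed sample input, not the poster's real data.

```python
# Constructed sample input (not from the thread): request rows and an ASA "show run" fragment.
REQUEST = [
    {"src": "192.168.1.1", "dst": "172.16.1.1", "proto": "tcp", "port": "3389"},
    {"src": "10.0.0.5", "dst": "172.16.2.10", "proto": "tcp", "port": "443"},
]
SHOW_RUN = """\
object-group network WEB_SERVERS
 network-object host 172.16.2.10
object-group service WEB_PORTS tcp
 port-object eq 443
access-list acl-in extended permit tcp host 192.168.1.1 host 172.16.1.1 eq 3333
access-list acl-in extended permit tcp host 10.0.0.5 object-group WEB_SERVERS object-group WEB_PORTS
"""

def parse_object_groups(config):
    """Map object-group name -> set of member hosts/ports (one level; host/eq members only)."""
    groups, current = {}, None
    for line in config.splitlines():
        tok = line.split()
        if tok[:1] == ["object-group"]:
            current = groups.setdefault(tok[2], set())
        elif not line.startswith(" "):
            current = None                       # any top-level line ends the group
        elif current is not None and tok[1:2] in (["host"], ["eq"]):
            current.add(tok[2])
    return groups
def _term(tok, i, groups):
    """Resolve the address or port term at tok[i]; return (set of values, next index)."""
    kw = tok[i] if i < len(tok) else None
    if kw in ("host", "eq", "object-group"):
        return ({tok[i + 1]} if kw != "object-group" else set(groups.get(tok[i + 1], ()))), i + 2
    return ({"any"}, i + 1) if kw == "any" else (set(), i)   # set(): no term present
def parse_acl(config):
    """(proto, src, dst, port) sets per permit line. Assumes no source-port term in the rule."""
    groups, rules = parse_object_groups(config), []
    for tok in (l.split() for l in config.splitlines()):
        if tok[:1] != ["access-list"] or "permit" not in tok[2:4]:
            continue
        p = tok.index("permit") + 1              # tok[p] is the protocol
        src, j = _term(tok, p + 1, groups)
        dst, j = _term(tok, j, groups)
        port, _ = _term(tok, j, groups)
        rules.append((tok[p], src, dst, port))
    return rules
def audit(request, config):
    """Return {(src, dst, proto, port): 'match' | 'mismatch'} for every requested row."""
    rules, ok = parse_acl(config), lambda want, have: want in have or "any" in have
    return {(r["src"], r["dst"], r["proto"], r["port"]): "match" if any(
        p == r["proto"] and ok(r["src"], s) and ok(r["dst"], d) and ok(r["port"], t)
        for p, s, d, t in rules) else "mismatch" for r in request}
```

Anything the parser does not understand (subnet masks, `range`, nested `group-object`, a plain `ip` rule) comes back as mismatch rather than match, which is the safe direction for an audit; colouring the rows green or red is then a one-line formatting step.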

djakopac630
Level 1

You can find Firewall Browser here: http://www.athenasecurity.net/firewallbrowser.html

--dave

lanli_ltp
Level 1

I realized that there are some similar use cases like this. Sometimes the PCI DSS audit requires documenting all firewall rule changes in the firewall management life cycle. If I don't have a rule change tracking system, I could end up mapping rule change requests to rules manually. It's exactly what you were trying to do here. This could be difficult for Cisco firewalls because there is no rule index attached to the rule. Tracking rules across revisions could be very difficult.
