Tuesday, August 21, 2007

Firewall Configs for your Manager - pix2xls

If you have Cisco Pix 7 firewalls and you'd like an easy-to-read spreadsheet to give an auditor, show your manager, or bring to firewall review meetings, then this is a good tool for you (download here). Alternatively, if you are a firewall administrator and have a tough time figuring out whether you need to add a new object-group or already have one you can reuse, this can be a useful program. Pix has names, service groups, network objects, port ranges, network ranges... sometimes it's just kooky trying to figure all that out on the command line. Here are the bullet points -

  • goes through a repository of configs and puts all the firewall rules into a nice spreadsheet with a tab for each firewall

  • for each rule, it actually shows you the hostnames and IPs of each group member

  • for service groups, it looks in /etc/services for the name of the service rather than just listing the port

  • descriptions of each group are put into those little cell note things, so you can just hover over to see more details

  • disabled rules show as grayed out

  • it actually works (unlike other CPAN modules I tried to use to parse pix)

I actually like this program because it does a whole lot in a fairly easy to understand way. There is potential here beyond writing a spreadsheet. All of the rules are broken out into a decent data structure, so it would be simple to use this as a starting point for a script that converts your ruleset to Netscreen or something. The spreadsheet features require the Spreadsheet::WriteExcel module, but if you just want to parse pix it's plain old Perl.

As a quick offshoot of this script I made a second script that uses List::Compare to look at the differences between the firewalls at two sites. It also shows lists of unused names and unused object groups for cleanup purposes.

A feature that I started implementing was rule shadowing detection. Let's say rule one is deny any any and rule two is permit any any - clearly rule one makes any subsequent rule useless and misleading. You Check Point people or fwbuilder folks have had this for a long time - but as far as I know in the Check Point and Netscreen world it seems like there is no such function. Alas, I never finished that part.
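To show what that unfinished check would look like, here is an added example (my own Python, not the pix2xls Perl code) that detects shadowed rules over a small subset of PIX 7 access-list syntax. It assumes plain `extended` rules with `any`, `host` or `network mask` addresses and an optional `eq PORT`; object-groups, port ranges, `inactive` rules and partial overlaps are not handled.

```python
import ipaddress
from collections import namedtuple

# Subset handled: "access-list NAME extended ACTION PROTO SRC DST [eq PORT]"
# where SRC and DST are "any", "host A.B.C.D" or "A.B.C.D NETMASK".
Rule = namedtuple("Rule", "line action proto src dst port")

def _addr(tokens):
    """Consume one address spec; return (IPv4Network, remaining tokens)."""
    if tokens[0] == "any":
        return ipaddress.ip_network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(tokens[1] + "/32"), tokens[2:]
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}"), tokens[2:]

def parse_rule(line):
    t = line.split()  # access-list NAME extended ACTION PROTO SRC DST [eq PORT]
    src, rest = _addr(t[5:])
    dst, rest = _addr(rest)
    port = rest[1] if len(rest) >= 2 and rest[0] == "eq" else "any"
    return Rule(line, t[3], t[4], src, dst, port)

def covers(earlier, later):
    """True when every packet matching `later` also matches `earlier`."""
    return (earlier.proto in ("ip", later.proto)
            and later.src.subnet_of(earlier.src)
            and later.dst.subnet_of(earlier.dst)
            and earlier.port in ("any", later.port))

def shadowed(lines):
    """Return (shadowed, shadowing) index pairs.  PIX matches top-down and the
    first hit wins, so a rule fully covered by an earlier one can never fire."""
    rules = [parse_rule(line) for line in lines]
    hits = []
    for j, later in enumerate(rules):
        for i in range(j):
            if covers(rules[i], later):
                hits.append((j, i))
                break
    return hits

# Constructed sample, not from any real firewall: rules 2 and 3 are dead
# because rule 1 ("deny ip any any") catches everything before them.
SAMPLE = [
    "access-list outside_in extended permit tcp any host 10.1.1.5 eq 80",
    "access-list outside_in extended deny ip any any",
    "access-list outside_in extended permit tcp 192.168.1.0 255.255.255.0 host 10.1.1.5 eq 443",
    "access-list outside_in extended permit udp any host 10.1.1.5 eq 53",
]
# shadowed(SAMPLE) -> [(2, 1), (3, 1)]
```

Rule 0 does not shadow rule 2 even though the addresses overlap, because it only matches port 80; a same-action hit means the later rule is merely redundant, while an opposite-action hit is the deny/permit mistake described above.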

If you use this please drop a comment and let me know.