http://www.cs.brown.edu/~sk/Publications/Papers/Published/nbfdk-margrave-firewall/
Q: Hello,
Do we have a tool for analyzing Cisco ASA/PIX and router config files? The client has a 2500-line config, and I would like to be able to run some reports on the configuration.
Thanks,
A: There are several audit tools with different features. The most common features in these tools are:
Rule Analysis to detect security holes in the configuration (e.g. "allow any")
Configuration Analysis to find duplicate/overlapping/unnecessary settings/rules/objects
Logfile Analysis to find the most used rules/objects
Rulebase Analysis to find unused/unconsolidated objects/rules
Simulation of changes
Risk Analysis
Access Analysis using multiple firewalls' rules (can Point A reach Point B using service C?)
Workflow automation
Backup management
Normalization of different firewall rules (e.g. Cisco, Juniper, Check Point in the same format)
Change Management
Regular Log Analysis
Of course, it is not possible to find all features in all solutions. Firewall vendors also provide several tools to make audits easy.
That being said, I have seen 2 freeware config audit tools for Cisco (RAT and Nipper):
http://www.titania.co.uk/ Nipper
http://ncat.sourceforge.net/ RAT
The commercial area is more active, and they usually cover the known suspects (Check Point, Juniper, Cisco, Fortinet):