firewall rules 分析工具

我是条汉子

http://www.cs.brown.edu/~sk/Publications/Papers/Published/nbfdk-margrave-firewall/Q:Hello,
Do we have a tool for analyzing Cisco ASA/PIX and router config files? The client has a 2500 line config, and I would like to be able run some reports on the configuration.
Thanks,
A:, There are several audit tools with different features. The most common features in these tools are:

• Rule Analysis to detect security holes in the configuration (e.g. allow any)
  
• Configuration Analysis to find duplicate/overlapping unnecessary setting/rules/object
  
• Logfile analysis to find most used rules objects
  
• Rulebase analysis to find unused/unconsolidated objects rules
  
• Simulation of changes.
  
• Risk Analysis
  
• Access Analysis using multiple firewall rules (Can Point A reach at Point B using service C)
  
• Workflow automation
  
• Backup management
  
• Normalization of different firewall rules (e.g. Cisco Juniper Check Point on the same format)
  
• Change Management
  
• Regular Log Analysis
  

Of course, it is not possible to find all features on all solutions. Firewall vendors do also provide several tools to make audits easy.

That being said, I have seen 2 freeware config audit tools for Cisco (RAT and Nipper)
http://www.titania.co.uk/ Nipper
http://ncat.sourceforge.net/ RAT

Commercial Area is more active and they usually cover the known suspects (Check Point, Juniper, Cisco, Fortinet):

http://www.tufin.com SecureTrack, SecureChange Workflow
http://www.algosec.com Firewall Analyzer, FireFlow
http://www.securepassage.com Firemon
http://www.manageengine.com Firewall Log Analyzer
http://www.skyboxsecurity.com/ CertiFire, Firewall Analysis
http://www.redseal.net/ Redseal Vulnerability Advisor
http://www.athenasecurity.net FirePac, Verify

Let me know if you have a specific question.
cheers,
- yinal