Policy compiler for Cisco IOS ASL

Firewall Builder for Cisco IOS ACL: Overview

Key features:

  • designed for complex access lists
  • can control access lists of multiple routers from the central management station
  • utilizes object-oriented approach to the ACL design
  • simplifies policy design
  • the same set of objects that describe hosts, networks and protocols can be used to build firewall policy (Cisco PIX or any of the Open Source firewalls such as iptables, ipfilter, pf or ipfw) and router access lists
  • Firewall Builder GUI can import existing access list configuration from a file saved using "show run" or similar command.

Firewall Builder for Cisco IOS Access Lists completes set of tools designed to manage multi-tiered network security system. With it, you can use the same Firewall Builder GUI and objects database to build firewall policies for Cisco PIX or Open Source firewalls such as iptables, pf, ipfilter or ipfw, and in addition to that create and manage router access lists.

The compiler generates extended ACLs using "ip access-list extended" command. ACL names are automatically generated using abbreviated interface names and direction symbols to make it easy to figure out which ACL is which. Compiler uses rather minimal set of options of the "ip access-list" command and should generate code that will work for IOS 12.x. I did not test with 11.x but I am pretty sure it will work, at least with the latest versions of 11.x.

Firewall Builder for Cisco IOS ACL can also add commands to configure logging.

The GUI includes built-in installer for routers which works just like installer for PIX. Both installers were updated however to improve support for the automatic roll-back feature in case you lose connect with the firewall or the router because of an error in the policy. Now you can make installer schedule reboot in a few minutes, then upload new policy or ACLs and then cancel reboot if upload was successful. All this happens autmatically and guarantees that communication with the router is maintained even if an error has been made while designing access list rules.

All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones or just update access lists without clearing. In addition to those methos, the last method (the "safety net" method) creates temporary acl to permit communication with the management station, assigns it to the interface marked as management interface, then clears all access lists and loads new ones and in the end swaps proper list on the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL and at the same time does not leave the router with no acls for the time it takes to install new policy. In combination with automatic roll-back, installation process is pretty reliable.

Firewall Builder works on all major Linux distributions, FreeBSD, Windows 2000 and XP, as well as Mac OS X.


More screenshots and slideshow
As of Firewall Builder v2.1.18, Firewall Builder for Cisco IOS ACL has been released under GPL and included in the main package together with other policy compilers and the GUI.

Summary of Features

Support for Cisco IOS access lists in Firewall Builder v2.1.12, build 270:

Features implemented in this version:
  • The compiler generates extended ACLs using "ip access-list extended" command. ACL names are automatically generated using abbreviated interface names and direction symbols to make it easy to figure out which ACL is which. Compiler uses rather minimal set of options of the "ip access-list" command and should generate code that will work for IOS 12.x. I did not test with 11.x but I am pretty sure it will work, at least with the latest versions of 11.x.
  • Compiler can also add commands to configure logging.
  • The GUI includes built-in installer for routers which works just like installer for PIX. Both installers were updated however to improve support for the automatic roll-back feature in case you lose connect with the firewall or the router because of an error in the policy. Now you can make installer schedule reboot in a few minutes, then upload new policy or ACLs and then cancel reboot if upload was successful. While before auto-rollback option was only available if you installed in the test mode, now you can always use it. Test mode means that installer does not save configuration in the permanent memory, as before.
  • All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones or just update access lists without clearing. The last method (the "safety net" method) creates temporary acl to permit communication with the management station, assigns it to the interface marked as management interface, then clears all access lists and loads new ones and in the end swaps proper list on the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL and at the same time does not leave the router with no acls for the time it takes to install new policy. In combination with automatic roll-back, installation process is pretty reliable.
  • New option has been added to the interface object, called "unprotected". This allows you to mark some interfaces to be skipped by the compiler when it picks interfaces for ACL rules. This should be useful when you have routers with many interfaces and only want to add ACLs to some of them. Also, you can explicitly put interface objects into policy rules and specify direction if you want to do this manually.
  • Since router ACLs have no state, all rules should be created in the policy pretty much like you do it on the router, including rules that permit reply packets. New option has been added to the TCP Service object, called "established". This makes compiler use option "established" in rules it generates if it is supported by the firewall platform. Compilers for iptables, ipfilter, pf and PIX can not use objects with this option and treat it as an error because corresponding platforms do not support it. IPFW, on the other hand, supports it so compiler fwb_ipfw can use it.
Shortcomings of this version:
  • "tos", "precedence" and "time-range" options are not supported
  • "igmp" access lists can no be generated
 

Copyright © 2000-2008 NetCitadel, LLC. All rights reserved.
  Free CSS Templates.