topic Re: Access List Analyser/Auditor in Network Security

Access List Analyser/Auditor

williamsryan — Fri, 21 Feb 2020 12:39:18 GMT

Hi All,

I have recently started in a new comany as its senior network engineer and have inherited a mess of Access Lists on Cat 6513s / ASAs and PIXs. Some of the ACLs on the 6513 have over 1000+ lines plus each and there are loads of them, and I know for a fact that they contain duplicate entries or entries that are negated by a ip any any or similar in the middle of the ACL.

So I was wondering if anybody knows of a useful available tool that will take an imported ACL by a text file for instance, analyse that ACL and highlight any duplicate or negated ACL Entries. This would save me a headache from sifting through each ACL line by line. one ACL for example has 3000+ lines.

Any Help would be appreciated.

Thanks

Access List Analyser/Auditor

Tagir Temirgaliyev — Tue, 29 May 2012 10:48:53 GMT

most useful available tool is 2 notepads on 2 different monitors

dont forget to rate post

Re: Access List Analyser/Auditor

steffen.buehnemann — Thu, 31 May 2012 10:05:25 GMT

Check out this Page, there are some Analyzing Software listed:

http://www.filebuzz.com/findsoftware/Access_List_Analyzer/1.html

Or u can try Notepad++ there you can with a compare Plugin wonderful compare things.

Re: Access List Analyser/Auditor

afunk — Tue, 14 Nov 2017 17:16:02 GMT

I feel your pain. You might try the GUI (ASDM) to see if that helps parse through the hundreds of lines of rules. It will take a while regardless, but this method might speed up the process as you can click on objects to gather info as opposed to the CLI method. I'm a CLI guy, but sometimes the GUI is faster.

Re: Access List Analyser/Auditor

GSA — Fri, 27 Apr 2018 05:39:54 GMT

https://www.youtube.com/watch?v=G-Pk4mt-3eg

It's my program. Beta version.

So far, only in Russian.
If it is in demand, I will translate it into English in the future.

Re: Access List Analyser/Auditor

Marvin Rhoads — Fri, 27 Apr 2018 14:54:22 GMT

Cisco Security Manager and Tufin come to mind.

https://www.cisco.com/c/en/us/products/collateral/security/security-manager/datasheet-C78-737182.html

https://www.tufin.com/solutions/firewall-optimization

SolarWinds recently discontinued Firewall Security Manager (former Athena Firepac product) which also did a great job at this.

Re: Access List Analyser/Auditor

daroot — Sun, 28 Jul 2019 00:31:06 GMT

I recently released "Network Mom ACL Analyzer" in the MacOS 10.14 App Store.

It supports analysis of IPv4 security ACLs for the following OS flavors:

1) IOS (without object-groups)

2) IOS-XR (with object-groups)

3) NX-OS (with object-groups)

4) ASA (with network object-groups, but not service object-groups)

It has the following features:

1) ACL syntax check

2) Reports wildcard bits that do not match a proper subnet as an error

3) Warns about CIDRs that are not on a bit boundary

4) Analyzes a specific TCP/UDP socket against an ACL to find lines that match

5) Duplicate ACL detection! Finds lines in the ACL which are a strict superset of later lines.

It can perform a permit/deny analysis of a specific socket against a 50,000-line ACL in under 20 seconds (reasonably sized ACLs are analyzed "instantly").

Duplicate ACL detection takes 3 seconds (on a 2013 iMac) for a 2,000-line ACL. As the number of lines doubles the processing time quadruples (it analyzed a 10,000-line ACL for duplicates in a couple of minutes).

For the security of your ACLs, the tool passed Apple app review and uses Apple's app sandbox and hardened runtime features. The analyzer is not allowed to make or receive network connections. It does not save ACL information between application runs. It can only open files outside the sandbox that the user specifies. Files are always opened read-only. The tool is implemented in the Swift programming language.

Darrell

CCIE Emeritus #8302