Geek Speak Blog
There's no place like 127.0.0.1
5 Nov 2008

Updating and Maintaining ACLs


For those of us who maintain device configurations that include Access Control Lists (ACLs), we know what a huge chore this can be and how badly things can go if you make even one simple mistake. I myself have had to put someone on a plane to fly out to a router that I locked myself out of with a bad ACL, and I have many times had to call someone physically located at one of my remote sites to power cycle a router and restore it to the saved config. Not the best way to spend a Saturday night, I assure you... The cheap insurance before any remote ACL change is `reload in 10` (and `reload cancel` once you have confirmed you can still get in): as long as you have not written the change to startup-config, a mistake costs you ten minutes and a reboot instead of a plane ticket.

Fortunately, there are some really cool tools available to make this a little easier. The Engineer's Toolset that we offer here at SolarWinds includes a tool called the "Cisco Config Viewer". With the Config Viewer you can download and view the config from a Cisco router, switch, or firewall; edit the config; and then push the updated config back to the device. Since it does the config uploads via a TFTP copy rather than the CLI, you don't have to take out the old ACL in order to make the changes. That matters because on the CLI an `access-list` line is always appended to the end of a numbered list and you cannot delete a single line from one, so the old routine was `no access-list 101`, re-enter every line, and hope your own session survived the moment the implicit deny took effect before your permit line went in; and while the list is absent entirely, an IOS interface that references a nonexistent ACL passes all traffic, so that window is wide open rather than closed. This is a huge advantage over doing it the old fashioned way and, as always, you can download a fully functional copy of the Engineer's Toolset from the SolarWinds.Com website. One caveat with any TFTP-based workflow: TFTP is cleartext and unauthenticated, and the file on the wire is your full running config, enable secrets and SNMP communities included, so run the TFTP server on a management host that is not reachable from untrusted networks.

Cisco also has a tool called ASDM, the "Adaptive Security Device Manager". This tool simplifies the configuration of Cisco PIX firewalls and ASAs. If you're not familiar with how these devices are supposed to be configured, then this is a good choice to help you get started. You can also download ASDM directly from Cisco's ASDM page.

Athena Security also has a new application called "Athena FirePAC". FirePAC is cool because it evaluates the ACLs on your Cisco PIX and ASA, Juniper NetScreen, and Check Point firewalls and tells you where you've left holes or where you've duplicated functionality. I had the opportunity to meet with one of their founders and one of their main developers a few weeks ago and get a detailed walk-through of the product. Definitely something you should check out. You can download a free evaluation version directly from their website.
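The core of what a tool like FirePAC is looking for can be shown in a few dozen lines. The following is an added example written for this post, not FirePAC's, SolarWinds' or Cisco's code. It parses a constructed IOS extended ACL (the `SAMPLE_ACL` string is made up for the example, not pulled from a real device) and reports entries that can never match because an earlier entry already covers them, exact duplicates, and a `permit ip any any` that silently retires the implicit deny:

```python
"""Shadowed-rule and duplicate check for Cisco IOS extended ACLs.

Added example for this post, not code from FirePAC, the Engineer's Toolset
or Cisco. It parses a small subset of IOS syntax:

    [seq] {permit|deny} {ip|tcp|udp|icmp} SRC DST [eq PORT]

where SRC and DST are 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD'.
Keywords after that (log, established, ...) are ignored, so an entry that
relies on them is judged only on addresses, protocol and port.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample, not from a real device: the kind of list that grows by
# appending "one more line" for years.
SAMPLE_ACL = """\
ip access-list extended EDGE-IN
 10 permit tcp any host 192.0.2.10 eq 443
 20 permit tcp any host 192.0.2.10 eq 80
 30 deny   ip 10.0.0.0 0.255.255.255 any
 40 permit tcp any host 192.0.2.10 eq 443
 50 permit tcp 10.1.1.0 0.0.0.255 host 192.0.2.20 eq 22
 60 permit ip any any
 70 deny   ip any any
"""

ACE_RE = re.compile(r"^\s*(?:(\d+)\s+)?(permit|deny)\s+(ip|tcp|udp|icmp)\s+(.*)$")


@dataclass(frozen=True)
class Ace:
    seq: int
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[str]  # None means "any destination port"
    text: str


def _take_addr(tokens: List[str]):
    """Consume one IOS address spec from the front of tokens; return (network, rest)."""
    if tokens[0] == "any":
        return ipaddress.IPv4Network("0.0.0.0/0"), tokens[1:]
    if tokens[0] == "host":
        return ipaddress.IPv4Network(tokens[1] + "/32"), tokens[2:]
    # "A.B.C.D WILDCARD": invert the wildcard into a netmask ourselves instead of
    # handing the wildcard to ipaddress, which would read 0.0.0.0 as a /0 netmask
    # rather than a /32 host. A non-contiguous wildcard raises ValueError.
    wildcard = int(ipaddress.IPv4Address(tokens[1]))
    netmask = str(ipaddress.IPv4Address(0xFFFFFFFF ^ wildcard))
    # strict=False masks off host bits the way IOS does.
    return ipaddress.IPv4Network((tokens[0], netmask), strict=False), tokens[2:]


def parse_acl(text: str) -> List[Ace]:
    aces: List[Ace] = []
    seq = 0
    for line in text.splitlines():
        m = ACE_RE.match(line)
        if not m:
            continue  # 'ip access-list' header, remarks, blank lines
        given_seq, action, proto, rest = m.groups()
        seq = int(given_seq) if given_seq else seq + 10  # IOS numbers unnumbered entries in tens
        tokens = rest.split()
        src, tokens = _take_addr(tokens)
        dst, tokens = _take_addr(tokens)
        dport = tokens[1] if tokens[:1] == ["eq"] else None
        aces.append(Ace(seq, action, proto, src, dst, dport, line.strip()))
    return aces


def covers(a: Ace, b: Ace) -> bool:
    """True if every packet matching b also matches a; placed earlier, a makes b unreachable."""
    return ((a.proto == "ip" or a.proto == b.proto)
            and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst)
            and (a.dport is None or a.dport == b.dport))


def audit(aces: List[Ace]) -> List[Tuple[int, str, Optional[int]]]:
    """Return (seq, finding, covering_seq) for every entry that is dead or dangerous."""
    findings: List[Tuple[int, str, Optional[int]]] = []
    for i, ace in enumerate(aces):
        for earlier in aces[:i]:
            if covers(earlier, ace):
                same = ((earlier.action, earlier.proto, earlier.src, earlier.dst, earlier.dport)
                        == (ace.action, ace.proto, ace.src, ace.dst, ace.dport))
                findings.append((ace.seq, "duplicate" if same else "shadowed", earlier.seq))
                break  # the first covering entry is enough to make this one dead
        if (ace.action == "permit" and ace.proto == "ip"
                and ace.src.prefixlen == 0 and ace.dst.prefixlen == 0):
            findings.append((ace.seq, "permit-any", None))
    return findings


def report(acl_text: str) -> List[str]:
    """Human-readable findings for one ACL."""
    aces = parse_acl(acl_text)
    by_seq = {a.seq: a for a in aces}
    lines = []
    for seq, kind, ref in audit(aces):
        if kind == "permit-any":
            lines.append(f"seq {seq}: 'permit ip any any' leaves nothing for later entries "
                         f"or the implicit deny to match")
        else:
            lines.append(f"seq {seq}: {kind}, already covered by seq {ref} "
                         f"({by_seq[ref].action}): {by_seq[seq].text}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_ACL)))
```

Run it as a script and the sample produces four findings: entry 40 duplicates 10, entry 50 is shadowed by the deny at 30 (the 10.1.1.0/24 hosts it means to let through were already dropped), entry 60 permits everything, and entry 70 is dead because of it. The check deliberately only catches entries that are fully covered by one earlier entry; partial overlaps (an earlier deny that eats half of a later permit's range), port ranges, `established`, object-groups and the combined effect of the ACLs on every interface along a path are the harder reasoning that the commercial tools do and this script does not.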

Check out these tools and ping me back if you know of any other good tools for managing ACLs.


Flame on...
Josh

3 Comments

cmeid
6 Nov 2008 at 5:44AM CST

http://www.skyboxsecurity.com/?CategoryID=163 is the gold standard. but be prepared for the 40K starting price.

mstevens
12 Nov 2008 at 7:01PM CST

That's a great find for checking the PIX. I'm gonna try it on our Edge PIX box since it has grown so large.

jswan
13 Nov 2008 at 12:14PM CST

You don't actually have to remove the old ACL in order to change it. IOS has had in-line ACL editing for a while now. I decided to make a blog post of my own on this:

unroutable.blogspot.com/.../in-line-editing-of-cisco-acls.html

2 Trackbacks

Inside the Firewall » Blog Archive, 10 Dec 2008 at 6:16PM CST
Updating and Maintaining ACLs, 16 Dec 2008 at 2:14PM CST
