Network Security Policy Compiler: Netspoc

2016-01-13T03:23:12
ID N0WHERE:76136
Type n0where
Reporter N0where
Modified 2016-01-13T03:23:12

Description

Netspoc is free software to manage all the packet filter devices inside your network topology. Filter rules for each device are generated from one central ruleset, using a description of your network topology.

Netspoc generates ACLs and static routes for a given network policy, consisting of a set of services and a network topology. It does so by finding all paths inside the network topology for a certain source and destination pair specified in a rule from the service set. It is important to note that the network topology best fed to Netspoc is not necessarily an exact copy of the real network. Instead, the input topology should be a model of the network that provides just as much information as needed for Netspoc's purpose. For example, complex parts of the network with dynamic routing and without filtering are not affected by Netspoc at all. They should therefore be replaced in the input topology by a single unmanaged router. This saves time and space during compilation and is easier to maintain. In very complex network topologies, there may even be constellations where it is suitable to include parts of the network twice to reduce complexity. As long as the ACLs and static routes are not affected, that would also provide a valid model of the network.

When the abstract topology model created by the user is handed over to Netspoc, Netspoc takes several steps to transform it into a graph representation to work on. As before, this representation is not designed to reproduce reality, but to represent those aspects of the topology that are important for generating ACLs and static routes. Moreover, these aspects are modeled to allow completing these tasks as efficiently as possible.
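The following sketch is an added example, not Netspoc's code or algorithm: a Python model of the idea above, using a constructed topology and hypothetical names. It finds every path between a source and a destination network, records the managed routers where a filter entry would be needed, and shows that collapsing an unfiltered core into one unmanaged router leaves those filter points unchanged.

```python
# Added illustration, not Netspoc code. Topologies and names are constructed.

def all_paths(topo, src, dst):
    """Yield every simple path src -> dst as alternating network/router names."""
    adj = {}
    for router, (_, nets) in topo.items():
        for net in nets:
            adj.setdefault(net, set()).add(router)
            adj.setdefault(router, set()).add(net)
    stack = [[src]]
    while stack:
        path = stack.pop()
        if path[-1] == dst:
            yield path
            continue
        for nxt in sorted(adj.get(path[-1], ())):
            if nxt not in path:              # simple paths only, no loops
                stack.append(path + [nxt])

def filter_points(topo, src, dst):
    """Return {(router, inbound_net, outbound_net)} for managed routers on any path."""
    points = set()
    for path in all_paths(topo, src, dst):
        for i in range(1, len(path) - 1, 2):  # odd positions are routers
            router = path[i]
            if topo[router][0]:               # managed: an ACL entry is needed here
                points.add((router, path[i - 1], path[i + 1]))
    return points

# Each entry: router -> (managed?, attached networks)
DETAILED = {                                  # real core: three unfiltered routers
    "fw_a": (True, ["clients", "core1"]),
    "c1": (False, ["core1", "core2"]),
    "c2": (False, ["core1", "core3"]),
    "c3": (False, ["core2", "core3", "transit"]),
    "fw_b": (True, ["transit", "servers"]),
}
ABSTRACT = {                                  # same core as one unmanaged router
    "fw_a": (True, ["clients", "core1"]),
    "core": (False, ["core1", "transit"]),
    "fw_b": (True, ["transit", "servers"]),
}

if __name__ == "__main__":
    for name, topo in (("detailed", DETAILED), ("abstract", ABSTRACT)):
        n = len(list(all_paths(topo, "clients", "servers")))
        print(name, n, "path(s)", sorted(filter_points(topo, "clients", "servers")))
```

The detailed model has to walk two redundant paths through the core, while the abstract one walks a single path and arrives at the same two managed devices.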

Netspoc is targeted at large environments with a large number of firewalls and admins. Firewall rules are derived from a single rule set.

  • Supports Cisco and Linux devices
    • Chains for iptables.
    • Access lists for ASA, PIX, NX-OS
    • Access lists for IOS with and without Firewall Feature Set.
  • Rules are optimized globally
    • Adjacent IP ranges and port ranges are joined.
    • Redundant rules are removed and optionally warned about.
  • Highly optimized chains for iptables are generated.
  • Object-groups for ASA, PIX and NX-OS are generated.
  • IPSec configuration for Cisco ASA, ASA v8.4 and IOS is generated.
  • Commands for static routing are generated (optionally).
  • Network address translation (NAT) is supported.
  • NAT configuration for Cisco ASA and ASA v8.4 is generated.
  • HSRP / VRRP clusters are supported.
  • Multicast traffic for OSPF, EIGRP, HSRP, VRRP is supported.
  • Powerful rules language
    • Groups can be defined and reused in different rules.
    • Automatic groups utilize relationships of the topology.
  • Allows defining a secondary packet filter, which gets simpler rules if a data stream has already been filtered at some other device.
  • Complex topologies with redundant paths are supported.
  • Pathrestrictions allow restricting paths inside a redundant topology.
  • Supports networks with isolated ports, where traffic enters and exits at the same interface of the packet filter.
