SANS ISC InfoSec Forums
"Network Mom ACL Analyzer" finds errors, matches, and duplicates in Cisco ACLs
I'm pleased to announce that my new tool, "Network Mom ACL Analyzer", is now in the MacOS 10.14 App Store.

Key features:
1) Finds syntax errors, wildcard bits that do not match a netmask, and subnets that are not on a bit boundary.
2) Given a specific TCP or UDP socket and an ACL, it finds lines in the ACL that match the socket.
3) It analyzes an ACL to find "duplicate" lines. A "duplicate" is where the earlier line in the ACL matches a strict superset of the later line. Whether that is because the later line is not needed, or because the earlier line is "too broad", is for you to evaluate.

As of July 2019 the tool analyzes IPv4 security ACLs for the following Cisco variants:

1) IOS (without object groups)
2) IOS-XR (with object groups)
3) NX-OS (with object groups)
4) ASA (with network object-groups but not service object-groups)

IOS-XE and IPv6 are under active development.

For the security of your ACLs, the tool went through Apple app review and uses Apple's "app sandbox" and "hardened runtime" features. The sandbox is configured to not allow inbound or outbound network connections. File access (outside the sandbox) is read-only and only as requested by the user. The tool does not even save ACL information between runs.

I am charging a nominal fee ($10) on the MacOS App Store. Basically, if you use my 10,000 lines of Swift source code, you're buying me lunch!

Darrell Root
CCIE #8302 Emeritus
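The three checks described in the post (wildcard and bit-boundary validation, socket matching, and "duplicate" detection) worked through as an added example. This is not the Network Mom ACL Analyzer's Swift source; it is a small Python checker written for this page that handles only numbered IOS extended ACL syntax with `any`, `host` and `address wildcard` forms and optional `eq`/`range` port specs (no object groups, no ASA/NX-OS/IOS-XR syntax). The sample ACL is constructed. It goes slightly beyond the post in two places: the coverage test works for non-contiguous wildcards as well as inverted netmasks, and the duplicate finder reports an exact repeat of an earlier line alongside strict-superset shadowing.

```python
"""Added example: toy checker for Cisco IOS extended ACLs (IPv4, numbered,
no object-groups). Written for this page; not the post's tool."""
import ipaddress
from dataclasses import dataclass

ANY_PORTS = (0, 65535)
ALL_ONES = 0xFFFFFFFF


@dataclass(frozen=True)
class Ace:
    text: str
    action: str
    proto: str    # "ip", "tcp" or "udp"
    src: tuple    # (address, wildcard) as 32-bit ints
    sport: tuple  # inclusive (low, high) port range
    dst: tuple
    dport: tuple


def _ip(text):
    return int(ipaddress.IPv4Address(text))


def _parse_addr(tokens):
    """Consume one address spec (any | host A | A WILDCARD) and an optional
    eq/range port spec from the front of tokens."""
    tok = tokens.pop(0)
    if tok == "any":
        addr = (0, ALL_ONES)
    elif tok == "host":
        addr = (_ip(tokens.pop(0)), 0)
    else:
        addr = (_ip(tok), _ip(tokens.pop(0)))
    ports = ANY_PORTS
    if tokens and tokens[0] == "eq":
        ports = (int(tokens[1]), int(tokens[1]))
        del tokens[:2]
    elif tokens and tokens[0] == "range":
        ports = (int(tokens[1]), int(tokens[2]))
        del tokens[:3]
    return addr, ports


def parse_ace(line):
    tokens = line.split()
    if tokens[0] == "access-list":
        del tokens[:2]                     # drop "access-list <number>"
    action, proto = tokens.pop(0), tokens.pop(0)
    if action not in ("permit", "deny") or proto not in ("ip", "tcp", "udp"):
        raise ValueError(f"unsupported syntax: {line}")
    src, sport = _parse_addr(tokens)
    dst, dport = _parse_addr(tokens)
    if tokens and tokens != ["log"]:       # anything else is a syntax error here
        raise ValueError(f"trailing tokens {tokens} in: {line}")
    return Ace(line, action, proto, src, sport, dst, dport)


def parse_acl(text):
    lines = (l.strip() for l in text.splitlines())
    return [parse_ace(l) for l in lines if l and not l.startswith("!")]


def lint(aces):
    """Check 1: a wildcard must be an inverted netmask (1-bits contiguous from the
    low end) and the network must have no bits set where the wildcard is 1."""
    problems = []
    for i, ace in enumerate(aces):
        for label, (addr, wild) in (("source", ace.src), ("destination", ace.dst)):
            if wild & (wild + 1):
                problems.append((i, f"{label} wildcard {ipaddress.IPv4Address(wild)} is not an inverted netmask"))
            elif addr & wild:
                problems.append((i, f"{label} {ipaddress.IPv4Address(addr)} is not on the bit boundary of {ipaddress.IPv4Address(wild)}"))
    return problems


def _addr_matches(spec, ip):
    addr, wild = spec
    fixed = ALL_ONES ^ wild                # bits the entry pins to a value
    return (ip & fixed) == (addr & fixed)


def matching_lines(aces, proto, src_ip, src_port, dst_ip, dst_port):
    """Check 2: indices of every line the socket would hit. On the device the
    first one decides the action; the rest are shadowed for this socket."""
    sip, dip = _ip(src_ip), _ip(dst_ip)
    return [i for i, a in enumerate(aces)
            if a.proto in ("ip", proto)
            and _addr_matches(a.src, sip) and a.sport[0] <= src_port <= a.sport[1]
            and _addr_matches(a.dst, dip) and a.dport[0] <= dst_port <= a.dport[1]]


def _addr_covers(a, b):
    """Every address matched by spec b is also matched by spec a: each bit that a
    pins is pinned by b to the same value. Holds for non-contiguous wildcards too."""
    (aa, aw), (ba, bw) = a, b
    fixed = ALL_ONES ^ aw
    return (fixed & bw) == 0 and (aa & fixed) == (ba & fixed)


def covers(a, b):
    return (a.proto in ("ip", b.proto)
            and _addr_covers(a.src, b.src) and _addr_covers(a.dst, b.dst)
            and a.sport[0] <= b.sport[0] and a.sport[1] >= b.sport[1]
            and a.dport[0] <= b.dport[0] and a.dport[1] >= b.dport[1])


def find_duplicates(aces):
    """Check 3: (earlier, later, kind) where an earlier line already matches
    everything the later line could; kind is 'identical' or 'broader'. The
    action is ignored on purpose: a shadowed deny is as suspicious as a
    shadowed permit."""
    return [(i, j, "identical" if covers(aces[j], aces[i]) else "broader")
            for j in range(len(aces)) for i in range(j) if covers(aces[i], aces[j])]


# Constructed sample ACL (not from the post): index 3 has host bits set inside the
# wildcard, index 4 has a non-contiguous wildcard, index 5 repeats index 2 verbatim.
SAMPLE_ACL = """\
access-list 101 permit tcp 10.0.0.0 0.0.0.255 any eq 22
access-list 101 permit tcp host 10.0.0.5 any eq 22
access-list 101 permit udp 10.0.1.0 0.0.0.127 192.168.0.0 0.0.255.255 eq 53
access-list 101 permit tcp 10.0.2.1 0.0.0.255 any eq 80
access-list 101 permit tcp 10.0.3.0 0.0.0.254 any eq 80
access-list 101 permit udp 10.0.1.0 0.0.0.127 192.168.0.0 0.0.255.255 eq 53
access-list 101 deny ip any any log
"""

if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    for i, msg in lint(acl):
        print(f"index {i}: {msg}")
    print("tcp 10.0.0.5:40000 -> 203.0.113.9:22 hits",
          matching_lines(acl, "tcp", "10.0.0.5", 40000, "203.0.113.9", 22))
    for i, j, kind in find_duplicates(acl):
        print(f"index {j} is shadowed by {kind} line at index {i}")
```

The coverage test in `_addr_covers` is the part worth reading closely: instead of comparing prefix lengths, it asks whether every bit the earlier entry pins to a value is pinned by the later entry to the same value, which is exactly "strict superset" for arbitrary wildcard masks. As the post says, whether a reported pair means the later line is dead or the earlier line is too broad is a judgement call for the reviewer.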