NetSPoC is a tool for security management of large computer networks with different security domains.
NetSPoC provides its own language for describing the security policy and topology of a network. The security policy is a set of rules that state which packets are allowed to pass the network and which not. NetSPoC is topology aware: a rule for traffic from A to B is automatically applied to all managed packet filters on the path from A to B.
Currently NetSPoC generates ACLs and static routing entries for:
· Cisco routers with or without firewall feature set,
· PIX firewalls and
· Linux iptables and ip route.
It supports network address translation, virtual IP addresses for redundancy protocols like VRRP and some dynamic routing protocols.
IPSec encryption is supported as well. A powerful syntax makes it easy to define a large number of crypto tunnels in either a hub-and-spoke topology or a fully meshed topology. Crypto rules define which type of traffic needs to be encrypted. Crypto configuration for Cisco IOS routers and PIX firewalls is generated.
NetSPoC's text based specification language is well suited for integration with CVS or other version control systems. A script is provided for tagging a policy and saving it to a policy database.
This software is actively developed with Perl 5.8 under Linux. It should be portable to other platforms where Perl is available.
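The following Python sketch is an added illustration of the topology-aware behaviour described above; it is not NetSPoC's own code and does not use NetSPoC's specification language (which this page does not show). It assumes a constructed topology of four networks and three routers (r1 and r3 managed, r2 unmanaged), uses constructed address ranges, and emits ACL-like text lines rather than real Cisco or iptables syntax. A single rule "permit A to B" is expanded onto every managed packet filter on the path from A to B, and a stateless filter additionally receives an explicit reverse entry for reply traffic, which is the stateful/stateless distinction the release notes mention.

```python
from collections import deque
from ipaddress import ip_network

# Constructed sample topology (not from any NetSPoC distribution). Networks list
# the routers attached to them and routers list the networks they connect.
TOPOLOGY = {
    "network:office":   ["router:r1"],
    "router:r1":        ["network:office", "network:transit"],
    "network:transit":  ["router:r1", "router:r2"],
    "router:r2":        ["network:transit", "network:dmz"],
    "network:dmz":      ["router:r2", "router:r3"],
    "router:r3":        ["network:dmz", "network:internet"],
    "network:internet": ["router:r3"],
}

# Only managed devices receive generated filter entries; r2 is an unmanaged hop.
# "stateful" decides whether reply traffic needs its own explicit entry.
DEVICES = {
    "router:r1": {"managed": True,  "stateful": False},  # e.g. plain IOS without firewall feature set
    "router:r2": {"managed": False, "stateful": False},
    "router:r3": {"managed": True,  "stateful": True},   # e.g. a PIX firewall
}

# Constructed address ranges for the sample networks.
NETWORKS = {
    "network:office":   ip_network("10.1.1.0/24"),
    "network:transit":  ip_network("10.9.9.0/24"),
    "network:dmz":      ip_network("192.0.2.0/24"),
    "network:internet": ip_network("0.0.0.0/0"),
}


def find_path(src, dst):
    """Breadth-first search over the topology graph; returns the node list from src to dst."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            break
        for nxt in TOPOLOGY[node]:
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    if dst not in prev:
        raise ValueError(f"no path from {src} to {dst}")
    path = []
    while dst is not None:
        path.append(dst)
        dst = prev[dst]
    return path[::-1]


def managed_filters_on_path(path):
    """Keep only the routers on the path that are managed by the policy compiler."""
    return [n for n in path if n.startswith("router:") and DEVICES[n]["managed"]]


def compile_rule(src, dst, proto, port):
    """Expand one policy rule into ACL-like lines for every managed filter on the path.

    Returns a dict mapping device name -> list of filter lines. Stateless devices get
    an explicit reverse entry so that reply packets are not dropped.
    """
    src_net, dst_net = NETWORKS[src], NETWORKS[dst]
    acls = {}
    for dev in managed_filters_on_path(find_path(src, dst)):
        lines = [f"permit {proto} {src_net} {dst_net} eq {port}"]
        if not DEVICES[dev]["stateful"]:
            # Illustrative reverse entry; "established" is only meaningful for TCP.
            flag = " established" if proto == "tcp" else ""
            lines.append(f"permit {proto} {dst_net} eq {port} {src_net}{flag}")
        acls[dev] = lines
    return acls


if __name__ == "__main__":
    for dev, lines in compile_rule("network:office", "network:internet", "tcp", 443).items():
        print(dev)
        for line in lines:
            print("  " + line)
```

Running the block compiles one rule from the office network to the Internet: the path crosses r1, r2 and r3, but only r1 and r3 receive entries, and only the stateless r1 gets the extra reverse line. Changing a device's "stateful" flag or marking r2 as managed shows how the same policy rule yields different per-device configuration without the rule itself being edited.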
What's New in This Release:
· The rule set can be better adapted to stateful and stateless devices.
· New "automatic" groups can be used for simpler definition of similar rules which affect a large set of objects.
· Loopback interfaces and negotiated interfaces are now supported.
· Support for Cisco VPN 3000 devices has been added, but currently isn't well documented.
· More checks are done to prevent an inconsistent configuration.
· There are many other improvements and some bugfixes.