Firewall Builder for Cisco IOS Access Lists completes the set of tools designed to manage a multi-tiered network security system. With it, you can use the same Firewall Builder GUI and objects database to build firewall policies for Cisco PIX or Open Source firewalls such as iptables, pf, ipfilter or ipfw, and in addition create and manage router access lists.
The compiler generates extended ACLs using the "ip access-list extended" command. ACL names are generated automatically from abbreviated interface names and direction symbols, so it is easy to tell which ACL belongs to which interface and direction. The compiler uses a rather minimal set of options of the "ip access-list" command and should generate code that works on IOS 12.x. I did not test with 11.x, but I am pretty sure it will work, at least with the latest versions of 11.x.
Firewall Builder for Cisco IOS ACL can also add commands to configure logging.
The GUI includes a built-in installer for routers which works just like the installer for PIX. Both installers were updated, however, to improve support for the automatic roll-back feature in case you lose the connection to the firewall or the router because of an error in the policy. Now you can make the installer schedule a reboot in a few minutes, then upload the new policy or ACLs, and then cancel the reboot if the upload was successful. All this happens automatically and guarantees that communication with the router is maintained even if an error was made while designing the access list rules.
All three installation methods that were available for PIX are now available for routers: you can make it clear all access lists and then load new ones, or just update access lists without clearing. In addition to those methods, the last method (the "safety net" method) creates a temporary ACL that permits communication with the management station, assigns it to the interface marked as the management interface, then clears all access lists and loads the new ones, and at the end swaps the proper list onto the management interface. This helps prevent locking yourself out of the router in the middle of the installation process in case of an error in the ACL, and at the same time does not leave the router with no ACLs for the time it takes to install the new policy. In combination with automatic roll-back, the installation process is pretty reliable.
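The "safety net" method and the scheduled-reboot roll-back described above, as an added worked example of the IOS command sequence (this is not Firewall Builder's own generated output; the interface names, addresses and ACL names are constructed, and the compiler's real ACL naming scheme is not shown). It assumes the running configuration is not saved to startup-config until after the reload is cancelled, since the roll-back relies on the reboot restoring the last saved configuration.

```cisco
! Step 0 (installer, before upload): schedule the automatic reboot.
! If the new ACLs cut the session, the router reloads into its saved
! startup-config; if the upload succeeds, the installer cancels the reload.
reload in 5

! Step 1: temporary ACL admitting only the management station (constructed
! address), applied to the management interface so the session survives.
ip access-list extended tmp_mgmt
 permit tcp host 192.0.2.10 any eq 22
 deny ip any any log
exit
interface FastEthernet0/0
 ip access-group tmp_mgmt in
exit

! Step 2: remove the old access lists (names are constructed here).
! The temporary ACL is already in place, so the router is never left open.
no ip access-list extended fe0_0_in
no ip access-list extended fe0_1_in

! Step 3: load the newly compiled lists and bind the non-management one.
ip access-list extended fe0_0_in
 permit tcp host 192.0.2.10 any eq 22
 permit tcp 192.0.2.0 0.0.0.255 host 198.51.100.5 eq 80
 deny ip any any log
exit
ip access-list extended fe0_1_in
 permit tcp host 198.51.100.5 192.0.2.0 0.0.0.255 established
 deny ip any any log
exit
interface FastEthernet0/1
 ip access-group fe0_1_in in
exit

! Step 4: swap the proper list onto the management interface, then drop the
! temporary one (binding a new access-group replaces the old binding).
interface FastEthernet0/0
 ip access-group fe0_0_in in
exit
no ip access-list extended tmp_mgmt

! Step 5: the session is still alive, so cancel the pending reboot.
reload cancel
```

Only after "reload cancel" succeeds should the configuration be written to startup-config; saving earlier would make the scheduled reboot come back up with the untested ACLs.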
This software works on all major Linux distributions, FreeBSD, Mac OS X, as well as Windows 2000 and XP.
Here are some key features of "Firewall Builder for Cisco IOS ACL":
· designed for complex access lists
· can control access lists of multiple routers from the central management station
· utilizes object-oriented approach to the ACL design
· simplifies policy design
· the same set of objects that describe hosts, networks and protocols can be used to build firewall policy (Cisco PIX or any of the Open Source firewalls such as iptables, ipfilter, pf or ipfw) and router access lists
· Firewall Builder GUI can import existing access list configuration from a file saved using "show run" or similar command.
What's New in This Release:
· Starting with this version, Firewall Builder for IOS ACL has been released under the GPL and has become part of the main Firewall Builder code tree and binary packages.