All releases of 360-FAAR Firewall Analysis Audit and Repair

  •  09 Nov 2012 06:36

    Release Notes: This release fixes many of the bugs in the Cisco reader and writer sections. Cisco configurations can now be processed, written, re-read, processed, and written again cyclically. Access lists using proto groups, specifying only protocol details or using "ip/any" services, are now handled. Protocol group objects are written and used in rules for service groups with many different protocol types specified within them. "port-objects" are read in service objects, service groups, and protocol groups alike. The Cisco "echo" default service has been updated to remove TCP and UDP from its listed ports.

    •  05 Nov 2012 22:49

      Release Notes: This release resolves many of the problems with the filter sections; as many of the undefined warnings as the author could find are now fixed. Both the specific and the subnet 'rr' mode filter sections have been upgraded to fix many of the issues related to combining various filter mode types, and as a result, the filters' behavior should be much more predictable. The Cisco and od output section definitions now print service defs for all defined prototypes.

      •  01 Nov 2012 17:37

        Release Notes: This release includes much stronger consistency checks against the internal network and service object, and group and rule definitions after each round of processing. The netscreen reader now reads "interface dip" and rule "dip-id" statements and adds appropriate objects and NAT translation rules. Warnings are printed for unknown Cisco object group objects found in policies during the configuration read. NAT SRC DST translations in "rr" mode now support range objects using the range start address only, and network objects are now translated to their network bits only.

        •  29 Oct 2012 04:06

          Release Notes: This release resolves Cisco ICMP default services without printing stringified hash references in the cs output sections. Cisco network and range objects are listed as such in object-groups instead of as hosts. The Cisco output writer uses 'object' in access-lists instead of IP NM, as well as listing range objects using 'range' in access lists as well as groups. The NAT translation now supports SRC NAT translation for known network objects in rr mode filters.

          •  24 Oct 2012 03:10

            Release Notes: This release adds NAT capabilities to the Cisco ASA reader. "static" NAT IP IP NM and access-list statements are now added to the NATs table, and policy NAT rules are identified. The < and > range identifiers used in ports are now stripped before printing Netscreen policies in rr mode. Some of the "undefined" warnings have been resolved.

            •  18 Oct 2012 03:10

              Release Notes: This release reads Netscreen interface vip statements and adds them to the NATs table. Further consistency checks have been added to the policy build sections to more easily identify problem objects. The new htmlprintcsv.pl helper script converts 'print' mode output CSV files to HTML. Running the script without arguments displays info.

              •  28 Sep 2012 12:07

                Release Notes: This release cleans the output in the new columns so that specific VPN policy and object negation usage in policies is easier to see. ("Any" VPN rules and negation marked "no" are no longer printed.) The Cisco ASA/PIX reader has been upgraded so it prints more user-friendly info during the configuration read ("safe" warnings are now printed as info) and handles rules using protocol groups far better than before. The Cisco configuration reader now also reads negated source and dest services and excludes these from the "rr" mode rulebase builds.

                •  26 Sep 2012 15:50

                  Release Notes: This release further updates the 'print' and 'fltprint' mode spreadsheets to include VPN tunnel usage info and source / destination negation from the policy, as well as "install on" info (most relevant to Check Point). The version has changed to 0.3 because 'print' modes now include almost all of the "important" details pulled from the configs and logs.

                  •  13 Sep 2012 12:16

                    Release Notes: This release further updates the NAT analysis capabilities of the script. More information is populated in the NAT columns of the print mode spreadsheets.

                    •  11 Sep 2012 23:39

                      Release Notes: This release further improves the NAT analysis capabilities of 360-FAAR. The output is listed in the six new print mode columns (src, dst, and service, for both the NAT translations listed in the logs and those in the policy) for each object.
