First, apologies for my ignorance.
Does anybody have an idea about one or more tools
that could control firewall "integrity"?
Let me explain a little more.
For example, we could have a site with multiple routers and an access list
on every one. So a tool with:
* knowledge of the network (topology database, group composition, ...)
* group security policy (i.e. group general rights, stations with special
rights, rights between groups: all based upon IP services and,
more widely, other services of other protocols like AppleTalk and IPX)
* network testing abilities.
* syslog analysis abilities.
I have heard about SATAN or ISS. It seems that these tools work on
system security from the network. My idea is to test whether the rules in the ACLs
are mutually coherent and then really test each authorized (and unauthorized) link.
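The static half of what the post asks for, checking that the rules of an ACL are "mutually coherent", can be done offline before any link is probed. The script below is an added example (not code from the original post or from any of the tools it names); it assumes a toy one-line-per-rule text format, first-match semantics as on a router access list, IPv4 only, and destination ports only. It flags three classic anomalies of an ordered rule set: a rule that is completely covered by an earlier rule with the opposite action (shadowed, it can never fire), a rule completely covered by an earlier rule with the same action (redundant), and a rule that partially overlaps an earlier rule with the opposite action (correlated, so the outcome for the overlapping traffic depends on ordering and deserves review). The sample ACL is constructed for the demonstration.

```python
"""Static consistency check of an ordered, first-match IPv4 ACL (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Network
from typing import List, Tuple

ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    seq: int
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "ip" ("ip" matches any protocol)
    src: IPv4Network
    dst: IPv4Network
    dports: Tuple[int, int]   # inclusive destination port range


def parse_rule(line: str) -> Rule:
    """Parse one line of the toy format (an assumption of this example):
    '<seq> <permit|deny> <tcp|udp|ip> <src-cidr> <dst-cidr> <lo>-<hi>'."""
    seq, action, proto, src, dst, ports = line.split()
    lo, hi = (int(p) for p in ports.split("-"))
    if action not in ("permit", "deny") or proto not in ("tcp", "udp", "ip"):
        raise ValueError(f"unsupported action or protocol in rule: {line}")
    if not 0 <= lo <= hi <= 65535:
        raise ValueError(f"bad port range in rule: {line}")
    return Rule(int(seq), action, proto, IPv4Network(src), IPv4Network(dst), (lo, hi))


def _proto_covers(a: str, b: str) -> bool:
    return a == "ip" or a == b


def _proto_overlaps(a: str, b: str) -> bool:
    return a == "ip" or b == "ip" or a == b


def _ports_cover(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[0] and b[1] <= a[1]


def _ports_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matching rule b also matches rule a."""
    return (_proto_covers(a.proto, b.proto) and b.src.subnet_of(a.src)
            and b.dst.subnet_of(a.dst) and _ports_cover(a.dports, b.dports))


def overlaps(a: Rule, b: Rule) -> bool:
    """True if at least one packet matches both rules."""
    return (_proto_overlaps(a.proto, b.proto) and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst) and _ports_overlap(a.dports, b.dports))


def analyze(rules: List[Rule]) -> List[Tuple[str, int, int]]:
    """Return (kind, earlier_seq, later_seq) findings for a first-match ACL.
    kind is 'shadowed' (covered, opposite action), 'redundant' (covered, same
    action) or 'correlated' (partial overlap, opposite action)."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                kind = "redundant" if earlier.action == later.action else "shadowed"
                findings.append((kind, earlier.seq, later.seq))
                break  # the later rule can never fire; nothing more to report
            if overlaps(earlier, later) and earlier.action != later.action:
                findings.append(("correlated", earlier.seq, later.seq))
    return findings


# Constructed sample ACL, in the toy format above; addresses are illustrative.
SAMPLE_ACL = """
10 permit tcp 10.1.0.0/16   10.2.0.0/16  22-22
20 deny   tcp 10.1.1.0/24   10.2.0.0/16  22-22
30 permit ip  10.1.0.0/16   10.3.0.0/16  0-65535
40 permit tcp 10.1.5.0/24   10.3.1.0/24  80-80
50 deny   udp 10.1.0.0/16   10.2.0.0/16  0-65535
60 deny   tcp 10.1.0.0/16   10.2.1.0/24  0-65535
"""


def check_sample() -> List[Tuple[str, int, int]]:
    rules = [parse_rule(l) for l in SAMPLE_ACL.strip().splitlines()]
    return analyze(rules)


if __name__ == "__main__":
    for kind, earlier, later in check_sample():
        print(f"rule {later} is {kind} with respect to earlier rule {earlier}")
```

Running it reports that rule 20 is shadowed by rule 10 (the deny for 10.1.1.0/24 never takes effect), rule 40 is redundant with rule 30, and rule 60 is correlated with rule 10 (SSH to 10.2.1.0/24 is still permitted by rule 10 although rule 60 intends to deny it). Those findings are exactly the inputs the post's second step would need: each "permitted" pair is a link to confirm from the network, and each shadowed or correlated pair is a place where the configured policy and the effective policy differ.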