On Sun, May 22, 2005 at 05:03:30PM -0700, Lori Barfield wrote:
> well, i wouldn't limit the solution to an ACL compiler; i'd shoot
> for the whole kit, where the security policy is defined with a strict
> syntax, and that is interpreted to create baseline executable
> configuration instructions for traffic-bearing devices at various
> layers.
>
> plus i'd want the interpreter to create baseline monitoring code
> (for a unix-hosted scripting language). plus i'd want it to spit
> out a documentation template for me so i could iterate and
> catch errors visually, the way people really do architecting.
>
> because network devices interoperate to apply security policy,
> just automating (say) cisco configurations won't catch the
> common oversights that a top-down policy tool could fend off.
> you'd need all the modules to interoperate intelligently.
>
> this is so doable you'd think someone *must* have started a
> thing like this already. (perhaps at a university somewhere?)
>
> i'd pick python.
I didn't - but I'm still working towards a system that can host such a beast.
> anyone else interested?
have a look at bast-EXP in http://trout.me.uk/perl/ - it's my first cut at
an XML + XSLT-based system that should be able to do arbitrary config
generation. The basic unit is a functional transform on URL-space, with chunks
of URL-space mapped to whatever you want (files, databases, devices ...).
There's a bast-discuss list @sourceforge.net already set up, and I'll be
getting a public version control repo and a .sf.net website up within the
next week; I'm a little constrained for time due to also having to do stuff
for clients, and I've been knocked out by a cold for the last week - so
please be patient.
--
Matt S Trout Website: http://www.shadowcatsystems.co.uk
Technical Director E-mail: mst (at) shadowcatsystems.co.uk
Shadowcat Systems Ltd.
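As an added illustration of the "whole kit" sketched above (one strict policy syntax compiled into per-layer device configuration, baseline monitoring and a documentation template, with the compiler catching oversights that per-device editing would miss), here is a toy top-down policy compiler in Python, the language Lori said she would pick. It is not code from either poster and is unrelated to bast-EXP; the policy grammar, the sample rules and the output formats are all assumptions made for the example. It emits a Cisco-style extended ACL for the router layer and an iptables chain for the host layer from the same source, derives monitoring checks from the permitted services, and flags rules that are shadowed by an earlier rule and can therefore never match.

```python
"""Toy top-down policy compiler (added illustration; not code from either
poster and unrelated to bast-EXP).  One strict policy grammar is parsed
once and compiled into per-layer device config, monitoring checks and a
documentation table, so cross-rule oversights surface before deployment."""
from dataclasses import dataclass
import ipaddress
import re

# Constructed sample policy in a hypothetical grammar:
#   <permit|deny> <tcp|udp|any> <src-cidr> -> <dst-cidr> port <n|any>
SAMPLE_POLICY = """
permit tcp 10.0.0.0/8   -> 192.0.2.10/32 port 443
deny   tcp 10.1.0.0/16  -> 192.0.2.10/32 port 443
permit udp 10.0.0.0/8   -> 192.0.2.53/32 port 53
deny   any 0.0.0.0/0    -> 0.0.0.0/0     port any
"""

RULE_RE = re.compile(
    r"^(permit|deny)\s+(tcp|udp|any)\s+(\S+)\s+->\s+(\S+)\s+port\s+(\d+|any)$")

@dataclass(frozen=True)
class Rule:
    action: str
    proto: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: str  # decimal port number as a string, or "any"

def parse_policy(text):
    """Strict parser: anything that does not match the grammar is an error."""
    rules = []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not valid policy syntax: {line!r}")
        action, proto, src, dst, port = m.groups()
        if proto == "any" and port != "any":
            raise ValueError(f"line {lineno}: a port needs tcp or udp")
        rules.append(Rule(action, proto, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), port))
    return rules

def shadowed_rules(rules):
    """Indices of rules fully covered by an earlier rule, so they can never
    match: the classic oversight that per-device editing does not reveal."""
    shadowed = []
    for i, r in enumerate(rules):
        for e in rules[:i]:
            if (e.proto in ("any", r.proto) and e.port in ("any", r.port)
                    and r.src.subnet_of(e.src) and r.dst.subnet_of(e.dst)):
                shadowed.append(i)
                break
    return shadowed

def _wild(net):  # Cisco address/wildcard-mask notation
    return "any" if net.prefixlen == 0 else f"{net.network_address} {net.hostmask}"

def to_cisco_acl(rules, name="POLICY"):
    """Router layer: Cisco-style extended ACL."""
    out = [f"ip access-list extended {name}"]
    for r in rules:
        proto = "ip" if r.proto == "any" else r.proto
        port = "" if r.port == "any" else f" eq {r.port}"
        out.append(f" {r.action} {proto} {_wild(r.src)} {_wild(r.dst)}{port}")
    return "\n".join(out)

def to_iptables(rules, chain="POLICY"):
    """Host layer: the same policy as iptables commands."""
    out = [f"iptables -N {chain}"]
    for r in rules:
        parts = [f"iptables -A {chain}"]
        if r.proto != "any":
            parts.append(f"-p {r.proto}")
        if r.src.prefixlen:
            parts.append(f"-s {r.src}")
        if r.dst.prefixlen:
            parts.append(f"-d {r.dst}")
        if r.port != "any":
            parts.append(f"--dport {r.port}")
        parts.append("-j ACCEPT" if r.action == "permit" else "-j DROP")
        out.append(" ".join(parts))
    return "\n".join(out)

def to_monitoring(rules):
    """Baseline monitoring derived from the policy: one check per permitted service."""
    return [f"check {r.proto}/{r.port} on {r.dst} reachable from {r.src}"
            for r in rules if r.action == "permit"]

def to_docs(rules, shadowed):
    """Documentation template the architect can review by eye."""
    rows = ["| # | action | proto | source | destination | port | note |",
            "|---|---|---|---|---|---|---|"]
    for i, r in enumerate(rules):
        note = "SHADOWED by an earlier rule" if i in shadowed else ""
        rows.append(f"| {i + 1} | {r.action} | {r.proto} | {r.src} | {r.dst} | {r.port} | {note} |")
    return "\n".join(rows)

def compile_policy(text):
    rules = parse_policy(text)
    shadowed = shadowed_rules(rules)
    return {"cisco": to_cisco_acl(rules), "iptables": to_iptables(rules),
            "monitoring": to_monitoring(rules),
            "docs": to_docs(rules, shadowed), "shadowed": shadowed}

if __name__ == "__main__":
    result = compile_policy(SAMPLE_POLICY)
    for key in ("cisco", "iptables", "docs"):
        print(result[key], end="\n\n")
    print("\n".join(result["monitoring"]))
```

Running it on the constructed sample shows the point of the top-down approach: the second rule (a deny for 10.1.0.0/16) is flagged as shadowed by the broader permit before it, an error that would be invisible when the router ACL and the host firewall are edited separately, and the monitoring list changes automatically whenever a permitted service is added or removed from the policy.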