In terms of ACL compilers, has anyone looked at Firewall Builder? It
looks to have a general XML format that defines the policy (although at
a low-level, in terms of ports and devices), along with translators
from the XML format into implementation-specific configuration
statements.
http://www.fwbuilder.org/
I've also seen the same thing done in a commercial product where not
only the firewall configuration, but the entire device configuration
was specified in an XML language that was translated to operating
system-specific configurations (for multiple OSes, even). The XML
configurations were per-device, not per-network, however.
- djg
On May 24, 2005, at 11:58 AM, Cat Okita wrote:
> On Sun, 22 May 2005, Lori Barfield wrote:
>> well, i wouldn't limit the solution to an ACL compiler; i'd shoot
>> for the whole kit, where the security policy is defined with a strict
>> syntax, and that is interpreted to create baseline executable
>> configuration instructions for traffic-bearing devices at various
>> layers.
>
> Heh. I floated that idea by on firewall-wizards a while back, and it's
> really not at all a trivial problem or an easy solution.
>
> Each device and vendor uses slightly different syntax, and producing
> an agreeable meta-language is a right pain in the keister.
>
> cheers!
> ==========================================================================
> "A cat spends her life conflicted between a deep, passionate and profound
> desire for fish and an equally deep, passionate and profound desire to
> avoid getting wet. This is the defining metaphor of my life right now."
>
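To make the "ACL compiler" idea in djg's message concrete, here is an added example (not Firewall Builder's code, and not its XML format): a small compiler that reads a policy written in a hypothetical vendor-neutral XML schema, validates it, and emits the same rules as both iptables commands and a Cisco IOS extended ACL. The sample policy, the element and attribute names (`policy`, `device`, `rule`, `action`, `proto`, `src`, `dst`, `dport`) and the backend behaviour are all assumptions made for the example. The two backends show where the "meta-language" pain Cat Okita mentions comes from: iptables expresses "any address" by omitting the matcher, while IOS wants `any`, `host`, or a wildcard (inverse) mask, so every target needs its own idiom.

```python
"""Toy vendor-neutral policy compiler (added example; hypothetical schema)."""
import ipaddress
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample policy in the hypothetical schema (not fwbuilder's format).
SAMPLE_POLICY = """<?xml version="1.0"?>
<policy>
  <device name="edge-fw" interface="eth0"/>
  <rule action="allow" proto="tcp" src="10.0.0.0/8" dst="192.0.2.10/32" dport="443"/>
  <rule action="allow" proto="udp" src="10.0.0.0/8" dst="192.0.2.53/32" dport="53"/>
  <rule action="deny"  proto="any" src="0.0.0.0/0"  dst="0.0.0.0/0"/>
</policy>
"""


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str                   # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]         # only meaningful for tcp/udp


def parse_policy(xml_text: str) -> List[Rule]:
    """Parse and validate the policy so a bad policy fails here, not on the device."""
    root = ET.fromstring(xml_text)
    rules: List[Rule] = []
    for el in root.iter("rule"):
        action = el.get("action")
        proto = el.get("proto", "any")
        if action not in ("allow", "deny"):
            raise ValueError(f"bad action {action!r}")
        if proto not in ("tcp", "udp", "any"):
            raise ValueError(f"bad proto {proto!r}")
        # strict=True (the default) rejects prefixes with host bits set, e.g. 10.1.2.3/8
        src = ipaddress.IPv4Network(el.get("src", "0.0.0.0/0"))
        dst = ipaddress.IPv4Network(el.get("dst", "0.0.0.0/0"))
        dport: Optional[int] = None
        if el.get("dport") is not None:
            if proto == "any":
                raise ValueError("dport requires proto tcp or udp")
            dport = int(el.get("dport"))
            if not 1 <= dport <= 65535:
                raise ValueError(f"bad port {dport}")
        rules.append(Rule(action, proto, src, dst, dport))
    # Policy convention for this example: the last rule must be an explicit deny,
    # so a backend with a permissive default cannot silently widen the policy.
    if not rules or rules[-1].action != "deny":
        raise ValueError("policy must end with an explicit deny rule")
    return rules


def to_iptables(rules: List[Rule], chain: str = "FORWARD", iface: Optional[str] = None) -> List[str]:
    """iptables backend: 'any' is expressed by leaving the matcher out."""
    lines = []
    for r in rules:
        parts = ["iptables", "-A", chain]
        if iface:
            parts += ["-i", iface]
        if r.proto != "any":
            parts += ["-p", r.proto]
        if r.src.prefixlen:          # 0.0.0.0/0 is the iptables default, so omit it
            parts += ["-s", str(r.src)]
        if r.dst.prefixlen:
            parts += ["-d", str(r.dst)]
        if r.dport is not None:
            parts += ["--dport", str(r.dport)]
        parts += ["-j", "ACCEPT" if r.action == "allow" else "DROP"]
        lines.append(" ".join(parts))
    return lines


def _ios_addr(net: ipaddress.IPv4Network) -> str:
    """IOS extended ACL address syntax: any / host X / network wildcard-mask."""
    if net.prefixlen == 0:
        return "any"
    if net.prefixlen == 32:
        return f"host {net.network_address}"
    return f"{net.network_address} {net.hostmask}"   # hostmask is the inverse mask


def to_ios_acl(rules: List[Rule], name: str = "EDGE-IN") -> List[str]:
    """Cisco IOS extended ACL backend."""
    lines = [f"ip access-list extended {name}"]
    for r in rules:
        verb = "permit" if r.action == "allow" else "deny"
        proto = "ip" if r.proto == "any" else r.proto
        line = f" {verb} {proto} {_ios_addr(r.src)} {_ios_addr(r.dst)}"
        if r.dport is not None:
            line += f" eq {r.dport}"
        lines.append(line)
    return lines


def compile_policy(xml_text: str) -> Dict[str, List[str]]:
    """Compile one policy document for every supported target."""
    root = ET.fromstring(xml_text)
    device = root.find("device")
    iface = device.get("interface") if device is not None else None
    rules = parse_policy(xml_text)
    return {"iptables": to_iptables(rules, iface=iface), "ios": to_ios_acl(rules)}


def is_rejected(xml_text: str) -> bool:
    """True if the validator refuses the policy (used to exercise the checks)."""
    try:
        parse_policy(xml_text)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for target, lines in compile_policy(SAMPLE_POLICY).items():
        print(f"# {target}")
        print("\n".join(lines))
```

Note that validation happens once, on the vendor-neutral form: malformed prefixes, ports on a protocol that has none, or a policy with no closing deny are rejected before any backend runs, which is the main operational benefit of compiling from one source rather than hand-editing each device.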