I am searching for a flow-based policy editor / configuration generator suitable for use with PIX.
For example, I would like to be able to say that group A in PIX#1 can initiate SMTP connections to group B in PIX#2, and I would like the editor to have the smarts to know that that would mean that SMTP must be opened outwards on PIX#1 -and- that SMTP must be opened inward on PIX#2.
Even better: if I say that group A in PIX#1 can initiate connections to a UDP port at group B on PIX#2 (oh, say UDP 518, ntalk), then as well as the obvious outward/inward ACL entries, the editor should have the ability to automatically generate the -reversed- entries to allow for the connection to resume after UDP timeouts. For example,
access-list pix1_outwards permit udp object-group pix1_A object-group pix2_B eq 518
access-list pix2_inwards permit udp object-group pix1_A object-group pix2_B eq 518
access-list pix1_inwards permit udp object-group pix2_B eq 518 object-group pix1_A
access-list pix2_outwards permit udp object-group pix2_B eq 518 object-group pix1_A
The editor would ideally also know that if PIX#1 and PIX#2 are marked as connectable via VPN, that if necessary the appropriate crypto map entries should be generated, and that the crypto map match address ACL should if necessary be updated to allow the flow.
The editor would, if I were fortunate, also know all about NAT and about allowed NAT exemptions, and would know to generate statics for outside access inward (and to skip the statics if all the access was over nat-exempted VPNs). In generating the statics and ACLs it would be good if it took into account how each location appears to the other. In the example above, if the objects in pix1_A were nat'd on the way out of PIX#1 towards PIX#2, then the outside ACL for PIX#2 (pix2_inwards in the above) should know to use the nat'd address rather than the internal address... unless nat exemption was in effect. [I could live without it knowing about policy NAT, at least for a couple of software releases.]
And if the editor was able to handle VPN relaying (send traffic from A to C via B so as to avoid a filter between A and C), I'd be a happier camper.
I have been evaluating CiscoWorks VMS (VPN Management Solution), and it does not do any flow management. One can define objects and have them apply to hierarchies of groups, but when one wants A to reach B, one has to click in the ACL entries against A and then go and click in the ACL entries against B.
Cisco used to have CSM (Cisco Security Manager) but I believe that was discontinued... and it was certainly a nuisance to move subnets around in.
My goal is to drastically reduce inconsistencies between the configurations of our (mostly meshed) PIXes. We have somewhere over 100 internal flows, and over 1000 total flows (dang distributed Exchange servers), and when I add a new flow I would rather not have to go through the O(N^2) adjustment process that can result.
I wrote a config generation tool (almost completely in C Preprocessor!) which took me some time to get going right... but I'm the only one that understands it, and it is rule based rather than flow based so it doesn't know to generate matching or reversed flows automatically. The tool is -helping- but it still means looking through thousands of lines of config... and making the inevitable typos...
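The flow-to-config logic the post describes (one flow definition yielding the outward entry on the source PIX, the inward entry on the destination PIX, reversed entries for UDP, NAT'd names on outside interfaces unless the flow is nat-exempt, and statics only where an inbound-initiated packet needs a fixed translation) can be sketched in a few dozen lines. The block below is an added example written for this page; it is not the poster's preprocessor tool, not CiscoWorks VMS, and not any Cisco product. Its assumptions: a two-PIX flow, ACL names of the form `<pix>_outwards` / `<pix>_inwards`, a translated object-group named `<group>_global` (assumed to be defined elsewhere), and the classic PIX behaviour in which an outside-interface ACL references the translated address. Crypto maps, VPN relaying and policy NAT are out of scope. All group names and addresses are made up.

```python
"""Toy flow-based ACL/static generator for a pair of PIXes.

Added example, not from the original post or any Cisco tool. Names, addresses
and the "<group>_global" naming for translated object-groups are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Group:
    pix: str                    # PIX this group sits behind, e.g. "pix1"
    name: str                   # object-group name for the internal addresses
    inside: str                 # internal network address
    mask: str                   # network mask
    nat: Optional[str] = None   # global network used when leaving `pix`; None = untranslated


@dataclass(frozen=True)
class Flow:
    src: Group                  # initiator
    dst: Group                  # responder
    proto: str                  # "tcp" or "udp"
    port: int
    nat_exempt: bool = False    # True when the flow rides a nat-exempted VPN


def outside_name(g: Group, flow: Flow) -> str:
    """Object-group name for g as it appears on any outside interface."""
    if flow.nat_exempt or g.nat is None:
        return g.name
    return f"{g.name}_global"   # assumed naming for the translated object-group


def acl_forward(acl: str, proto: str, initiator: str, responder: str, port: int) -> str:
    """initiator -> responder eq port"""
    return f"access-list {acl} permit {proto} object-group {initiator} object-group {responder} eq {port}"


def acl_reverse(acl: str, proto: str, initiator: str, responder: str, port: int) -> str:
    """responder eq port -> initiator, so the exchange can resume after a UDP timeout."""
    return f"access-list {acl} permit {proto} object-group {responder} eq {port} object-group {initiator}"


def static(g: Group) -> str:
    """Fixed translation so an inbound-initiated packet can reach g."""
    return f"static (inside,outside) {g.nat} {g.inside} netmask {g.mask}"


def generate(flow: Flow) -> Dict[str, List[str]]:
    """Return {pix_name: [config lines]} for both ends of the flow."""
    src, dst = flow.src, flow.dst
    if src.pix == dst.pix:
        raise ValueError("flow must cross two PIXes")
    cfg: Dict[str, List[str]] = {src.pix: [], dst.pix: []}
    src_outside = outside_name(src, flow)   # how the initiator looks from outside
    dst_outside = outside_name(dst, flow)   # how the responder looks from outside

    # Forward direction: inside interface of src PIX, outside interface of dst PIX.
    cfg[src.pix].append(acl_forward(f"{src.pix}_outwards", flow.proto, src.name, dst_outside, flow.port))
    cfg[dst.pix].append(acl_forward(f"{dst.pix}_inwards", flow.proto, src_outside, dst_outside, flow.port))
    # The responder is reached from outside: it needs a static unless nat-exempt.
    if dst.nat and not flow.nat_exempt:
        cfg[dst.pix].append(static(dst))

    # Reversed direction for UDP: the responder may have to re-initiate later.
    if flow.proto == "udp":
        cfg[dst.pix].append(acl_reverse(f"{dst.pix}_outwards", "udp", src_outside, dst.name, flow.port))
        cfg[src.pix].append(acl_reverse(f"{src.pix}_inwards", "udp", src_outside, dst_outside, flow.port))
        # Now the initiator also receives inbound-initiated packets, so its
        # dynamic translation is not enough either.
        if src.nat and not flow.nat_exempt:
            cfg[src.pix].append(static(src))
    return cfg


# Constructed sample: A behind PIX#1 is NAT'd on the way out, B behind PIX#2 is not.
PIX1_A = Group("pix1", "pix1_A", "10.1.0.0", "255.255.255.0", nat="192.0.2.0")
PIX2_B = Group("pix2", "pix2_B", "10.2.0.0", "255.255.255.0")

if __name__ == "__main__":
    for f in (Flow(PIX1_A, PIX2_B, "udp", 518, nat_exempt=True),
              Flow(PIX1_A, PIX2_B, "udp", 518),
              Flow(PIX1_A, PIX2_B, "tcp", 25)):
        for pix, lines in generate(f).items():
            print(f"! {pix} (proto={f.proto}, nat_exempt={f.nat_exempt})")
            print("\n".join(lines))
```

With `nat_exempt=True` the UDP flow reproduces the four entries in the post verbatim; drop the exemption and the two entries that live on outside interfaces switch to `pix1_A_global`, and a static appears on PIX#1 because the reversed UDP entry means PIX#1 now has to accept packets it did not initiate.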