NetSPoC a Network Security Policy Compiler v3.2 released
NetSPoC is a tool for security management of large computer networks with different security domains. It generates configuration files for the packet filters that control the borders of those security domains.
NetSPoC provides its own language for describing the security policy and topology of a network. The security policy is a set of rules stating which packets may pass through the network and which may not. NetSPoC is topology aware: a rule for traffic from A to B is automatically applied to every managed packet filter on the path from A to B.
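To make the topology-aware compilation step concrete, here is an added Python sketch; it is not NetSPoC's own code and does not use its policy syntax. It assumes a constructed three-router topology in which only two routers are managed, and it turns one permit rule into an inbound ACL entry on each managed filter along the path, leaving the unmanaged hop alone.

```python
from collections import deque

# Constructed sample topology: router -> {interface: attached network}.
TOPOLOGY = {
    "r1": {"eth0": "net_a", "eth1": "net_dmz"},    # managed
    "r2": {"eth0": "net_dmz", "eth1": "net_core"},  # unmanaged
    "r3": {"eth0": "net_core", "eth1": "net_b"},    # managed
}
MANAGED = {"r1", "r3"}
NET_ADDR = {"net_a": "10.1.0.0/24", "net_dmz": "10.2.0.0/24",
            "net_core": "10.3.0.0/24", "net_b": "10.4.0.0/24"}

def find_path(src_net, dst_net):
    """BFS over networks and routers; returns [src_net, router, ..., dst_net] or None."""
    adj = {}
    for router, ifaces in TOPOLOGY.items():
        for net in ifaces.values():
            adj.setdefault(router, []).append(net)
            adj.setdefault(net, []).append(router)
    prev, queue = {src_net: None}, deque([src_net])
    while queue:
        node = queue.popleft()
        if node == dst_net:
            path = []
            while node is not None:
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in adj.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def compile_rule(src_net, dst_net, proto):
    """Emit an inbound ACL on every managed router on the path, on the interface facing the source."""
    path = find_path(src_net, dst_net)
    if path is None:
        raise ValueError(f"no path from {src_net} to {dst_net}")
    acls = {}
    for i in range(1, len(path) - 1, 2):  # routers sit at odd positions
        router, in_net = path[i], path[i - 1]
        if router not in MANAGED:
            continue  # unmanaged hop: nothing to configure here
        in_iface = next(n for n, net in TOPOLOGY[router].items() if net == in_net)
        acls[router] = [f"{in_iface} in: permit {proto} {NET_ADDR[src_net]} {NET_ADDR[dst_net]}",
                        f"{in_iface} in: deny ip any any"]
    return acls
```

Running `compile_rule("net_a", "net_b", "tcp")` yields entries for r1 and r3 only; the same rule in the reverse direction lands on the other interface of each managed router.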
Currently NetSPoC generates ACLs and static routing entries for
- Cisco routers with or without firewall feature set,
- Cisco ASA and PIX firewalls,
- Linux iptables and ip route.
It supports network address translation, virtual IP addresses for redundancy protocols like VRRP and some dynamic routing protocols.
IPSec encryption is supported as well. Crypto configuration for Cisco IOS routers and ASA firewalls is generated.
NetSPoC’s text-based specification language is well suited for integration with CVS or other version control systems. A script is provided for tagging a policy and saving it to a policy database.
This software is actively developed with Perl 5.12 under Linux. It should be portable to other platforms where Perl is available.
New features in v3.2:
- Support for Cisco ASA devices as packet filter, as VPN gateway and for LAN-to-LAN IPSec tunnels.
- Support for “easy VPN” with Cisco VPN clients.
- Generated chains for Linux iptables are highly optimized now. Deeply nested chains are generated to minimize the number of tests for each checked packet.
- Support for port address translation (PAT) to an interface on PIX and ASA.