A tool for analyzing firewall rules
To launch the springbok project you need to have:
apt-get install python-gtk2 python-networkx python-matplotlib python-reportlab python-netaddr pip install graphviz
You can import your script configuration file or the output of the iptables-save command.
In order to import iptables configuration files, you must concatenate the output of the ifconfig command with your configuration file :
ifconfig | cat - my_iptables.conf > /tmp/out && mv /tmp/out my_iptables.conf
Start to import a configuration file
File → Import configuration.
You can select multiple files. For each file the tool will try to detect the equipment type.
Once the import finished, the tool launches the construction of ROBDD, which may decrease temporarily the performance of the tool. But don't worry, it won't block the software. In fact, the operation is launched in a thread.
You can open saved project
File → Open project.
Once again, the tool launches the construction of ROBDD.
You can save the state of the current project
File → Save project.
After importing files, the tool draws the network topology. You can interact with all elements. The elements can be moved and you can zoom in or out using your mouse scroll or the zoom bar at the bottom of the zone. The "Redraw" button redraws the topology. If you double click on an element a default action is launched.
When you right click on a firewall a popup menu appears and you can:
When you right click on a node a popup menu appear and you can:
When you right click on an edge a popup menu appear and you can:
When you right click on the background a popup menu appear and you can:
Masked rules: The rule will not match any packets and action defined by the rule will never be taken.
Partially masked rules: The rule matches some packets that have already been matched.
You can launch the internal detection of a firewall by clicking on it
Right click → Detect anomaly.
The internal detection will take each ACL of the firewall individually and will check for anomalies between the rules. The 'Deep search' option enables you to have all blamed rules on an anomaly. However, this option will take too much time to perform.
You can launch the distributed detection of all firewalls by clicking on the menu
Audit → Distributed detection.
The distributed detection will construct rooted tree for each pair of network and will check for anomalies along the path. The 'Deep search' option enables you to have all blamed rules on an anomaly. However, this option will take too much time to perform.
You can seek for a path between two networks. To start a search:
Right click on a network → Itinerary from this place
Right click on a network → Itinerary to this place
Then a popup shows up and you can specify:
You can leave a field empty to not take it into account.
If paths are found, you will be able to select a path in the right lateral pane.
You can import a query file to launch multiple query requests
Audit → Import query file.
Each query must be separated with a single line of two hyphens.
The syntax is the following (if you don't want to specify a field just delete it):
protocol : protocol_value ip-source : ip_value [optional_mask_value] port-source : port_value ip-destination : ip_value [optional_mask_value] port-destination : port_value
You can export result of the following tabs
Audit → Export result:
The Springbox cli is a small script using springbok's module to export equipment ACL to an unified csv format.
python springbox_cli.py [OPTION]... [FILE]
Usage: ./springbox_cli.py [OPTION]... [FILE] Parse firewall configuration files (Cisco Asa, JuniperNetscreen, Fortinet Forigate) and export parsed rules to csv format. Create a folder tree of the configuration ACL (springbok_rulesXXXXXX)
-h, --help show this help -n, --no-confirm no confirmation on the device detected
Example: ./springbox_cli.py -n cisco_example1.conf cisco_example2.conf