The Network Security Policy Compiler (NetSPoC) is a tool for security management of large computer networks with different security domains. It generates configuration files for packet filters controlling the borders of security domains. It provides its own language for describing security policy and the topology of a network. The security policy is a set of rules that state which packets are allowed to pass the network and which are not. NetSPoC is topology aware; a rule for traffic from A to B is automatically applied to all managed packet filters on the path from A to B.
| Attribute | Value |
|---|---|
| Tags | Networking, Firewalls, Security |
| Licenses | GPL |
| Operating Systems | OS Independent |
| Implementation | Perl |
Recent releases

Changes: The rule set can be better adapted to stateful and stateless devices. New "automatic" groups can be used for simpler definition of similar rules which affect a large set of objects. Loopback interfaces and negotiated interfaces are now supported. Support for Cisco VPN 3000 devices has been added, but currently isn't well documented. More checks are done to prevent an inconsistent configuration. There are many other improvements and some bugfixes.
Changes: IPSec encryption is supported now. A new concept of areas was introduced. An area denotes a part of the topology which is delimited by a set of interfaces. The IP address and mask of networks may alternatively be declared as an IP address and a prefix length. Some network objects get an optional attribute "owner" which is used for documentation purposes. Optimization has been improved by automatically joining rules with adjacent port ranges. Netspoc now runs on 64-bit systems.
Changes: This release fixes a bug in local optimization, where some deny rules could inadvertently be marked as redundant, leading to missing ACLs for these rules in the generated code. A second bug with automatically generated rules at stateless packet filters has also been fixed. For TCP, reverse deny rules are no longer generated.
Changes: PIX commands like "icmp" and "telnet", which filter traffic destined for the device itself, are now generated. A syntax error in the generated IOS router configuration when applying an access list to an interface has been fixed.
Changes: Support of redundancy protocols (VRRP, HSRP) has been enhanced. Other minor improvements have been made.