Tuesday, September 29, 2020

Network Design Tool for IP Flows

This is for all you IP designers who have had to design a secure system with a set of elements communicating over an IP network.

The elements each have multiple interfaces (management and others), and each element resides in one of many security zones in one of many sites.

The only elements that span security zones are control points, which are usually firewalls. Any IP traffic traversing zones must be whitelisted in only the appropriate control points/firewalls.

An IP flow has a source subnet, port, protocol, host element ID and interface ID, and a destination host, interface ID and subnet. It also has a primary and a secondary path, determined by rules defining which control points it must traverse to reach the destination security zone (which, yes, ultimately translates into next-hops). A flow may need to traverse multiple control points to reach its destination. A list of IP flows is often called a communications matrix.

I have many dozens of elements needing to talk to each other. It multiplies to many thousands of flows. But it's not a full mesh. Each element interface has a particular set of other elements and interfaces it has to reach, and be reached from, according to function (and other factors, like geographical placement).

I need to generate a list of firewall rules that are to be implemented into all the correct firewalls whenever an element is added or changed.

Listing every IP flow on a spreadsheet is unscalable and prone to human error. I know this; my sheet is vast.

The spreadsheet could be a final artifact, but it needs to be generated by a tool upon which I can model these elements, their interfaces, their flow characteristics etc. Then when I add a new element to my model, I want to define the site, its name, interface subnets and far-end hosts I want it to be able to reach. I want the tool to generate the flows from that.
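As an added example (not code from this post or from any existing tool), here is a minimal version of the model described above, in Python: security zones joined by control points, elements with interfaces sitting in a zone at a site, and reachability requirements expanded into a communications matrix whose flows carry the control points on their primary and secondary paths, then grouped into per-firewall whitelist entries. The topology, element names and subnets are constructed, and the path rule is an assumption (shortest path over the zone graph, with the secondary path avoiding the primary path's control points). A requirement with no control-point path between its zones is rejected, so an unguarded or unreachable zone crossing shows up at design time rather than after deployment.

```python
"""Toy IP-flow design model (added example; topology and addresses constructed).
Zones are nodes, control points (firewalls) are edges, and each reachability
requirement becomes a flow carrying the control points it must traverse."""
from collections import deque
from dataclasses import dataclass
from ipaddress import ip_interface


@dataclass(frozen=True)
class Interface:
    element: str   # host element ID
    iface: str     # interface ID, e.g. "mgmt" or "data"
    zone: str      # security zone this interface sits in
    site: str
    addr: str      # "a.b.c.d/prefix"; host and subnet are derived from it

    @property
    def subnet(self):
        return ip_interface(self.addr).network

    @property
    def host(self):
        return ip_interface(self.addr).ip


@dataclass(frozen=True)
class ControlPoint:
    name: str
    zone_a: str
    zone_b: str    # a control point joins exactly two zones (assumption)


@dataclass
class Flow:
    src: Interface
    dst: Interface
    proto: str
    port: int
    primary: tuple = ()    # control-point names on the primary path
    secondary: tuple = ()  # alternate path avoiding the primary's control points


class DesignModel:
    def __init__(self, control_points):
        self.cps = list(control_points)

    def _zone_path(self, src_zone, dst_zone, banned=frozenset()):
        """BFS over the zone graph. Returns the control-point names on the
        shortest path, () when both zones are the same, None when unreachable."""
        if src_zone == dst_zone:
            return ()
        queue = deque([(src_zone, ())])
        seen = {src_zone}
        while queue:
            zone, path = queue.popleft()
            for cp in self.cps:
                if cp.name in banned or zone not in (cp.zone_a, cp.zone_b):
                    continue
                nxt = cp.zone_b if zone == cp.zone_a else cp.zone_a
                if nxt in seen:
                    continue
                if nxt == dst_zone:
                    return path + (cp.name,)
                seen.add(nxt)
                queue.append((nxt, path + (cp.name,)))
        return None

    def flow(self, src, dst, proto, port):
        """Turn one reachability requirement into a flow; a zone crossing with
        no control point between the zones is a design error, so fail loudly."""
        primary = self._zone_path(src.zone, dst.zone)
        if primary is None:
            raise ValueError(f"no control-point path {src.zone} -> {dst.zone}")
        secondary = self._zone_path(src.zone, dst.zone, banned=frozenset(primary)) or ()
        return Flow(src, dst, proto, port, primary, secondary)

    def firewall_rules(self, flows):
        """Whitelist entries grouped per control point: only the firewalls on a
        flow's primary or secondary path receive a rule for that flow."""
        rules = {cp.name: [] for cp in self.cps}
        for f in flows:
            for cp in sorted(set(f.primary) | set(f.secondary)):
                rules[cp].append((str(f.src.host), str(f.dst.host), f.proto, f.port))
        return rules


# Constructed sample topology: a DMZ, a core and a management zone.
CPS = [
    ControlPoint("fw-edge-1", "dmz", "core"),
    ControlPoint("fw-edge-2", "dmz", "core"),  # redundant edge firewall
    ControlPoint("fw-mgmt", "core", "mgmt"),
]
WEB = Interface("web01", "data", "dmz", "site-a", "10.1.0.10/24")
APP = Interface("app01", "data", "core", "site-a", "10.2.0.20/24")
BASTION = Interface("bastion01", "mgmt", "mgmt", "site-b", "10.9.0.5/24")
WEB_MGMT = Interface("web01", "mgmt", "mgmt", "site-a", "10.9.1.10/24")


def build_matrix():
    """Expand the reachability requirements into the communications matrix."""
    m = DesignModel(CPS)
    return [
        m.flow(WEB, APP, "tcp", 8443),         # dmz -> core, one control point
        m.flow(BASTION, WEB_MGMT, "tcp", 22),  # same zone: no firewall rule
        m.flow(BASTION, APP, "tcp", 22),       # mgmt -> core via fw-mgmt
    ]


if __name__ == "__main__":
    for fw, entries in DesignModel(CPS).firewall_rules(build_matrix()).items():
        print(fw, entries)
```

Adding an element means adding its `Interface` objects and its reachability requirements to `build_matrix`; rerunning regenerates every affected firewall's rule list, which is the spreadsheet-as-artifact the post asks for. A flow whose zones share no control point raises immediately, which is the check worth keeping even if the path rules are made richer.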

I have no such tool, and don't know of any. Tools abound to discover elements and flows once deployed, but I need a design tool to let me provide these flows before deployment commences.

Has anyone any advice, or does anyone know of a network design tool with such capability?

Thanks for any & all help.
