Wednesday, October 21, 2020

Reverse Engineer ACLs

Hi guys,

I'm performing a network hardening piece of work and have installed a pair of Cisco 5508s on each of my production sites. I'm migrating the gateway addresses of a dozen or so VLANs to sub-interfaces on the ASAs in order to restrict traffic, all dandy.

All of our large suppliers have provided us with port requirements and I've written ACLs for 90% of our prod systems. The remaining 10% are undocumented and I've been asked to reverse engineer ACLs based on their current traffic flows.

My current working theory is to write a script that integrates the syslogs and gives me a count of connection events to certain IPs. I'll then take a good guess at what to put in the ACL. For example, if there's an oven monitor that uploads SNMP data to an app server once an hour, I can allow that traffic and block everything else. Not tidy, but it gets the job done.

Has anyone ever done this before and has any tips? Anyone know of any existing programs/scripts to help me generate a top down view of traffic flow from syslogs? Anything that can help me keep my sanity?

Cheers guys, you've always been a great help in the past.
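An added worked example of the approach described in the post (not the poster's own script): it parses the ASA "Built connection" syslog events (message IDs 302013 for TCP and 302015 for UDP), counts each flow by source interface, source host, destination host, protocol and destination port, and turns the counts into candidate ASA ACL lines, one ACL per source interface, with a logged deny at the end. Teardown events are skipped so every connection is counted once. The syslog lines, interface names (plant, apps, data, mgmt) and hosts are constructed for the example; the threshold of two hits is an arbitrary starting point and anything below it is listed for manual review rather than dropped, since an hourly upload can legitimately be rare.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of Cisco ASA syslog output (not real traffic). It mixes
# Built events (302013 TCP / 302015 UDP), which we count, with Teardown events
# (302014 / 302016), which are ignored, and one identity-firewall "(user)" tag.
SAMPLE_SYSLOG = """\
Oct 21 2020 01:00:02 asa-prod-01 : %ASA-6-302015: Built outbound UDP connection 9001 for plant:10.20.5.7/40011 (10.20.5.7/40011) to apps:10.10.1.20/161 (10.10.1.20/161)
Oct 21 2020 01:00:04 asa-prod-01 : %ASA-6-302016: Teardown UDP connection 9001 for plant:10.20.5.7/40011 to apps:10.10.1.20/161 duration 0:00:02 bytes 640
Oct 21 2020 02:00:01 asa-prod-01 : %ASA-6-302015: Built outbound UDP connection 9002 for plant:10.20.5.7/40012 (10.20.5.7/40012) to apps:10.10.1.20/161 (10.10.1.20/161)
Oct 21 2020 03:00:03 asa-prod-01 : %ASA-6-302015: Built outbound UDP connection 9003 for plant:10.20.5.7/40013 (10.20.5.7/40013) to apps:10.10.1.20/161 (10.10.1.20/161)
Oct 21 2020 01:00:10 asa-prod-01 : %ASA-6-302013: Built outbound TCP connection 9004 for apps:10.10.1.20/50120 (10.10.1.20/50120) to data:10.10.2.5/1433 (10.10.2.5/1433)
Oct 21 2020 01:05:10 asa-prod-01 : %ASA-6-302013: Built outbound TCP connection 9005 for apps:10.10.1.20/50121 (10.10.1.20/50121) to data:10.10.2.5/1433 (10.10.2.5/1433)
Oct 21 2020 01:05:12 asa-prod-01 : %ASA-6-302014: Teardown TCP connection 9004 for apps:10.10.1.20/50120 to data:10.10.2.5/1433 duration 0:05:02 bytes 88211 TCP FINs
Oct 21 2020 09:12:44 asa-prod-01 : %ASA-6-302013: Built inbound TCP connection 9006 for mgmt:10.0.9.15/61002 (10.0.9.15/61002) (jsmith) to plant:10.20.5.7/3389 (10.20.5.7/3389)
"""

# Matches ASA "Built ... connection" events only. The "for" side is the
# initiator, the "to" side the responder. The optional "(user)" groups cover
# identity-firewall usernames the ASA may append after each address pair.
BUILT_RE = re.compile(
    r"%ASA-\d-3020(?:13|15): Built (?:inbound|outbound) (?P<proto>TCP|UDP) connection \d+ "
    r"for (?P<src_if>[\w-]+):(?P<src_ip>[\d.]+)/\d+ \([\d.]+/\d+\)(?: \([^)]*\))? "
    r"to (?P<dst_if>[\w-]+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\)(?: \([^)]*\))?"
)


def summarize_flows(syslog_text):
    """Count Built events per (src_if, src_ip, dst_if, dst_ip, proto, dst_port)."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = BUILT_RE.search(line)
        if m is None:
            continue  # teardown, deny, or unrelated chatter: not a new flow
        key = (m["src_if"], m["src_ip"], m["dst_if"], m["dst_ip"],
               m["proto"].lower(), int(m["dst_port"]))
        counts[key] += 1
    return counts


def propose_acls(counts, min_hits=2):
    """Turn flow counts into candidate ASA ACLs, one per source interface.

    Returns (acls, needs_review). Flows seen fewer than min_hits times go to
    needs_review for a human decision instead of being silently dropped.
    """
    acls = defaultdict(list)
    needs_review = []
    ordered = sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))
    for (src_if, src_ip, dst_if, dst_ip, proto, dport), n in ordered:
        if n < min_hits:
            needs_review.append((src_if, src_ip, dst_if, dst_ip, proto, dport, n))
            continue
        name = f"{src_if.upper()}_IN"  # assumed naming: applied 'in' on the source interface
        acls[name].append(f"access-list {name} remark {n} connections seen to {dst_if} in syslog")
        acls[name].append(
            f"access-list {name} extended permit {proto} host {src_ip} host {dst_ip} eq {dport}")
    # Explicit logged deny so anything the sample window missed shows up in syslog
    # after the ACL goes live, rather than failing silently.
    for name in acls:
        acls[name].append(f"access-list {name} extended deny ip any any log")
    return dict(acls), needs_review


if __name__ == "__main__":
    flows = summarize_flows(SAMPLE_SYSLOG)
    acls, review = propose_acls(flows)
    for name, rules in acls.items():
        print(f"! candidate ACL {name}")
        print("\n".join(rules))
        print(f"access-group {name} in interface {name[:-3].lower()}\n")
    for item in review:
        print("! below threshold, review by hand:", item)
```

Run it against a longer capture window than a single day before trusting the counts: a weekly or monthly job will not appear in 24 hours of syslog, which is exactly what the logged deny at the end of each ACL is there to catch.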
