The Network Security Policy Compiler (NetSPoC) is a tool for security management of large computer networks with different security domains. It generates configuration files for packet filters controlling the borders of security domains. It provides its own language for describing security policy and the topology of a network. The security policy is a set of rules that state which packets are allowed to pass the network and which are not. NetSPoC is topology aware; a rule for traffic from A to B is automatically applied to all managed packet filters on the path from A to B.
Tags: Networking, Firewalls, Security
Operating Systems: OS Independent
The NetSPoC website has moved to GitHub.
The documentation is being rewritten.
Several new versions have already been released.
Release Notes: Generated code for Linux iptables is now highly optimized. Deeply nested chains are used to minimize the number of tests performed on each checked packet. Support has been added for Cisco ASA devices as packet filters, as VPN gateways, and for LAN-to-LAN IPSec tunnels. A new option to generate outgoing access lists has been added. Many other improvements and bug fixes have been applied.
Release Notes: The rule set can be adapted more precisely to stateful and stateless devices. New "automatic" groups simplify the definition of similar rules that affect a large set of objects. Loopback interfaces and negotiated interfaces are now supported. Support for Cisco VPN 3000 devices has been added, but it is not yet well documented. More checks are performed to prevent an inconsistent configuration. There are many other improvements and some bug fixes.
Release Notes: IPSec encryption is now supported. A new concept of areas has been introduced: an area denotes a part of the topology delimited by a set of interfaces. The IP address and mask of a network may alternatively be declared as an IP address and a prefix length. Some network objects get an optional attribute "owner", which is used for documentation purposes. Optimization has been improved by automatically joining rules with adjacent port ranges. NetSPoC now runs on 64-bit systems.
Release Notes: This release fixes a bug in local optimization where some deny rules could inadvertently be marked as redundant, leading to missing ACL entries for these rules in the generated code. A second bug with automatically generated rules at stateless packet filters has also been fixed. For TCP, reverse deny rules are no longer generated.
Release Notes: PIX commands like "icmp" and "telnet", which filter traffic destined for the device itself, are now generated. A syntax error in the generated code for IOS routers when applying an access list to an interface has been fixed.
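As an added illustration of two ideas on this page, the topology-aware rule distribution from the project summary (a rule from A to B lands on every managed filter on the path) and the joining of adjacent port ranges from the release notes, here is example code written for this page; it is not NetSPoC's own implementation or policy language, and the topology, device names and ACL line syntax are constructed.

```python
from collections import deque
# Constructed toy topology (not NetSPoC's data model): networks and managed
# packet filters are graph nodes; an edge is an interface between them.
TOPOLOGY = {
    "net_office": ["fw1"],
    "fw1": ["net_office", "net_dmz"],
    "net_dmz": ["fw1", "fw2"],
    "fw2": ["net_dmz", "net_internet"],
    "net_internet": ["fw2", "fw3"],
    "fw3": ["net_internet", "net_partner"],
    "net_partner": ["fw3"],
}
MANAGED = {"fw1", "fw2", "fw3"}  # devices for which code would be generated

def find_path(topology, src, dst):
    """Breadth-first search: node list from src to dst, or [] if unreachable."""
    prev = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:  # walk predecessors back to src
                path.append(node)
                node = prev[node]
            return path[::-1]
        for nxt in topology.get(node, []):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return []

def join_port_ranges(ranges):
    """Merge adjacent or overlapping (lo, hi) port ranges: 80-80 + 81-82 -> 80-82."""
    merged = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:  # touches or overlaps previous range
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged

def compile_rule(topology, managed, rule):
    """Expand one permit rule into ACL lines for every managed filter on the path."""
    src, dst, proto, ranges = rule
    lines = [f"permit {proto} {src} {dst} range {lo} {hi}"
             for lo, hi in join_port_ranges(ranges)]
    # Only managed devices on the src->dst path receive the rule; unmanaged
    # nodes (the networks themselves) are skipped.
    return {dev: list(lines) for dev in find_path(topology, src, dst) if dev in managed}
```

Unreachable destinations yield no ACL entries at all, which is the kind of case a real policy compiler should flag rather than silently accept.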