Access lists are a necessary evil of security. As much as we want to believe that the new world of machine learning (ML) and artificial intelligence (AI) are going to change the way that we think about security, the fact of the matter is that the simple access list is the quickest way of determining how is allowed to go where and who is denied from doing the same.
But access lists can be cumbersome. Every new entry in a list can cause problems. Every old access control entry (ACE) is a potential problem waiting to happen. The interaction between old and new can be a huge issue. This is especially true on firewalls like the Cisco ASA. In the past, the only reliable way to determine if an ACE is being trigged is to log the entire access control list (ACL) and hope for the best. But what if one of those important rules is only trigged occasionally? And how can we strip out the unnecessary lines without breaking everything?
Insightful Investigation
Enter SolarWinds Network Insight for Cisco ASA. SolarWinds Network Insight has already done a masterful job of helping untangle F5 BIG-IP application delivery controllers. The same tool is also available to help unwind the issues with Cisco ASA firewalls.
One of the key features of Network Insight for Cisco ASA is the ability to analyze complicated access lists and determine exactly what they are doing. Network Insight can detect the hit counts for each ACL and ACE and tell you which ones are trigger the most. They can also detect when one ACE is overriding another and short circuiting the processing of packets. This is especially important when the ACL for a firewall grows to hundreds of entries, or thousands in some cases.
With Cisco ASAs, named object groups can create even more confusion. Network Insight gives you the ability to decode those object groups and ensure the packets are being processed correctly. It can also detect so-called “shadow” rules, which involve the same packet having two entirely different processing rules. Which rule has the final effect on the packet? Network Insight can tell you that and help you determine whether or not a packet is being misrouted because of opposing rules.
The last ACL feature of Network Insight for Cisco ASA that is a life saver for security and network admins is the ability to do version tracking on ACLs. If you’ve ever stared at a multi-entry monster of an ACL and wondered who keeps adding ACEs and why they are strung out like a mess you have probably asked yourself why the Cisco ASA doesn’t do a better job of tracking these kinds of problems.
SolarWinds ensured that Network Insight was able to track changes ACLs over time. Each change is logged as a separate entity in the database to ensure that all changes can be tracked historically over time. You’re able to track a flurry of changes around the same time that the Internet access for the site went offline. You can also see which entries are erased and reconfigured the most. And you can keep an eye on troublesome applications and ensure that no changes over time have caused them to stop working correctly.
Bringing It All Together
Security is a hard job. When you break things in a firewall, the Internet stops working. When you misconfigure things you may not notice until you’ve been breached. The problem comes when those things are at war with each other in a simple list of permissions and denials. Thanks to the smart folks at SolarWinds there is now a tool that can give you more information about all those maddening entries on those lists. It’s a load off your mind and a chance for you to focus on the real problems in securing your network.
