Network Security Policy Compiler (NetSPoC) is a tool for managing the security policy of large computer networks. It generates configuration files for packet filters and the boundary configuration of security domains.
New features:
·Support for Cisco ASA devices as packet filter, as VPN gateway and for LAN-to-LAN IPSec tunnels.
·Support "easy VPN" at Cisco VPN clients.
·Generated chains for Linux iptables are highly optimized now. Deeply nested chains are generated to minimize the number of tests for each checked packet.
·Support port address translation (PAT) to an interface for PIX and ASA.
Language:
·Changed syntax for defining crypto tunnels to support multiple VPN gateways.
·Renamed attribute "nat = .." at interface to "bind_nat = ..". This allows better distinction between binding and definition of NAT.
·Allow multiple NAT tags at attribute bind_nat of an interface. This simplifies definition of NAT for devices with multiple interfaces.
·Extended the concept of a secondary packet filter to a "primary" packet filter. All rules which pass a primary filter are implemented as secondary filters on other devices.
·Enhanced policy definitions to support template rule-sets which operate individually on each element of "users". This uses the new keyword 'foreach' and nested expressions with 'user'. This concept replaces 'any:[local]' from previous versions.
·Added automatic group "network:[any:xx]", the group of all networks inside a security domain.
·Removed "interface:xx.[back]". This was not widely used and can easily be expressed with the complement: "interface:xx.[all] & ! interface:xx.[auto]".
·Renamed "interface:xx.[front]" back to the old syntax "interface:xx.[auto]" which was still valid syntax in previous versions.
·Added attribute "crosslink" for networks. A crosslink network combines two or more routers into a cluster of routers. Filtering occurs only at the outside interfaces of the cluster. The crosslink interfaces permit any traffic, because traffic has already been filtered by some other device of the cluster.
·Added attribute "no_in_acl" for interfaces. With this attribute, no incoming ACL is generated for an interface. Outgoing ACLs are added to all other interfaces of the same device instead.
·Networks with isolated and promiscuous ports (RFC 5517) are supported now. Added attribute "isolated_ports" at networks and attribute "promiscuous_port" at interfaces. If a network has attribute "isolated_ports", hosts inside this network are not allowed to talk directly to each other. Instead, traffic must go through an interface which is marked as "promiscuous_port".
·Hosts no longer support multiple IP addresses, but only single IP addresses or ranges.
·Attribute "owner" no longer holds simple strings, but references to one or more 'admin' objects, each of which has a name and an email address.
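The following topology fragment, added here as an illustration and not taken from the NetSPoC distribution, shows several of the language changes above together: two NAT tags bound at one interface with bind_nat, a crosslink network joining two ASA devices into one filtering cluster, no_in_acl on an inside interface, an isolated_ports network reachable only through a promiscuous_port interface, and a foreach policy template that expands once per element of "user". All addresses are constructed, and keywords not shown on this page (policy:, srv =, any: with link =, host:, hardware =, model =, interface:[...].[auto]) are assumed from the NetSPoC syntax of that era.

```netspoc
# Internal network with a NAT definition (tag "extern") and two hosts.
network:intern = {
 ip = 10.1.1.0/24;
 nat:extern = { ip = 192.0.2.0/24; }      # constructed example addresses
 host:h1 = { ip = 10.1.1.10; }
 host:h2 = { ip = 10.1.1.11; }
}
# DMZ with its own NAT tag; hosts here may not talk to each other directly.
network:dmz = {
 ip = 10.2.0.0/24;
 nat:dmzpub = { ip = 198.51.100.0/24; }
 isolated_ports;
}
# Crosslink network: r1 and r2 form one cluster, the crosslink
# interfaces themselves do no filtering.
network:xlink = { ip = 10.9.9.0/30; crosslink; }
network:outside = { ip = 203.0.113.0/24; }

router:r1 = {
 managed;
 model = ASA;
 # no_in_acl: no incoming ACL here; outgoing ACLs are generated
 # on the other interfaces of r1 instead.
 interface:intern = { ip = 10.1.1.1; hardware = inside; no_in_acl; }
 interface:xlink  = { ip = 10.9.9.1; hardware = link; }
}
router:r2 = {
 managed;
 model = ASA;
 interface:xlink = { ip = 10.9.9.2; hardware = link; }
 # Only this interface may relay traffic between isolated DMZ hosts.
 interface:dmz   = { ip = 10.2.0.1; hardware = dmz; promiscuous_port; }
 # Both NAT tags are bound at the single outside interface.
 interface:outside = { ip = 203.0.113.1; hardware = outside;
                       bind_nat = extern, dmzpub; }
}

# Security domain behind the outside interface; network:[any:internet]
# is the automatic group of all networks inside it.
any:internet = { link = network:outside; }

# Template rule-set: "user" is instantiated separately for each network,
# so each network may reach only its own adjacent router interfaces.
policy:mgmt = {
 user = foreach network:intern, network:dmz;
 permit src = user; dst = interface:[user].[auto]; srv = tcp 22;
 permit src = user; dst = network:[any:internet]; srv = tcp 443;
}
```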