NAME

Farly::Rule::Optimizer - Optimize an expanded firewall rule set

SYNOPSIS

  use Farly;
  use Farly::Rule::Expander;
  use Farly::Rule::Optimizer;

  my $file = "test.cfg";
  my $importer = Farly->new();
  my $container = $importer->process('ASA',$file);

  my $rule_expander = Farly::Rule::Expander->new( $container );
  my $expanded_rules = $rule_expander->expand_all();  

  my $search = Farly::Object->new();
  $search->set( 'ID', Farly::Value::String->new('outside-in') );
  my $search_result = Farly::Object::List->new();
  $expanded_rules->matches( $search, $search_result );

  my $optimizer = Farly::Rule::Optimizer->new( $search_result );
  $optimizer->verbose(1);
  $optimizer->run();
  my $optimized_ruleset = $optimizer->optimized();

  my $template = Farly::Template::Cisco->new('ASA');
  foreach my $rule ( $optimized_ruleset->iter ) {
    $template->as_string( $rule );
    print "\n";
  }

DESCRIPTION

Farly::Rule::Optimizer finds duplicate and contained firewall rules in an expanded rule set.

Farly::Rule::Optimizer stores the list of optimized rules, as well as the list of rule entries which can be removed from the rule set without affecting the traffic filtering properties of the firewall.

The 'optimized' and 'removed' rule sets contain expanded rule entries and may not correspond one-to-one with the access-list lines in the actual configuration on the device.
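The DESCRIPTION above states the invariant but not the test that enforces it. The following Python example (added here; it is not Farly's Perl code and does not reproduce the ACLA "optimise" algorithm line for line) shows the first-match redundancy test on a constructed, already expanded rule list: a rule is redundant if an earlier rule contains it (it can never match), or if a later rule with the same action contains it and no rule with the other action in between intersects it. The rule list, the Rule class and the helper names are all assumptions made for this illustration.

```python
# Added illustration (not Farly's Perl code): the first-match redundancy
# test behind "duplicate and contained" rule removal, on constructed rules.
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network


@dataclass(frozen=True)
class Rule:
    """One expanded rule entry: one protocol, one src/dst prefix, one port range."""
    action: str        # "permit" or "deny"
    proto: str         # "tcp", "udp", "icmp", ...
    src: IPv4Network
    dst: IPv4Network
    dport: tuple       # inclusive (low, high) destination port range


def rule(action, proto, src, dst, lo, hi):
    """Convenience constructor taking prefixes as strings."""
    return Rule(action, proto, ip_network(src), ip_network(dst), (lo, hi))


def contains(outer, inner):
    """True if every packet matched by 'inner' is also matched by 'outer'."""
    return (outer.proto == inner.proto
            and inner.src.subnet_of(outer.src)
            and inner.dst.subnet_of(outer.dst)
            and outer.dport[0] <= inner.dport[0]
            and inner.dport[1] <= outer.dport[1])


def intersects(a, b):
    """True if at least one packet is matched by both rules."""
    return (a.proto == b.proto
            and a.src.overlaps(b.src)
            and a.dst.overlaps(b.dst)
            and a.dport[0] <= b.dport[1]
            and b.dport[0] <= a.dport[1])


def optimize(rules):
    """Split an ordered, first-match rule list into (optimized, removed).

    Rule i is redundant when either
      * a kept rule earlier in the list contains it (any action): no packet
        can ever reach it, or
      * a kept later rule with the same action contains it and no rule with
        the other action in between intersects it: every packet it matched
        falls through to the same verdict.
    Scanning last-to-first keeps the earliest copy of a duplicate.
    """
    kept = [True] * len(rules)
    for i in range(len(rules) - 1, -1, -1):
        r = rules[i]
        for j, witness in enumerate(rules):
            if j == i or not kept[j]:
                continue
            if j < i and contains(witness, r):
                kept[i] = False          # shadowed: unreachable
                break
            if j > i and witness.action == r.action and contains(witness, r):
                between = rules[i + 1:j]
                if not any(k.action != r.action and intersects(k, r)
                           for k in between):
                    kept[i] = False      # falls through to the same action
                    break
    optimized = [r for r, k in zip(rules, kept) if k]
    removed = [r for r, k in zip(rules, kept) if not k]
    return optimized, removed


# Constructed sample list (not taken from any device configuration).
SAMPLE_RULES = [
    rule("permit", "tcp", "10.0.0.0/24", "192.0.2.10/32", 443, 443),  # 0: covered by 2
    rule("deny",   "tcp", "10.0.0.0/16", "192.0.2.0/24",   22,  22),  # 1
    rule("permit", "tcp", "10.0.0.0/16", "192.0.2.0/24",  443, 443),  # 2
    rule("permit", "tcp", "10.0.0.0/24", "192.0.2.10/32", 443, 443),  # 3: duplicate of 0, shadowed by 2
    rule("deny",   "tcp", "10.0.0.7/32", "192.0.2.0/24",   22,  22),  # 4: shadowed by 1
    rule("permit", "tcp", "10.0.1.0/24", "192.0.2.20/32",  80,  80),  # 5: covered by 7, but 6 intervenes
    rule("deny",   "tcp", "10.0.1.0/24", "192.0.2.0/24",   80,  80),  # 6
    rule("permit", "tcp", "10.0.0.0/16", "192.0.2.0/24",   80,  80),  # 7
]


def fmt(r):
    return f"{r.action} {r.proto} {r.src} -> {r.dst} dport {r.dport[0]}-{r.dport[1]}"


if __name__ == "__main__":
    optimized, removed = optimize(SAMPLE_RULES)
    print("optimized:")
    for r in optimized:
        print("  " + fmt(r))
    print("removed:")
    for r in removed:
        print("  " + fmt(r))
```

Rule 5 is the case worth checking by hand: it is contained in rule 7 with the same action, but the intervening deny (rule 6) intersects it, so dropping rule 5 would change what the firewall passes. Rules 0, 3 and 4 are the only ones removed. The intervening-rule check deliberately consults the original list rather than only the rules still kept, which is conservative and therefore always safe.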

To view Farly::Rule::Optimizer actions and results with Log4perl, set the logging adapter to Log::Any::Adapter::Log4perl and add the following to your Log4perl configuration:

 log4perl.logger.Farly.Optimizer=INFO,Screen
 log4perl.appender.Screen=Log::Log4perl::Appender::Screen 
 log4perl.appender.Screen.mode=append
 log4perl.appender.Screen.layout=Log::Log4perl::Layout::PatternLayout
 log4perl.appender.Screen.layout.ConversionPattern=%d %p> %F{1}:%L %M - %m%n

See Log::Any::Adapter and Log::Any::Adapter::Log4perl for details. Logged rules are currently displayed in Cisco ASA format.

METHODS

new()

The constructor. A single expanded rule list is required.

  $optimizer = Farly::Rule::Optimizer->new( $expanded_rules<Farly::Object::List> );

verbose()

Have the optimizer display analysis results in Cisco ASA format.

  $optimizer->verbose(1);

run()

Run the optimizer.

  $optimizer->run();

set_p_action()

Change the default permit string. The default permit string is "permit". Use this if the rules in the list use a different permit action value.

  $optimizer->set_p_action("accept");

set_d_action()

Change the default deny string. The default deny string is "deny". Use this if the rules in the list use a different deny action value.

  $optimizer->set_d_action("drop");

set_icmp()

Set the optimizer to optimize ICMP rules.

  $optimizer->set_icmp();

set_l3()

Set the optimizer to optimize layer three rules, i.e. rules which are not TCP, UDP or ICMP rules.

  $optimizer->set_l3();

optimized()

Returns a Farly::Object::List<Farly::Object> container of the expanded firewall rules in the current Farly firewall model that remain after duplicate and contained rule objects have been excluded.

  $optimized_ruleset = $optimizer->optimized();

removed()

Returns a Farly::Object::List<Farly::Object> container of the duplicate and contained firewall rule objects which could be removed without changing the filtering behaviour.

  $remove_rules = $optimizer->removed();

ACKNOWLEDGEMENTS

Farly::Rule::Optimizer is based on the "optimise" algorithm in the following paper:

Qian, J., Hinrichs, S., Nahrstedt K. ACLA: A Framework for Access Control List (ACL) Analysis and Optimization, Communications and Multimedia Security, 2001

COPYRIGHT AND LICENCE

Farly::Rule::Optimizer Copyright (C) 2012 Trystan Johnson

This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.

You should have received a copy of the GNU General Public License along with this program. If not, see <http://www.gnu.org/licenses/>.