Task 3. Create the input data for digraph:
IPSO Firewall 'clish -c "show route static"' output (filename: fw_static_routes_firewall1.txt):
S 30.30.30.0/24 via 10.10.10.10, ae1c0, cost 0, age 6132971
S 40.40.40.0/24 via 10.10.10.10, ae1c0, cost 0, age 6132972
S 50.50.50.0/24 via 10.10.10.10, ae1c0, cost 0, age 6132973
S 60.60.60.0/24 via 20.20.20.10, ae2c1, cost 0, age 6132974
S 70.70.70.0/24 via 10.10.10.11, ae2c1, cost 0, age 6132974
DNS entries for the router interfaces:
# nslookup 10.10.10.10
Server:     10.10.10.113
Address:    10.10.10.113#53

10.10.10.10.in-addr.arpa    name = router1.internal.mycompany.com

# nslookup 20.20.20.10
Server:     10.10.10.113
Address:    10.10.10.113#53

10.20.20.20.in-addr.arpa    name = router2.dmz1.mycompany.com

# nslookup 10.10.10.11
Server:     10.10.10.113
Address:    10.10.10.113#53

11.10.10.10.in-addr.arpa    name = serverfarmfw1.dmz3.mycompany.com
Step 1. nodes for directly connected nets
*****************************************
Syntax: Nets1 [shape=none, label="10.1.1.0/24\ndomainname1", image="cloud.gif"]
Comment:
Feature:
Add the default domain to any network that is directly connected to a firewall, provided the firewall interface in this network has a DNS name.
# awk '{netaddr=$2; gsub(/\.|\//,"",$2); print "Netz"$2" [shape=none, label=\""netaddr"\\n"$5"\", image=\"cloud.gif\"]"}' fw_ifname_ip_def_dom_net_firewall1.txt
Output:
Netz12700132 [shape=none, label="127.0.0.1/32\n", image="cloud.gif"]
Netz101010029 [shape=none, label="10.10.10.0/29\ninternal", image="cloud.gif"]
Netz202020028 [shape=none, label="20.20.20.0/28\ndmz1", image="cloud.gif"]
Netz808080028 [shape=none, label="80.80.80.0/28\ndmz2", image="cloud.gif"]
Step 2. nodes for static route nets
*****************************************
Syntax: Nets1 [shape=none, label="10.1.1.0/24\ndomainname2", image="cloud_routed_net.gif"]
Comment:
--------
If a net in a static route is a direct net on another firewall, we can take its domain name from that firewall's interface table.
Example:
FirewallA -> NetzA (suffix: dmz3) -> routerA -> FirewallB
Command1:
# awk '{gsub(/,/,"",$0); print $2, $5, $4}' fw_static_routes_firewall1.txt > fw_static_routes_formatted_firewall1.txt
# awk 'FNR==NR{a[$1]=$2 FS $3; next}{print $0, a[$1]}' fw_ifname_ip_def_dom_net_formatted_all.txt fw_static_routes_formatted_firewall1.txt > fw_static_routes_formatted_defdoms_firewall1.txt
Command2:
# awk '{netaddr=$1; gsub(/\.|\//,"",$1); print "Netz"$1" [shape=none, label=\""netaddr"\\n"$4"\", image=\"cloud_routed_net.gif\"]"}' fw_static_routes_formatted_defdoms_firewall1.txt
Output:
Netz303030024 [shape=none, label="30.30.30.0/24\n", image="cloud_routed_net.gif"]
Netz404040024 [shape=none, label="40.40.40.0/24\n", image="cloud_routed_net.gif"]
Netz505050024 [shape=none, label="50.50.50.0/24\ndmz3", image="cloud_routed_net.gif"]
Netz606060024 [shape=none, label="60.60.60.0/24\n", image="cloud_routed_net.gif"]
Netz707070024 [shape=none, label="70.70.70.0/24\n", image="cloud_routed_net.gif"]
Step 3. nodes for all next hops
*****************************************
Syntax: Router1 [shape=none, label="", image="router.gif"]
Feature:
Dynamic image selection (firewall, router, load balancer). This requires a hostname that can be resolved and that refers to the function of the layer 3 device.
The following patterns identify the layer 3 device from its DNS name:
fw = firewall (firewall.gif)
lb = loadbalancer (loadbalancer.gif)
any other case = router (router.gif)
# awk '{gsub(/\,/,"",$4); print $4}' fw_static_routes_firewall1.txt | sort | uniq | awk '{routerip=$1; gsub(/\.|\//,"",$1); cmd="./iplookup.sh " routerip; cmd | getline myhostname; close(cmd); if (myhostname ~ "fw") myimage="firewall.gif"; else if (myhostname ~ "lb") myimage="loadbalancer.gif"; else myimage="router.gif"; print "Router"$1" [shape=none, label=\""myhostname"\", labelloc=\"b\", image=\""myimage"\"]"}'
Output:
Router10101010 [shape=none, label="router1.internal.mycompany.com", labelloc="b", image="router.gif"]
Router10101011 [shape=none, label="serverfarmfw1.dmz3.mycompany.com", labelloc="b", image="firewall.gif"]
Router20202010 [shape=none, label="router2.dmz1.mycompany.com", labelloc="b", image="router.gif"]
Step 4. record based node for firewall interface table where there is no route
*****************************************
Syntax: FirewallIFsNR [shape=Mrecord, label="IF1\n10.1.1.1|IF2\n10.1.2.1"]
Command:
---------
# awk '{print $5}' fw_static_routes_firewall1.txt | sort | uniq | sed 's/\,//g' > ifs_with_route_firewall1.txt
# grep "Logical Interface\|IP Address" -A 1 fw_interfaces_firewall1.txt | awk '{if ($1 == "Logical") {ifname=$3; gsub(/\-/,"",ifname)}; if ($1 !~ /[a-zA-Z\-]/) {ipaddr=$1; print ifname"\\n"ipaddr"\|"}}' | grep -v -f ifs_with_route_firewall1.txt | awk -v var3="firewall1" '{line = line " " $0} END {print var3"IFsNR [shape=Mrecord, label=\""line"\"]"}'
Output:
firewall1IFsNR [shape=Mrecord, label=" ae3c1\n80.80.80.1| loop0c0\n127.0.0.1|"]
Step 5. record based node for firewall interface table where there is a route
*****************************************
Syntax: FirewallIFsR [shape=Mrecord, label="IF3\n10.1.3.1|IF4\n10.1.4.1"]
Command:
# grep "Logical Interface\|IP Address" -A 1 fw_interfaces_firewall1.txt | awk '{if ($1 == "Logical") {ifname=$3; gsub(/\-/,"",ifname)}; if ($1 !~ /[a-zA-Z\-]/) {ipaddr=$1; print ifname"\\n"ipaddr"\|"}}' | grep -f ifs_with_route_firewall1.txt | awk -v var3="firewall1" '{line = line " " $0} END {print var3"IFsR [shape=Mrecord, label=\""line"\"]"}'
Output:
firewall1IFsR [shape=Mrecord, label=" ae1c0\n10.10.10.1| ae2c1\n20.20.20.1|"]
Step 6. edge for firewalls interface with direct networks only
*****************************************
Syntax: Netz1 -> FirewallIFsNR:IF1
Command:
# grep -v -f ifs_with_route_firewall1.txt fw_direct_routes_firewall1.txt | awk -v var3="firewall1" '{gsub(/\.|\//,"",$2); gsub(/\-/,"",$6); print "Netz"$2" -> "var3"IFsNR:"$6}'
Output:
Netz12700132 -> firewall1IFsNR:loop0c0
Netz808080028 -> firewall1IFsNR:ae3c1
Step 7. edge for firewall interface table to firewall
*****************************************
Syntax:
FirewallIFsNR -> Firewall [dir=none, penwidth=50, color="#8b0000"]
Firewall -> FirewallIFsR [dir=none, penwidth=50, color="#8b0000"]
Command:
echo "firewall1IFsNR -> firewall1 [dir=none, penwidth=50, color=\"#8b0000\"]"
echo "firewall1 -> firewall1IFsR [dir=none, penwidth=50, color=\"#8b0000\"]"
Output:
firewall1IFsNR -> firewall1 [dir=none, penwidth=50, color="#8b0000"]
firewall1 -> firewall1IFsR [dir=none, penwidth=50, color="#8b0000"]
Step 8. edge for not direct networks to firewall interface table and to router and to nets
*****************************************
Syntax:
FirewallIFsR:IF3 -> Netz3
Netz3 -> Router1 [headlabel="10.1.3.2"]
Router1 -> Netz5
Commands:
grep -f ifs_with_route_firewall1.txt fw_direct_routes_firewall1.txt | awk -v var3="firewall1" '{gsub(/\.|\//,"",$2); gsub(/\-/,"",$6); print var3"IFsR:"$6" -> Netz"$2}'
grep -f ifs_with_route_firewall1.txt fw_direct_routes_firewall1.txt | awk '{print $6,$2}' > networks_for_routerips_firewall1.txt
grep -f ifs_with_route_firewall1.txt fw_static_routes_firewall1.txt | awk '{print $5,$4}' | sort | uniq | sed 's/\,//g' > routerips_firewall1.txt
awk 'FNR==NR{a[$1]=$2; next}{routerip=$2; gsub(/\.|\//,"",a[$1]); gsub(/\.|\//,"",$2); print "Netz"a[$1]" -> Router"$2"[headlabel=\""routerip"\"]"}' networks_for_routerips_firewall1.txt routerips_firewall1.txt
awk '{gsub(/\.|\//,"",$2); gsub(/\.|\/|\,/,"",$4); print "Router"$4" -> Netz"$2}' fw_static_routes_firewall1.txt
Output:
firewall1IFsR:ae1c0 -> Netz101010029
firewall1IFsR:ae2c1 -> Netz202020028
Netz101010029 -> Router10101010[headlabel="10.10.10.10"]
Netz202020028 -> Router10101011[headlabel="10.10.10.11"]
Netz202020028 -> Router20202010[headlabel="20.20.20.10"]
Router10101010 -> Netz303030024
Router10101010 -> Netz404040024
Router10101010 -> Netz505050024
Router20202010 -> Netz606060024
Router10101011 -> Netz707070024
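As an added example (not the author's awk pipeline), the following Python script re-implements the logic of Steps 2, 3 and 8 over the route output above in one place: it parses the "show route static" lines, classifies each next hop by the fw/lb rule, and emits the DOT node and edge lines. The PTR dictionary stands in for iplookup.sh (it holds the nslookup answers shown above) and DEF_DOMAIN is a constructed stand-in for the Step 2 join file; both are assumptions, not files from the page.

```python
import re

# Constructed input: the "show route static" lines from this page, one route per line.
STATIC_ROUTES = """\
S 30.30.30.0/24 via 10.10.10.10, ae1c0, cost 0, age 6132971
S 40.40.40.0/24 via 10.10.10.10, ae1c0, cost 0, age 6132972
S 50.50.50.0/24 via 10.10.10.10, ae1c0, cost 0, age 6132973
S 60.60.60.0/24 via 20.20.20.10, ae2c1, cost 0, age 6132974
S 70.70.70.0/24 via 10.10.10.11, ae2c1, cost 0, age 6132974
"""
# Stand-in for iplookup.sh/nslookup: the reverse-DNS answers shown on the page.
PTR = {"10.10.10.10": "router1.internal.mycompany.com",
       "20.20.20.10": "router2.dmz1.mycompany.com",
       "10.10.10.11": "serverfarmfw1.dmz3.mycompany.com"}
# Constructed stand-in for the Step 2 join: routed nets that are direct nets on another firewall.
DEF_DOMAIN = {"50.50.50.0/24": "dmz3"}
ROUTE_RE = re.compile(r"^S\s+(\S+)\s+via\s+(\S+),\s+(\S+),")

def node_id(prefix, addr):
    # Same ID scheme as the awk gsub: drop dots and slashes (10.10.10.10 -> Router10101010).
    return prefix + re.sub(r"[./]", "", addr)

def device_image(hostname):
    # Step 3 rule: "fw" in the name -> firewall, "lb" -> load balancer, anything else -> router.
    if "fw" in hostname:
        return "firewall.gif"
    return "loadbalancer.gif" if "lb" in hostname else "router.gif"

def parse_routes(text):
    # (net, next hop, interface) per route; lines that do not match are skipped, not guessed.
    return [m.groups() for m in map(ROUTE_RE.match, text.splitlines()) if m]

def dot_lines(routes):
    # Step 2 net nodes, Step 3 next-hop nodes (one per hop) and Step 8 Router -> Netz edges.
    out, hops = [], []
    for net, hop, _if in routes:
        out.append('%s [shape=none, label="%s\\n%s", image="cloud_routed_net.gif"]'
                   % (node_id("Netz", net), net, DEF_DOMAIN.get(net, "")))
        if hop not in hops:
            hops.append(hop)
    for hop in hops:
        name = PTR.get(hop, hop)  # unresolved hop: keep the IP as label instead of an empty string
        out.append('%s [shape=none, label="%s", labelloc="b", image="%s"]'
                   % (node_id("Router", hop), name, device_image(name)))
    out += ["%s -> %s" % (node_id("Router", h), node_id("Netz", n)) for n, h, _ in routes]
    return out

if __name__ == "__main__":
    print("digraph G {\n  " + "\n  ".join(dot_lines(parse_routes(STATIC_ROUTES))) + "\n}")
```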