The AlgoSec Firewall Analyzer (AFA) is a Linux-based offering that collects configuration information from corporate firewalls (the vendor states that Cisco, Check Point and Juniper/NetScreen are supported) and provides specific types of analysis for the collected data. Analysis results are provided via HTML-based reports accessible via a Web browser. The vendor states that the information is collected from the firewalls in a non-intrusive fashion (leveraging SSH and/or OPSEC communications) and that the analysis of the data is then performed offline, without requiring direct packet exchanges against the firewalls themselves. The analysis itself can be performed on a scheduled basis, with results E-mailed to appropriate personnel.

Three primary software modules are offered in the AlgoSec Firewall Analyzer suite: The Core Module, the Optimization Module, and the Risk Module.

The Core Module is focused primarily on change management issues, including the reporting of all changes made to firewall configurations, historical logging of changes, automated comparisons of firewalls (even if the firewalls are from different vendors), etc. This module is included in all AFA packages.

The Optimization Module enables administrators to optimize their firewall gear by detecting and reporting particular types of firewall inefficiencies. Included in these checks are the detection of unused rules or objects (based on actual traffic or logs); rules that will never logically be used (because they are already enforced by other rules); disabled rules; and expired rules. The module also provides rule re-ordering recommendations.

Finally, the Risk Module concerns itself with the analysis of firewall policies as compared to regulatory compliance standards and best practice data. Out-of-the-box, automatically created PCI-DSS and SOX compliance reports are included as a part of this module.

Also available in the package are VPN analysis features, which are included as a part of the Policy Optimization and Risk Management modules. VPN analysis features include support for the viewing of VPN rules, users, groups, and communities (with such metrics as authentication method, group assignments, expiration dates, and encryption characteristics); listings of expired users; and listings of unattached groups or users (those groups or users that are not associated with any rules).

New in the latest AFA release is support for "Matrix Analysis," which is able to evaluate several firewalls together based on their relative hierarchy in the network. Also new is support for parallel analysis, support for the detection of unused objects in rules, and support for the detection of rules covered by earlier or later rules.

AFA is offered in four bundles: The base Operations Management Edition; the Optimization Edition, which adds to the Operations Management Edition the Optimization Module; the Risk Management Edition, which adds to the Operations Management Edition the Risk Module; and the Enterprise Edition which combines all three modules. The vendor states that the product can be purchased in multiple formats; including as software, as a virtual appliance, as a service, or in hardware flavors. Entry-level pricing starts at $1,500.

Contact the vendor for further information.