PathFinder in the News
Athena Security's new PathFinder network path analysis product offers visibility into security infrastructure. Network engineers upload the configuration data of their firewalls, switches and routers into the tool, which generates an offline, virtual model of the network from them. They can then simulate packet transmission through this model, and PathFinder predicts how device configurations and firewall rules will affect the packet flows, without touching the production devices.
The article includes an interesting case study in which Serauskas used PathFinder to troubleshoot service availability after restructuring the DMZ in his network.
“Since we got [PathFinder] we’ve been using it to troubleshoot… how the path runs through our ASA [Cisco Adaptive Security Appliance],” he said. “For PCI we’ve recently split our DMZ into four different DMZs. When we first set it up, we didn’t have the routing exactly right through it, and our VMware guy was having some issues with some of the servers that we had in the DMZ.”
With PathFinder’s offline network path analysis features, Serauskas used his device configurations to build a model of his network and sent simulated packets through the DMZ. He saw that the ASA was intercepting certain packets as they passed through it. He examined the rules on the ASA and found that some entries were still steering those packets down an older path, left over from before the segmentation, that was no longer in use.
“We just had to change the path on the DMZ — make the proper changes on the firewall for it — and once we made the changes to the config, we ran a new test [in PathFinder],” he said. “Once we knew the IP that [the VMware admin] was trying to get through had traveled correctly, we made the change [in production].”
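To make the kind of analysis described above concrete, here is a small offline path-analysis model written for this page. It is an added example, not PathFinder's own code and not the configuration from the article: the device names, interfaces, subnets and ACL entries are all constructed. It reproduces the shape of the case study, a single DMZ split into four /24s behind an ASA, where a stale pre-segmentation route steers packets for the new DMZ out the old interface, whose ACL has no entry for them, and then shows the same packet delivered once the routing and firewall entries are corrected.

```python
"""Toy offline network path analysis: build a model from device configuration
and trace a simulated packet through routing tables and firewall ACLs.

Added illustrative example; not PathFinder code. Every device name,
interface, subnet and rule below is constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR the source address must fall in
    dst: str                     # CIDR the destination address must fall in
    dport: Optional[int] = None  # None matches any destination port


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class Device:
    name: str
    routes: dict[str, str]            # prefix -> egress interface
    acls: dict[str, list[Rule]]       # egress interface -> ACL (first match wins)
    links: dict[str, Optional[str]]   # egress interface -> next device, None = attached LAN


PERMIT_ANY = [Rule("permit", "0.0.0.0/0", "0.0.0.0/0")]  # used for interfaces with no ACL


def lookup_route(dev: Device, dst: str) -> Optional[str]:
    """Longest-prefix match over the device's routing table."""
    addr = ip_address(dst)
    best_net, best_iface = None, None
    for prefix, iface in dev.routes.items():
        net = ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_iface = net, iface
    return best_iface


def eval_acl(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[Rule]]:
    """First matching entry decides; no match falls through to the implicit deny."""
    for r in rules:
        if (ip_address(pkt.src) in ip_network(r.src)
                and ip_address(pkt.dst) in ip_network(r.dst)
                and (r.dport is None or r.dport == pkt.dport)):
            return r.action, r
    return "deny", None


def trace(topology: dict[str, Device], start: str, pkt: Packet, max_hops: int = 16) -> dict:
    """Follow the packet device by device; each hop records (device, egress interface, verdict)."""
    hops: list[tuple[str, Optional[str], str]] = []
    dev_name: Optional[str] = start
    while dev_name is not None:
        if len(hops) >= max_hops:
            return {"verdict": "loop", "hops": hops}
        dev = topology[dev_name]
        iface = lookup_route(dev, pkt.dst)
        if iface is None:
            hops.append((dev.name, None, "no route"))
            return {"verdict": "dropped", "hops": hops}
        action, _ = eval_acl(dev.acls.get(iface, PERMIT_ANY), pkt)
        hops.append((dev.name, iface, action))
        if action == "deny":
            return {"verdict": "dropped", "hops": hops}
        dev_name = dev.links.get(iface)
    return {"verdict": "delivered", "hops": hops}


def build_topology(fixed: bool) -> dict[str, Device]:
    """Constructed model: a core router behind an ASA whose single DMZ
    (10.20.0.0/22) was split into four /24s. Before the fix the ASA still
    carries the old aggregate route and lacks the /24 for the new dmz3, so
    dmz3 traffic is steered out the old interface, whose ACL (already
    narrowed for PCI to the hosts that stayed there) has no entry for it."""
    core = Device("core", {"10.10.0.0/16": "inside", "10.20.0.0/16": "to_asa"},
                  {}, {"inside": None, "to_asa": "asa"})
    routes = {"10.20.1.0/24": "dmz1", "10.20.2.0/24": "dmz2"}
    if fixed:
        routes.update({"10.20.0.0/24": "dmz_old", "10.20.3.0/24": "dmz3"})
    else:
        routes["10.20.0.0/22"] = "dmz_old"  # stale pre-segmentation entry
    acls = {iface: [Rule("permit", "10.10.0.0/16", f"10.20.{i}.0/24", 443)]
            for i, iface in enumerate(["dmz_old", "dmz1", "dmz2", "dmz3"])}
    asa = Device("asa", routes, acls, {iface: None for iface in acls})
    return {"core": core, "asa": asa}


def run_case_study(pkt: Packet) -> dict[str, dict]:
    """Trace the same packet against the broken and the corrected model."""
    return {"before": trace(build_topology(fixed=False), "core", pkt),
            "after": trace(build_topology(fixed=True), "core", pkt)}


if __name__ == "__main__":
    result = run_case_study(Packet("10.10.5.23", "10.20.3.40", 443))
    for label, r in result.items():
        print(label, r["verdict"], " -> ".join(f"{d}:{i}({a})" for d, i, a in r["hops"]))
```

The value of running the trace offline is visible in the "before" output: the hop list names the exact device and egress interface where the packet dies, which is the question the admin in the case study had to answer by inspecting the ASA rules by hand. The model is deliberately simplified (stateless, egress ACLs only, no NAT); a real tool has to account for NAT, inspection policies and connection state, which is why the article's workflow of re-testing the corrected configuration in the model before touching production matters.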
Read the whole article.