Improve the map (CLI)

AlgoSec provides a CLI tool to help complete the map.

Note: Using the AFA web interface or the Topology Advisor REST APIs is the preferred method for identifying routers that may be missing from the map. See Improve the map. If you choose to use the CLI tool, its results do not appear in the UI.

Topology Advisor CLI tool scope

The CLI tool provides:

  • A prioritized list of generic routers in the map that should be defined as routers in AFA. The routers which would complete the most paths are given the highest priority.

    In order to identify which router corresponds to which IP address, the tool automatically performs a DNS lookup. To further assist the tool in identifying the device names, you can optionally provide the network's SNMP credentials.

  • A list of mismatched routes in the map (the route was complete in one direction, but not the other).


Identify routers to define in AFA

Do the following:

  1. Set the map to prefer paths where the source is a subnet (and not a cloud) and disable this preference for destinations. For details, see the PrioritizeFIPDestination parameter.

    Note: Make sure to revert these parameters to the settings required for your environment after you finish running the CLI tool.

  2. Prepare the following input files:

    • A .txt file with all the internal subnets within the network. All of the subnets must be reachable from each other without going through the internet.

      Each subnet in the file must be in CIDR format and on a new line ("line break" is the delimiter).

      Example:

      10.0.0.0/8
      192.168.0.0/16

    • A .txt file with all the external IP addresses that should be reachable from each internal subnet.

      Each IP address must be on a new line ("line break" is the delimiter).

      Example:

      8.8.8.8
      82.102.187.174

    • (Optional) A .txt file with the network's SNMP credentials. Providing this information helps the CLI tool determine the names of the routers in the prioritized list (not just the IP addresses) when the DNS lookup does not provide the name.

      • For SNMP version 2, the file must include the following (with the community string value inserted):

        version: 2
        community:

      • For SNMP version 3, the file must include the following (with all the values inserted):

        version: 3
        username:
        authprotocol:
        authpassword:
        privprotocol:
        privpassword:

        Note: When SNMP is provided, the only information being fetched via SNMP is the name of the devices.

  3. Open a terminal and log in as the user "afa" with that user's password.

  4. Run the following command with any desired optional parameters:

    map_completeness -i <internal_nets.txt> -e <external_IPs.txt>

    For details, see Topology Advisor CLI Tool parameters.

  5. The tool simulates the routes between each pair of internal subnets, and between each internal subnet and each external IP.

    For example:

    Running internal queries:
    Simulating 950 paths of 8556 possible paths.
    100% Processed
    Running external queries:
    Simulating 372 paths of 372 possible paths.
    100% Processed
    ----------------------------------------------

    Where:

    Summary line | Description
    Internal networks: 2 | Number of internal subnets in the input file.
    External IPs: 2 | Number of external IPs in the input file.
    Internal subnets in the map database: 93 | Number of subnets in the current map that are included in the internal subnets in the input file.
    3 Unique missing router addresses | Number of routers in the current map that are not defined in AFA.
    294 Mismatches were found | Number of paths that are complete in one direction, but not the other.
    Map is 16.28% Complete | The score for the current map: the percentage of possible paths that are complete.

    Note: Routes with NAT are reported as mismatched even though they do not indicate a hole in the map.

The two output files are created with the names you specified in the command parameters, or with the default names missing_routers.txt and routing_mismatches.txt.

The missing routers output file provides a list of routers to add to AFA. The file includes the number of paths that are incomplete because of each missing router. The devices are listed in descending priority, where devices that would complete more paths are given higher priority. If the tool was not able to determine the name of a router using a DNS lookup or SNMP, only the IP address appears.
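The following helper is an added example and is not part of AlgoSec's product or documentation. It checks the two input files from step 2 before you run map_completeness (one CIDR prefix or one IP address per line, no host bits set, no overlapping or duplicate entries, no private addresses in the external list) and parses the summary counters from the tool's terminal output so that the completeness score can be tracked across runs. The sample file contents and the summary block are constructed from the examples on this page; the summary line wording is assumed to match that example and may differ between versions.

```python
"""Validate Topology Advisor CLI input files and parse its summary output.

Added example (not AlgoSec code). Assumes the input-file formats described in
the procedure and the summary line wording shown in the example output.
"""
import ipaddress
import re

# Constructed sample input files, mirroring the examples in step 2.
INTERNAL_NETS = """10.0.0.0/8
192.168.0.0/16
"""

EXTERNAL_IPS = """8.8.8.8
82.102.187.174
"""

# Constructed sample of the tool's terminal output, copied from the example in step 5.
SUMMARY_OUTPUT = """Running internal queries:
Simulating 950 paths of 8556 possible paths.
100% Processed
Running external queries:
Simulating 372 paths of 372 possible paths.
100% Processed
----------------------------------------------
Internal networks: 2
External IPs: 2
Internal subnets in the map database: 93
3 Unique missing router addresses
294 Mismatches were found
Map is 16.28% Complete
"""


def validate_internal_subnets(text):
    """Return (networks, problems) for the internal-subnets file.

    Each non-empty line must be a CIDR prefix with no host bits set. Duplicate
    and nested prefixes are reported because they consume simulated paths
    (see the -n parameter) without adding coverage of the map.
    """
    networks, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if "/" not in line:
            problems.append(f"line {lineno}: {line!r} is not in CIDR format")
            continue
        try:
            net = ipaddress.ip_network(line, strict=True)
        except ValueError as exc:
            problems.append(f"line {lineno}: {line!r} rejected ({exc})")
            continue
        if net in networks:
            problems.append(f"line {lineno}: duplicate prefix {net}")
            continue
        for seen in networks:
            if net.version == seen.version and (net.subnet_of(seen) or seen.subnet_of(net)):
                problems.append(f"line {lineno}: {net} overlaps {seen}")
        networks.append(net)
    return networks, problems


def validate_external_ips(text):
    """Return (addresses, problems) for the external-IPs file.

    Each non-empty line must be a single IP address. Private addresses are
    reported because the file is meant to hold destinations outside the network.
    """
    addresses, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            addr = ipaddress.ip_address(line)
        except ValueError:
            problems.append(f"line {lineno}: {line!r} is not a valid IP address")
            continue
        if addr.is_private:
            problems.append(f"line {lineno}: {addr} is a private address, not external")
        if addr in addresses:
            problems.append(f"line {lineno}: duplicate address {addr}")
            continue
        addresses.append(addr)
    return addresses, problems


# Summary lines as shown in the example output; the wording is an assumption.
_SUMMARY_PATTERNS = {
    "internal_networks": re.compile(r"^Internal networks:\s*(\d+)$"),
    "external_ips": re.compile(r"^External IPs:\s*(\d+)$"),
    "subnets_in_map": re.compile(r"^Internal subnets in the map database:\s*(\d+)$"),
    "missing_routers": re.compile(r"^(\d+) Unique missing router addresses$"),
    "mismatches": re.compile(r"^(\d+) Mismatches were found$"),
    "percent_complete": re.compile(r"^Map is ([\d.]+)% Complete$"),
}


def parse_summary(text):
    """Extract the summary counters from the tool's terminal output into a dict.

    Fields that are not found are left out rather than defaulted to zero, so a
    changed output format is distinguishable from an empty result.
    """
    result = {}
    for raw in text.splitlines():
        line = raw.strip()
        for key, pattern in _SUMMARY_PATTERNS.items():
            match = pattern.match(line)
            if match:
                value = match.group(1)
                result[key] = float(value) if key == "percent_complete" else int(value)
    return result


if __name__ == "__main__":
    nets, net_problems = validate_internal_subnets(INTERNAL_NETS)
    ips, ip_problems = validate_external_ips(EXTERNAL_IPS)
    for problem in net_problems + ip_problems:
        print("input problem:", problem)
    print(f"{len(nets)} internal subnets, {len(ips)} external IPs")
    print(parse_summary(SUMMARY_OUTPUT))
```

Run the validators on the real internal_nets.txt and external_IPs.txt before invoking map_completeness; a rejected line means the simulation would either fail or spend part of its sample (the -n budget) on an entry that adds nothing. The optional SNMP credentials file holds a community string or SNMPv3 passwords in clear text, so keep it readable only by the afa user and delete it once the run is finished.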


Topology Advisor CLI Tool parameters

Parameter | Mandatory? | Description
-i <internal_nets.txt> | Yes | Passes the internal networks input file. The value is the relative path to the file.
-e <external_IPs.txt> | Yes | Passes the external IPs input file. The value is the relative path to the file.
-s <snmp_credentials.txt> | No | Passes the SNMP credentials input file. The value is the relative path to the file.
-r <missing_routers.txt> | No | Specifies the name of the output file with the prioritized list of routers. By default, the file's name is missing_routers.txt.
-m <routing_mismatches.txt> | No | Specifies the name of the output file with the routing mismatches. By default, the file's name is routing_mismatches.txt.
-n <max_queries> | No | Specifies the maximum number of routes to simulate, where each route is simulated in both directions. The internal subnets are permitted this number of routes and the external IPs are permitted this number of routes (individually). The default value is 1000 routes: 1000 for internal subnets and 1000 for external IPs, where each route is simulated in both directions. Note: This CLI tool does not simulate every possible route, but a sample. This parameter specifies the size of the sample.
-v | No | Enables verbose mode. The output files contain additional information that may be useful for debugging. By default, verbose mode is disabled.
-p | No | Prints the output files in human-readable format. The default is CSV format.
-h | No | Prints help. Help is also printed if the command is run with invalid syntax.
