Developing an Automatic Validator for Cisco ASA IOS Configurations at ScanPlus


ScanPlus is a cloud service provider located in Ulm that is working on improving and automating its service offerings. One of the challenges ScanPlus is currently working on is automating the quality assurance of the configurations of its Cisco ASA firewalls. These configurations are mostly created and checked manually. Automation should make this process faster and more reliable.


The goal of this master's thesis is the analysis of Cisco ASA firewall configurations. A prerequisite to this analysis is the implementation of a parser for a subset of the configuration language. The next step is to check parsed data for style issues, correctness, and conformity with requirements documents. Configurations can be complex and contain nested elements, and it may be necessary to interpret the configurations to determine their effect. Finally, it should be possible to modify the configurations in a safe way and to write them back to the router in a transactionally safe way.

The techniques and tools for the above goals should be implemented as a Java or Python library. Good documentation and a clean coding style are important, because ScanPlus is planning on using and extending this library. The developed library has to be evaluated with respect to correctness and usefulness. For this, ScanPlus will provide hardware and anonymised configurations for testing. Interviews with colleagues will be used to evaluate the usefulness. The anonymised configurations should also be examined for further style and correctness issues that can be automatically checked.

This thesis will be conducted while working as a Werkstudent at ScanPlus, allowing the student to learn first hand about the challenges of working at a cloud service provider.
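The parse-then-check pipeline described above can be sketched as follows. This is an added example, not code from ScanPlus or the thesis; the function names, rule identifiers and the sample configuration are assumptions made for illustration, and the "unused group" rule is simplified (it ignores `group-object` references between groups).

```python
import re

# Constructed sample in Cisco ASA syntax (not a ScanPlus configuration).
SAMPLE = """\
object-group network WEB_SERVERS
 network-object host 10.0.0.10
 network-object 10.0.1.0 255.255.255.0
object-group network UNUSED_GROUP
 network-object host 10.0.9.9
access-list OUTSIDE_IN extended permit tcp any object-group WEB_SERVERS eq 443
access-list OUTSIDE_IN extended permit tcp any object-group DB_SERVERS eq 1433
access-list OUTSIDE_IN extended permit ip any any
"""

def parse(text):
    """Return [(line_no, command, children)]; indented lines nest under the previous command."""
    tree = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("!"):
            continue  # blank lines and "!" comment/separator lines
        if line[0] == " ":
            if not tree:
                raise ValueError(f"line {no}: indented line without parent")
            tree[-1][2].append((no, line.strip()))
        else:
            tree.append((no, line, []))
    return tree

def check(tree):
    """Return sorted (line_no, rule_id, detail) findings."""
    defined = {cmd.split()[2]: no for no, cmd, _ in tree
               if cmd.startswith("object-group ") and len(cmd.split()) >= 3}
    used, findings = set(), []
    for no, cmd, _ in tree:
        if not cmd.startswith("access-list "):
            continue
        refs = re.findall(r"\bobject-group (\S+)", cmd)
        used.update(refs)
        for name in refs:
            if name not in defined:  # ACL references a group that was never defined
                findings.append((no, "UNDEFINED_GROUP", name))
        if re.search(r"\bpermit ip any any\b", cmd):  # rule allows all IP traffic
            findings.append((no, "PERMIT_ANY_ANY", cmd))
    for name, no in defined.items():
        if name not in used:  # defined but referenced by no access-list
            findings.append((no, "UNUSED_GROUP", name))
    return sorted(findings)

print(*check(parse(SAMPLE)), sep="\n")
```

Keeping the line number in every parsed node is what lets each finding point back to the exact configuration line a reviewer has to look at.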


  • Good knowledge of Java or Python
  • Basic knowledge of, or interest in, parsing techniques
  • Motivation to learn about new technologies (routers, firewalls, parsers, ...)
  • Willingness to work as a Werkstudent at ScanPlus during the thesis



Stefan Kögel