Po$H Pete | Those who can… $cript
16 Jan 2011

IP Subnet Tracking With .NET

If you've ever worked in an environment with multiple DMZs and lots of servers, you may relate to the problem of working out which interface, behind which firewall, a given server sits on. I had exactly this issue and set about working out how to normalise the IP data, or hash it, so that it can be compared. Once you have the IP and subnet information of your firewall interfaces hashed, you can easily compare it against the IP tables of your servers to track them through the network.

To do this, we run a bitwise AND of the IP address against the subnet mask using the .NET IPAddress object. The following function takes an IP address and subnet mask as strings and returns the resulting network address as a decimal number, a hash you can store and use later for comparison.

Function Get-Subnet($strIP,$strSubnet)
{
	# [Net.IPAddress] lives in System.dll, which PowerShell loads by default,
	# so no Add-Type call is needed here
	$IP = [Net.IPAddress]::Parse($strIP)
	$Subnet = [Net.IPAddress]::Parse($strSubnet)
	# Bitwise AND of address and mask yields the network address as an Int64.
	# IPAddress.Address is IPv4-only (and marked obsolete in .NET); the value is
	# in network byte order, which is fine as long as both sides of a comparison
	# are produced by this same function.
	$Network = $IP.Address -band $Subnet.Address
	Return $Network
}

Now all you need to do is store all of your firewall interface data in a database table somewhere and use it to look up the hashed IP and subnet values of your servers.
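As an added example (not code from the original post), the lookup described above carried through end to end: the interface inventory below is constructed and stands in for the database table, and the function names are my own. It goes one step beyond the post by masking the server's address with each interface's mask and picking the longest prefix, so nested networks and a server with a misconfigured mask are still resolved correctly.

```powershell
# Returns the IPv4 network address and prefix length for an address/mask pair.
function Get-NetworkKey {
    param([string]$Address, [string]$Mask)
    $ip = ([Net.IPAddress]::Parse($Address)).GetAddressBytes()
    $mk = ([Net.IPAddress]::Parse($Mask)).GetAddressBytes()
    if ($ip.Length -ne 4 -or $mk.Length -ne 4) { throw "IPv4 address and mask required" }
    # Per-octet bitwise AND gives the network address
    $net = for ($i = 0; $i -lt 4; $i++) { $ip[$i] -band $mk[$i] }
    # Prefix length is the number of set bits in the mask
    $prefix = 0
    foreach ($b in $mk) { $prefix += ([Convert]::ToString($b, 2) -replace '0', '').Length }
    [pscustomobject]@{ Network = ($net -join '.'); Prefix = $prefix }
}

# Constructed firewall interface inventory (stand-in for the database table)
$interfaces = @(
    [pscustomobject]@{ Firewall = 'fw-dmz1'; Interface = 'outside'; IP = '10.1.20.1'; Mask = '255.255.255.0'   }
    [pscustomobject]@{ Firewall = 'fw-dmz1'; Interface = 'dmz';     IP = '10.1.21.1'; Mask = '255.255.255.128' }
    [pscustomobject]@{ Firewall = 'fw-core'; Interface = 'inside';  IP = '10.1.0.1';  Mask = '255.255.0.0'     }
)

# Finds the interface whose network contains the server. The server address is masked
# with each interface's mask (not the server's own), and the longest prefix wins when
# networks nest; MaskMatchesServer flags a server whose configured mask disagrees.
function Find-FirewallInterface {
    param([string]$ServerIP, [string]$ServerMask, [object[]]$Inventory)
    $hits = foreach ($iface in $Inventory) {
        $ifNet  = Get-NetworkKey -Address $iface.IP -Mask $iface.Mask
        $srvNet = Get-NetworkKey -Address $ServerIP -Mask $iface.Mask
        if ($srvNet.Network -eq $ifNet.Network) {
            [pscustomobject]@{
                Firewall          = $iface.Firewall
                Interface         = $iface.Interface
                Network           = "$($ifNet.Network)/$($ifNet.Prefix)"
                Prefix            = $ifNet.Prefix
                MaskMatchesServer = ($iface.Mask -eq $ServerMask)
            }
        }
    }
    $hits | Sort-Object Prefix -Descending | Select-Object -First 1
}

# 10.1.20.57 sits in both 10.1.0.0/16 and 10.1.20.0/24; the /24 (fw-dmz1 outside) is reported
Find-FirewallInterface -ServerIP '10.1.20.57' -ServerMask '255.255.255.0' -Inventory $interfaces
# A server with a /24 mask on the /25 dmz segment still resolves, with MaskMatchesServer = False
Find-FirewallInterface -ServerIP '10.1.21.5' -ServerMask '255.255.255.0' -Inventory $interfaces
```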

Taking this a few steps further, I have written a module which parses Cisco PIX and ASA firewall configs, and Cisco ACE and CSS configs, into a normalised format in a database. You can then easily write a lookup tool which sits on top of that. This is something I'm planning on posting in the coming days...