Methods and apparatus, including computer program products, implementing and using techniques for network modeling and device configuration. A security information and event manager is configured to receive log data from third party devices connected to a network. A notification is received each time a specific third party device generates a predetermined event in response to traffic at the specific third party device. The notification includes event information inferring network topology information, which network topology information includes third party device location information, firewall event information, source and destination networks. In response to receiving this information, a state of each third party device is generated, using inferred information over a predetermined period. An access control list is generated for each third party device, by using the inferred information over the predetermined period.