Nipper – Network device Security Audit tool

Nipper is an Opensource tool for network device congiguration and security audit. Nipper performs security audits of network device configuration files. The report produced by Nipper includes; detailed security-related issues with recommendations, a configuration report and various appendices. Nipper can run on both Windows and Linux operating system. Nipper can be downloaded from here Nipper currently supports the following Network devices:

Cisco IOS-based Switches

Cisco IOS-based Routers

Cisco IOS-based Catalysts

Cisco NMP-based Catalysts

Cisco CatOS-based Catalysts

Cisco PIX-based Firewalls

Cisco ASA-based Firewalls

Cisco FWSM-based Firewalls

Cisco CSS-based Content Service Switches

Juniper NetScreen ScreenOS-based Firewalls

Simply capture the configuration of the Network device onto a text file and run it through Nipper to Audit the config file and output its Audit results in HTML,XML,latex or plain text format. There are a lot of options that can be specified at the command line, a simplest command that show what Nipper is upto will be.

The following is an example of running Nipper on Windows from the download directory on a Cisco IOS Switch config file

c:\Nipper>nipper –ios-switch –input=test.cfg.tct –output=output.html

where,

–ios-switch is the device type

–input specifies the device config text file

–output specifies the output file.

This creates the output file in the current directory (or where mentioned to). What impresses is the orderly formatting of the results with a great deal of information, good enough to understand the imapct of any identified issue. Nipper performs a security audit of a device and produces a report which can include the following sections:

Security Related Issues Introduction

The issues Configuration Report Introduction

The configuration Appendix Section

Abbreviations

Timezones

Common Ports

Logging Severity Levels

Version Details

During a security audit Nipper can test passwords and connection timeouts, these can be configured from the command line.

The configurable options are:

Timeout

Minimum Password Length

Passwords must contain upper case characters

Passwords must contain lower case characters

Passwords must contain numbers

Passwords must contain special characters

Passwords can contain upper or lower case characters

Dictionary for testing against passwords 

Nipper will decode Cisco type 7 passwords, other passwords can be output to a john-the-ripper file for further testing. Nipper includes support for a variety of different device types and gathers a lot of information whilst performing a security audit. However, nipper does not gather all information from a device configuration.

The following describes what information is used and what security issues nipper identifies.

IOS-Based Configuration Settings

• Hostname
• IOS Version
• Timezone and offsets
• Authorative Time Source
• Service Password Encryption
• Minimum Password Length
• IP Source Routing
• Bootp
• Service Config
• TCP Keep Alives
• Cisco Express Forwarding
• Gratuitous ARP
• Classless Routing
• Domain Name
• Domain Lookup
• DNS Servers
• Enable Passwords
• Users
• Privilages
• Banner
• Telnet
• SSH
• HTTP
• Finger
• TCP / UDP Small Services
• NTP
• SNMP 1, 2 and 3
• CDP
• PAD
• Logging
• Syslog
• Buffered Logging
• Terminal Logging
• FTP
• TACACS
• AAA
• BGP
• VRRP
• EIGRP
• RIP
• OSPF
• Routes
• Route Maps
• Keys and Key Chains
• Lines
• Interfaces
• VTP
• Switch Ports
• NAT (All types)
• ACL (All types)

IOS-Based Security Issues

• Software Versions
• Dictionary-Based / Default Passwords
• Weak Passwords
• Auto-Configuration
• IP Directed Broadcasts
• BGP Route Dampening
• OSPF Authentication
• EIGRP Authentication
• RIP Authentication
• VRRP Authentication
• TCP Keep Alives
• Connection Timeouts
• AUX Port
• Source Routing
• Finger
• HTTP
• SNMP Version 1 / 2
• Telnet
• Redirects
• Access Lists
• uRPF Verification
• Switch Port Mode
• Switch Port Security
• Logging
• Proxy ARP
• SSH Protocol Version
• CDP
• Classless Routing
• Minimum Password Length
• Bootp
• TCP / UDP Small Servers
• IP Unreachables
• IP Mask Reply
• Enable Secret
• Password Encryption
• Banners
• Domain Lookup
• PAD
• MOP

PIX/ASA/FWSM-Based Configuration Settings

• Hostname
• Domain Name
• Version
• Transparent Firewall
• Enable Password
• Users
• SSH
• Interfaces
• NAT / PAT
• Routing
• Access Control Lists
• ICMP Access
• Protocol Analysis
• Group Objects
• Name Mappings

PIX/ASA/FWSM-Based Security Issues

• Connection Timeouts
• Access Control Lists
• SSH Protocol Version

CSS-Based Configuration Settings

• Hostname (a little hack, recommend specifying)
• CSS Version
• FTP Server
• SNMP
• SSH Server
• Telnet Server
• Web Management Server
• Access Control Lists

CSS-Based Security Issues

• SNMP
• Telnet
• Access Control Lists

CatOS/NMP-Based Configuration Settings

• Hostname
• NMP Version
• Location
• Contact
• Core Files
• Syslog Files
• Idle Session Timeout
• Port Security Auto Configure
• Enable Passwords
• Login Passwords
• ICMP Redirects
• IP Unreachables
• IP Fragmentation
• CDP
• SNMP
• Permit Lists
• VLAN Configuration

CatOS/NMP-Based Security Issues

• Dictionary-Based / Default Passwords
• Weak Passwords
• Connection Timeouts
• IP Redirects
• CDP
• IP Unreachables

ScreenOS-Based Configuration Settings

• Hostname
• Administrative Settings
• Users
• Alerting
• Timeouts
• Authentication Server
• Admin Privilages
• SSH
• Interfaces
• Policies
• Name Lists

ScreenOS-Based Security Issues

• Policies
• Connection Timeout
• Administrative HTTP Redirect
• Management IP Address

For more information and options, please visit here