Audit your Cisco/Netscreen configs with Nipper
http://www.security-database.com/toolswatch/Nipper-version-93-released.html
This software works both in Windows and Linux.
nipper processes network device configuration files, performs a security audit and outputs a security report with recommendations and a configuration report. nipper currently supports Cisco IOS, PIX, ASA, FWSM, NMP, CatOS and Juniper NetScreen devices.
This tool has been tested by Security-Database.com against PIX, Cisco and NetScreen. Some improvements should be reviewed to correct bugs or wrong interpretations. But Nipper will be great for auditing filtering devices configurations.
This new 0.93 release comes with theses changes :
- Improved: XML appendix and configuration subsection tags.
- Improved: XML table tag reference.
- Improved: Added an XML section tag reference.
- Improved: Dictionary-based password checking using the small built in dictionary.
- Improved: A really minor PQR change to the report text.
- Improved: Minor tweaks to the on-line help text.
- Fixed : Typo in the report markup language.
- Fixed : PIX Access List Segmentation Fault.
- Fixed : Bug 1703687, which fixes the handling of quoted text, specifically with NetScreen devices.
I actually took the time to try this program out today before posting about it here. I only tested it on one of my Cisco PIX firewall configs and I was very impressed with the output. I highly recommend it.
Being the paranoid person I am, I loaded up an old XP VMware image, created a Snapshot, downloaded the tool (the Cygwin DLL is too big for a floppy), turned the Ethernet adapter off, and copied the firewall config over on a floppy. After running the report I deleted the Snapshot.
The report came out to around 15 pages and presented everything very nicely. It alerted me to problem ACE’s and presented the rest of the config in a nice layout.
This is the command parameters I used:
nipper –input=config.txt –output=output.html –output-format=html