Tip

Nipper audits routers, reveals insecure settings

A solid security audit includes a review of routers and firewalls, which is exactly what Nipper, an open source network infrastructure parser, excels at. Nipper examines router and firewall configuration files and generates an easy to understand report

    Requires Free Membership to View

that highlights key settings and shows how they can affect security.

Nipper supports a number of popular security devices, including Check Point Software Technologies Ltd.'s Firewall-1, Cisco Systems Inc. routers (IOS), Cisco Security Appliances, Juniper Networks Inc.'s NetScreen, SonicWall Inc. and others.

A Nipper security audit checks configuration settings, password strength, potential problems with protocols and more. The password audit reveals weak passwords or those vulnerable to a dictionary attack, and can export encrypted passwords in a format ready for brute-force attack with a john-the-ripper file. The OS check identifies known vulnerabilities, providing CVE reference and BugTraq IDs. An ACL audit detects rules that are wide open to the point of being insecure, and spots insecure settings -- such as the failure to authenticate OSPF and RIP updates. Checks are customizable, which allows audits to target specific compliance requirements.

Nipper runs on Windows, Mac OS X and Linux at the command line, though there is a rudimentary GUI for using it within Windows. Nipper audits against an exported copy of a router's configuration file, so a router is never touched or changed during the audit.

It also supports reporting to HTML, XML, Latex and ASCII. Reports note observed findings, potential effects and provide recommendations in understandable English. The recommendations are helpful for understanding possible weaknesses, but the tool can not determine if, say, having IP source routing turned on is necessary to an organizations operations for their environment.

In general, Nipper is a good tool for helping organizations keep routers and firewalls configured correctly.

About the author:
Scott Sidel is an ISSO with Lockheed Martin

This was first published in February 2009

There are Comments. Add yours.

 
TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.