Juniper NetScreen Firewalls

Nipper requires a copy of the Juniper NetScreen firewall configuration file in order to produce a report. This page provides information on how to retreive the configuration from a NetScreen device and how to use Nipper to produce a report.

This page contains the following:

• Getting The Device Configuration
  • HTTPS
  • TFTP
  • CLI Capture
• Using Nipper
  • Report Formats
  • Password Auditing
  • Policy Auditing
  • Configuration File
• Example Configurations

Getting The Device Configuration

This section outlines different methods of obtaining a copy of your Juniper NetScreen devices configuration.

I would strongly advise that HTTP, Telnet and TFTP are not used to transfer the configuration file from your device as no encryption is used during the transfer. This means that an attacker who is able to monitor your network connection could capture not only the configuration file but, in the case of HTTP and Telnet, the authentication credentials used to access the device. Additionally, TFTP servers provide no authentication and typically provide weak security settings. If you leave a TFTP server active with files offered by it, don't be suprised if one day an unauthorised person has obtained copies of them.

HTTP(S)

The procedure for getting the configuration from the device using HTTP(S) is as follows:

1. Using your favorite web browser, connect to the HTTP(S) service provided by your Juniper NetScreen device for remote management.
2. Login.
3. Select from the menu, "Configuration", then "Update" and finally, "Config File".
4. Click the "Save To File" button to save the configuration to a local file (see screenshot below).

TFTP

The TFTP configuration file transfer procedure is provided below.

1. Connect to the netscreen device using SSH, via the Console or using Telnet.
2. Login to your Juniper NetScreen device
3. Transfer the configuration using the following TFTP command:
    

   save config to tftp ipaddress filename from interface interface

   You will need to specify the IP address, filename and the interface to be sent from.

CLI Capture

You can connect to the Command Line Interface (CLI) of your Juniper NetScreen device using a SSH client, Telnet or through the console port. Use the following procedure to obtain a copy of the configuration file:

1. Connect to the Juniper NetScreen using SSH, Telnet or a console connection.
2. Login.
3. Execute the CLI command get config and capture the output
4. Save the captured output to a file and remove any visible page lines (i.e. --More--).

Using Nipper

Nipper has a number of different options to change how a Juniper NetScreen firewall configuration is processed, some of these options are described latter in this section. A Juniper NetScreen configuration can be processed with the following command:

nipper --screenos --input=netscreen.config --output=report.html

Report Formats

Nipper currently supports HTML, XML, Latex and ASCII text report formats. The default format is HTML. The following command line options can be used to tell Nipper to output to a specific format:

• --html - HTML report format.
• --xml - XML report format.
• --latex - Latex report format.
• --text - ASCII text report format.

Password Auditing

As part of a security audit of your device configuration, Nipper will audit the passwords, authentication keys and community strings. The audit is based on a password policy which can be defined, otherwise Nipper will use its own builtin password policy. Additionally, the passwords are compared to a small internal dictionary of common passwords (an external dictionary can also be used.

The following command options can be used to modify the password audit settings:

• --pass-length={length} - The minimum password length.
• --pass-uppers={yes | no} - A password MUST contain uppercase characters.
• --pass-lowers={yes | no} - A password MUST contain lowercase characters.
• --pass-either={yes | no} - A password MUST contain lowercase or uppercase characters (including combinations).
• --pass-numbers={yes | no} - A password MUST contain numbers.
• --pass-specials={yes | no} - A password MUST contain special characters (i.e. non-alphanumeric).

The output of passwords to the report can be disabled and any encrypted passwords can be output to an external file for further analysis by other tools. The following are other password options:

• --no-passwords - Do not output passwords to the report, auditing will still take place.
• --john={filename} - Create an external file with the encrypted passwords (john-the-ripper format).
• --dictionary={dictionary file} - A dictionary file to test the passwords against.

Policy Auditing

As part of a security audit of your device configuration, Nipper will audit the network filtering policy and rules. The audit is based on a network filtering policy which can be defined, otherwise Nipper will use its own builtin defaults.

The following command options can be used to enable checking for particular issues:

• --any-source - Policy rules MUST NOT permit access from any source.
• --network-source - Policy rules MUST NOT permit access from a network source.
• --any-destination - Policy rules MUST NOT permit access to any destination.
• --network-destination - Policy rules MUST NOT permit access to a network destination.
• --destination-service - Policy rules MUST NOT permit access to any destination service.
• --disabled-rules - NO disabled rules.
• --reject-rules - NO reject rules (rules must deny).
• --log-rules - All rules must log.
• --deny-log - A deny or reject rule MUST log.
• --log-deny-rules - A policy MUST end with a deny all and log.

Each setting can be reversed using a --no-{policy} instead of --{policy}.

The Policy can be output to a seperate CSV file for further analysis, you simply have to supply Nipper with the name of the CSV file you would like it to write to. This can be done using --csv=rulesfile.csv, where rulesfile.csv is the name of the CSV file.

Configuration File

All the settings described in this section and more can be configured using an external configuration file. On Linux and UNIX type systems this file is called nipper.conf and is typically stored in /etc. On Windows systems the file is called nipper.ini and will be automatically loaded from the current directory. These files are essentially the same and if not found Nipper will use internal default settings.

A specific external configuration file can be specified on the command line using --config={Config Filename}.

The file is self documenting and generally relates to the various command line options. The default configuration file can be downloaded from here.

Example Configurations

Listed below are example Juniper NetScreen configurations and the reports that Nipper will generate from them.

• netscreen.config - Nipper 0.11.5 report.