Nortel Passport

Nipper requires a copy of the Nortel Passport configuration file in order to produce a report. This page provides information on how to retrieve the configuration from a device and how to use Nipper to produce a report.

Getting The Configuration File

This section outlines different methods of obtaining a copy of your Nortel Passport configuration.

I would strongly advise that HTTP, Telnet and TFTP are not used to transfer the configuration file from your device, as no encryption is used during the transfer. This means that an attacker who is able to monitor your network connection could capture not only the configuration file but, in the case of HTTP and Telnet, the authentication credentials used to access the device. Additionally, TFTP servers provide no authentication and typically provide weak security settings. If you leave a TFTP server active with files offered by it, don't be surprised if one day an unauthorised person has obtained copies of them.

CLI Capture

You can connect to the Command Line Interface (CLI) of your Nortel Passport using a variety of clients such as Telnet or through the console port. Use the following procedure to obtain a copy of the configuration file:

  1. Connect to the Nortel Passport device.
  2. Login.
  3. Type the following command:
    show config
  4. Save the captured output to a file and remove any visible page lines (i.e. "<--- More --->").
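One way to carry out step 4 from a shell, as an added example that is not part of Nipper or its documentation: it strips the "<--- More --->" pager prompt from a saved capture and writes the cleaned copy with owner-only permissions, since the file holds the device configuration. The file names, the sample lines and the handling of carriage returns and backspaces left by the terminal client are assumptions.

```shell
#!/bin/sh
# Added example, not part of Nipper. File names are placeholders.

# Write a constructed capture: placeholder lines (not real Passport syntax)
# with CRLF line endings and the pager prompt from step 4.
make_sample_capture() {
    printf 'constructed line one\r\n<--- More --->\r\n' > "$1"
    printf 'constructed line two\r\n\r\n' >> "$1"
    printf '<--- More --->   \b\b\bconstructed line three\r\n' >> "$1"
}

# Count lines that still contain the pager prompt.
count_pager_lines() {
    awk '/<--- More --->/ { n++ } END { print n + 0 }' "$1"
}

# clean_passport_capture RAW CLEAN (RAW and CLEAN must be different files)
clean_passport_capture() {
    in=$1
    out=$2
    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }

    # The configuration may hold credentials and filter rules: create the
    # cleaned copy readable by the current user only.
    old_umask=$(umask)
    umask 077
    rm -f -- "$out"

    # Strip carriage returns and backspaces left by the terminal client,
    # remove the pager prompt, and drop lines that held only the prompt.
    tr -d '\r\b' < "$in" |
        awk '{
            had = gsub(/<--- More --->/, "")
            if (had && $0 ~ /^[ \t]*$/) next
            print
        }' > "$out"
    status=$?
    umask "$old_umask"
    return "$status"
}

# Usage: clean_passport_capture capture.txt cleaned.config
```

Blank lines that were part of the original output are kept; only lines that contained nothing but the pager prompt are dropped.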

Using Nipper

Nipper has a number of different options to change how a Nortel Passport configuration is processed. Some of these options are described later in this section. The configuration can be processed with the following command:


nipper --passport --input=accelar.config --output=report.html

Report Formats

Nipper currently supports HTML, XML, LaTeX and ASCII text report formats. The default format is HTML. The following command line options can be used to tell Nipper to output to a specific format:

Filter Set Auditing

As part of a security audit of your device configuration, Nipper will audit the filter sets. The audit is based on a network filtering policy, which can be defined; otherwise Nipper will use its own built-in defaults.

The following command options can be used to enable checking for particular issues:

Each setting can be reversed using a --no-{policy} instead of --{policy}.

The Filter Set can be output to a separate CSV file for further analysis. You simply have to supply Nipper with the name of the CSV file you would like it to write to. This can be done using --csv=rulesfile.csv, where rulesfile.csv is the name of the CSV file.

Configuration File

All the settings described in this section and more can be configured using an external configuration file. On Linux and UNIX type systems this file is called nipper.conf and is typically stored in /etc. On Windows systems the file is called nipper.ini and will be automatically loaded from the current directory. These files are essentially the same and if not found Nipper will use internal default settings.

A specific external configuration file can be specified on the command line using --config={Config Filename}.

The file is self documenting and generally relates to the various command line options. The default configuration file can be downloaded from here.