Cisco Security Appliances
Nipper requires a copy of the Cisco Adaptive Security Appliance (ASA), Private Internet Exchange (PIX) or Firewall Service Module (FWSM) configuration file in order to produce a report. This page provides information on how to retrieve the configuration from a device and how to use Nipper to produce a report.
Getting The Configuration File
This section outlines different methods of obtaining a copy of your Cisco PIX security appliance's configuration.
I would strongly advise that HTTP, Telnet and TFTP are not used to transfer the configuration file from your device, as no encryption is used during the transfer. This means that an attacker who is able to monitor your network connection could capture not only the configuration file but, in the case of HTTP and Telnet, the authentication credentials used to access the device. Additionally, TFTP servers provide no authentication and typically have weak security settings. If you leave a TFTP server active with files offered by it, don't be surprised if one day an unauthorised person has obtained copies of them.
HTTPS
This section outlines the procedure for getting the configuration from the device using Cisco PIX Device Manager (PDM). If you have not used PDM before, you will need a Java web browser plugin installed. The procedure is as follows:
- Using your favorite web browser, connect to the HTTPS service provided by your Cisco PIX for remote management.
- Login.
- Click the "Launch PDM" button if it is not automatically launched.
- From the file menu, select "Show Running Configuration in New Window..." (see PDM screenshot).
- Save the contents of the browser to a file.
TFTP
The TFTP configuration file transfer procedure is provided below.
- Connect to the Cisco PIX device using SSH, Telnet, PDM or through a console connection.
- Login to your Cisco PIX device.
- Transfer the configuration using the following TFTP command:
write net {IP Address}:{Filename}
{IP Address} is the address of your TFTP server and {Filename} is the name of the file on the TFTP server to save the configuration to. PDM also provides a file menu option that performs the same transfer.
CLI Capture
You can connect to the Command Line Interface (CLI) of your Cisco PIX using a SSH client, Telnet or through the console port. Use the following procedure to obtain a copy of the configuration file:
- Connect to the Cisco PIX using SSH, Telnet or a console connection.
- Login.
- Type the following command:
enable
- Enter the enable password.
- Execute the following enable command and capture the output:
show run
- Save the captured output to a file and remove any visible page lines (i.e. "<--- More --->").
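The last step above is easy to get wrong by hand when the capture is long. The following Python function is an added example (not part of the original page or of Nipper) that strips the pager lines, the terminal control characters that erase them, and the command prompt lines from a captured "show run" session; the sample capture is constructed and the prompt format "hostname#" is assumed.

```python
import re

PAGER = "<--- More --->"                          # pager marker named on the page
CTRL = re.compile(r"\x08|\x1b\[[0-9;]*[A-Za-z]")  # backspaces / ANSI codes used to erase it
# Assumed prompt lines to drop, e.g. "pixfirewall# show run" or a bare "pixfirewall#"
PROMPT = re.compile(r"^\S+[#>]\s*(show run(ning-config)?)?$")


def clean_capture(raw: str) -> str:
    """Return the captured 'show run' output with pager and prompt residue removed."""
    out, after_pager = [], False
    for line in re.split(r"\r\n|\r|\n", raw):
        line = CTRL.sub("", line)
        if line.strip() == PAGER:                 # pager on a line of its own
            after_pager = True
            continue
        if line.startswith(PAGER):                # pager erased with backspaces, config follows
            line = line[len(PAGER):]
        elif after_pager and not line.strip():    # spaces written to blank out the pager
            continue
        after_pager = False
        if PROMPT.match(line.strip()):
            continue
        out.append(line.rstrip())
    return "\n".join(out).rstrip("\n") + "\n"


# Constructed capture: CR/LF endings, one pager erased with CR+spaces, one with backspaces.
SAMPLE = (
    "pixfirewall# show run\r\n"
    ": Saved\r\n"
    "PIX Version 6.3(5)\r\n"
    "nameif ethernet0 outside security0\r\n"
    "<--- More --->\r              \rnameif ethernet1 inside security100\r\n"
    "<--- More --->" + "\x08" * 14 + "hostname pixfirewall\r\n"
    ": end\r\n"
    "pixfirewall#\r\n"
)

if __name__ == "__main__":
    print(clean_capture(SAMPLE), end="")
```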
Using Nipper
Nipper has a number of different options to change how a Cisco security appliance configuration is processed; some of these options are described later in this section. A Cisco ASA security appliance configuration can be processed with the following command:
nipper --asa --input=asa.config --output=report.html
A Cisco PIX security appliance configuration can be processed with the following command:
nipper --pix --input=pix.config --output=report.html
A Cisco FWSM security appliance configuration can be processed with the following command:
nipper --fwsm --input=fwsm.config --output=report.html
Report Formats
Nipper currently supports HTML, XML, Latex and ASCII text report formats. The default format is HTML. The following command line options can be used to tell Nipper to output to a specific format:
- --html - HTML report format.
- --xml - XML report format.
- --latex - Latex report format.
- --text - ASCII text report format.
Password Auditing
As part of a security audit of your device configuration, Nipper will audit the passwords, authentication keys and community strings. The audit is based on a password policy which can be defined; otherwise Nipper will use its own built-in password policy. Additionally, the passwords are compared to a small internal dictionary of common passwords (an external dictionary can also be used).
The following command options can be used to modify the password audit settings:
- --pass-length={length} - The minimum password length.
- --pass-uppers={yes | no} - A password MUST contain uppercase characters.
- --pass-lowers={yes | no} - A password MUST contain lowercase characters.
- --pass-either={yes | no} - A password MUST contain lowercase or uppercase characters (including combinations).
- --pass-numbers={yes | no} - A password MUST contain numbers.
- --pass-specials={yes | no} - A password MUST contain special characters (i.e. non-alphanumeric).
The output of passwords to the report can be disabled, and any encrypted passwords can be output to an external file for further analysis by other tools. The following are the other password options:
- --no-passwords - Do not output passwords to the report, auditing will still take place.
- --john=(unknown) - Create an external file with the encrypted passwords (john-the-ripper format).
- --dictionary={dictionary file} - A dictionary file to test the passwords against.
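To show what the --pass-* options and the dictionary check amount to, here is an added Python example (not Nipper's own code): it pulls cleartext secrets out of a PIX-style configuration, reports which policy requirements each one fails, and sets hashed passwords aside since they cannot be policy-checked. The configuration lines, the policy values and the command syntax matched by the regular expressions are assumptions for PIX 6.x and the hash values are constructed placeholders.

```python
import re

DEFAULT_POLICY = {"length": 8, "uppers": False, "lowers": False, "either": True,
                  "numbers": True, "specials": False}      # stands in for the --pass-* options
COMMON = {"cisco", "password", "public", "private", "secret"}  # stands in for the builtin dictionary


def policy_failures(secret, policy=DEFAULT_POLICY, dictionary=COMMON):
    """Names of the --pass-* requirements (and 'dictionary') that a cleartext secret fails."""
    tests = {"length": len(secret) >= policy.get("length", 0),
             "uppers": any(c.isupper() for c in secret),
             "lowers": any(c.islower() for c in secret),
             "either": any(c.isalpha() for c in secret),       # upper or lower, any mix
             "numbers": any(c.isdigit() for c in secret),
             "specials": any(not c.isalnum() for c in secret)}
    failed = [k for k, ok in tests.items() if policy.get(k) and not ok]
    if secret.lower() in dictionary:
        failed.append("dictionary")
    return failed


# Cleartext secret forms (assumed PIX 6.x syntax); group 1 is the secret.
CLEAR = [re.compile(p) for p in (
    r"^snmp-server community (\S+)",
    r"^isakmp key (\S+) address",
    r"^aaa-server \S+ \(\S+\) host \S+ (\S+)",
    r"^vpdn username \S+ password (\S+)")]
# Hashed forms: not policy-checked, collected for offline analysis (what --john is for).
HASHED = re.compile(r"^(enable password|passwd) (\S+) encrypted$")


def audit_config(config):
    """Return ({config line: [failures]} for cleartext secrets, [hashes]) from a config."""
    findings, hashes = {}, []
    for line in config.splitlines():
        line = line.strip()
        m = HASHED.match(line)
        if m:
            hashes.append(m.group(2))
            continue
        for pat in CLEAR:
            m = pat.match(line)
            if m:
                findings[line] = policy_failures(m.group(1))
    return findings, hashes


SAMPLE_CONFIG = """\
enable password AbCdEfGhIjKlMnOp encrypted
passwd QrStUvWxYzAbCdEf encrypted
snmp-server community public
isakmp key Sup3r-S3cret! address 203.0.113.7 netmask 255.255.255.255
aaa-server RADIUS (inside) host 10.1.1.5 r4dius timeout 5
"""
```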
ACL Auditing
As part of a security audit of your device configuration, Nipper will audit the Access Control Lists (ACL) and Access Control Entries (ACE). The audit is based on a network filtering policy which can be defined; otherwise Nipper will use its own built-in defaults.
The following command options can be used to enable checking for particular ACL configurations:
- --any-source - ACE MUST NOT allow access from any source.
- --network-source - ACE MUST NOT allow access from a network source.
- --source-service - ACE MUST NOT allow access from any source port.
- --any-destination - ACE MUST NOT allow access to any destination.
- --network-destination - ACE MUST NOT allow access to a network destination.
- --destination-service - ACE MUST NOT allow access to any destination port.
- --disabled-rules - There MUST be NO disabled ACE.
- --log-rules - All ACEs MUST log.
- --deny-log - A deny ACE MUST log.
- --log-deny-rules - ACL MUST end with a deny all and log.
Each setting can be reversed by using --no-{policy} instead of --{policy}.
The ACLs can be output to a separate CSV file for further analysis; you simply have to supply Nipper with the name of the CSV file you would like it to write to. This is done using --csv=rulesfile.csv, where rulesfile.csv is the name of the CSV file.
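The following Python is an added example (not Nipper's own implementation) of what the ACL policies listed above check: it parses PIX/ASA "access-list" lines in the any/host/network address forms and names every policy each ACE violates, with --log-deny-rules checked once per ACL. The sample ACEs are constructed, and the parser is assumed to cover only those address forms (object-group and interface forms return None).

```python
ANY, HOST, NET = "any", "host", "network"


def parse_ace(line):  # PIX/ASA 'access-list' line -> dict, or None for lines not modelled
    t = line.split()
    if len(t) < 7 or t[0] != "access-list" or t[2] not in ("permit", "deny", "extended"):
        return None                                   # remark, object-group, standard ACL, ...
    name, t = t[1], t[3:] if t[2] == "extended" else t[2:]
    ace = {"acl": name, "action": t[0], "proto": t[1], "log": "log" in t, "inactive": "inactive" in t}
    t = t[2:]
    for side in ("src", "dst"):
        kind = t[0] if t else ""
        if kind == "any":
            ace[side], t = ANY, t[1:]
        elif kind == "host":
            ace[side], t = HOST, t[2:]
        elif kind[:1].isdigit() and len(t) > 1:       # "a.b.c.d mask"
            ace[side], t = (HOST if t[1] == "255.255.255.255" else NET), t[2:]
        else:
            return None                               # object-group, interface, ... not handled
        n = {"eq": 2, "gt": 2, "lt": 2, "neq": 2, "range": 3}.get(t[0], 0) if t else 0  # port clause
        ace[side + "_port"], t = " ".join(t[:n]) or None, t[n:]
    return ace


def violations(a):  # names of the --{policy} options above that this single ACE breaks
    p, s = a["action"] == "permit", a["proto"] in ("tcp", "udp")
    rules = {"any-source": p and a["src"] == ANY, "network-source": p and a["src"] == NET,
             "source-service": p and s and not a["src_port"],
             "any-destination": p and a["dst"] == ANY, "network-destination": p and a["dst"] == NET,
             "destination-service": p and s and not a["dst_port"],
             "disabled-rules": a["inactive"], "log-rules": not a["log"],
             "deny-log": a["action"] == "deny" and not a["log"]}
    return [k for k, v in rules.items() if v]


def audit(config):  # (acl, ace text, policy) findings; filter on policy name to mirror --no-{policy}
    out, last = [], {}
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if ace:
            last[ace["acl"]] = (line.strip(), ace)
            out += [(ace["acl"], line.strip(), c) for c in violations(ace)]
    for name, (text, a) in last.items():   # --log-deny-rules: ACL must end with a logged deny-all
        if not (a["action"] == "deny" and a["log"] and a["src"] == ANY and a["dst"] == ANY):
            out.append((name, text, "log-deny-rules"))
    return out


SAMPLE_ACL = "\n".join([  # constructed ACEs, not from any real device
    "access-list outside_in permit tcp any host 192.0.2.10 eq 443 log",
    "access-list outside_in deny ip any any log",
    "access-list inside_out permit tcp 10.0.0.0 255.255.255.0 any inactive"])
```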
Configuration File
All the settings described in this section and more can be configured using an external configuration file. On Linux and UNIX-type systems this file is called nipper.conf and is typically stored in /etc. On Windows systems the file is called nipper.ini and will be automatically loaded from the current directory. These files are essentially the same, and if neither is found Nipper will use its internal default settings.
A specific external configuration file can be specified on the command line using --config={Config Filename}.
The file is self documenting and generally relates to the various command line options. The default configuration file can be downloaded from here.
Example Configurations
Listed below are example Cisco security appliance configurations and the reports that Nipper will generate from them.
- Cisco PIX pix.config - Nipper 0.11.5 report.