Re: Nipper and Cisco configuration results
I did see a few false positives too with Nipper. What do you think about Router Audit Tool (RAT) instead? I downloaded ncat (aka RAT), but it does not have a global configuration file which I can use for all the routers and switches I have. Any tips on ncat/RAT configuration? I could not find any examples on using ncat.

Subba Rao

--- On Fri, 4/3/09, Christopher <chrismcc@pricegrabber.com> wrote:

From: Christopher <chrismcc@pricegrabber.com>
Subject: Re: Nipper and Cisco configuration results
To: "nanog" <nanog@nanog.org>
Date: Friday, April 3, 2009, 12:36 PM

On Thu, 2009-04-02 at 15:33 -0700, Subba Rao wrote:
I am using Nipper for verifying my Cisco configuration. Nipper is finding the "rlogin" service that is not in the configuration. I have searched the access lists and do not see it anywhere. The explanation by Nipper about this finding, "....Telnet protocol implemented by this service...." is confusing.
The problem, IMHO, is nipper. You might or might not have the rlogin service enabled, but nipper has so many false positives I find it almost useless. In my case, it caught some obvious things I had forgotten to do, but everything else was useless. For instance, from the nipper source code:

    struct vulnerability report_vuln_ios11 = {9, 0, 0, 12, 4, 0, "CVE-2007-0479", "22208", "IPv4 TCP listener denial of service", true, false, vuln_req_none, false, &report_vuln_ios12};

What the above means to nipper is any IOS version 12.0.x, 12.1.x, 12.2.x, 12.3.x is vulnerable, while every 12.4.x version is OK. This is obviously false on *both* counts.
http://www.cisco.com/en/US/products/products_security_advisory09186a00807cb0...

I spent a lot of time trying to explain this to $corporate audit guy that had never even logged into a router, let alone had to choose a stable IOS version for 6500/7600 class hardware.
Here is the Nipper's output:
<snip>
Thank you in advance for any help.
Subba Rao

--
Christopher McCrory
"The guy that keeps the servers running"
chrismcc@pricegrabber.com
http://www.pricegrabber.com

To the optimist, the glass is half full. To the pessimist, the glass is half empty. To the engineer, the glass is twice as big as it needs to be.
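The false-positive mechanism Christopher describes, a flat version range that ignores the IOS train, is easiest to see next to a train-aware check. The Python below is an added example written for this page, not nipper's code and not Cisco's data: the flat-range function simply mirrors the {9,0,0, 12,4,0} bounds from the quoted struct, and the per-train first-fixed table holds constructed placeholder releases, not the real fixed versions for CVE-2007-0479 (those come from the Cisco advisory). The version-string parser and the "unknown" outcome for trains absent from the table are this example's own choices.

```python
import re
from typing import NamedTuple

class IosVersion(NamedTuple):
    major: int
    minor: int
    maint: int      # maintenance number, the part in parentheses
    train: str      # "" for the mainline train, otherwise e.g. "T", "SXH"
    rebuild: int    # trailing rebuild number, 0 if absent

# Handles the common "12.2(33)SXH3" shape: major.minor(maint)TRAIN rebuild.
_VER_RE = re.compile(r"^(\d+)\.(\d+)\((\d+)\)([A-Z]+)?(\d+)?$")

def parse_ios_version(text: str) -> IosVersion:
    m = _VER_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised IOS version string: {text!r}")
    major, minor, maint, train, rebuild = m.groups()
    return IosVersion(int(major), int(minor), int(maint), train or "", int(rebuild or 0))

def flat_range_vulnerable(v: IosVersion, low=(9, 0, 0), high=(12, 4, 0)) -> bool:
    """The check implied by the {9,0,0, 12,4,0} bounds in the quoted struct:
    vulnerable if 9.0(0) <= version < 12.4(0). The train is ignored entirely."""
    return low <= (v.major, v.minor, v.maint) < high

# Per-train first-fixed releases. CONSTRUCTED placeholders for illustration,
# not the real fixed versions for CVE-2007-0479; take those from the advisory.
FIRST_FIXED = {
    ("12.2", "SXF"): parse_ios_version("12.2(18)SXF10"),
    ("12.2", "SXH"): parse_ios_version("12.2(33)SXH"),
    ("12.4", ""):    parse_ios_version("12.4(12)"),
    ("12.4", "T"):   parse_ios_version("12.4(11)T2"),
}

def train_aware_status(v: IosVersion) -> str:
    """'fixed', 'vulnerable' or 'unknown', judged within the version's own train.
    A train absent from the table is reported as unknown rather than guessed."""
    fixed = FIRST_FIXED.get((f"{v.major}.{v.minor}", v.train))
    if fixed is None:
        return "unknown"
    return "fixed" if (v.maint, v.rebuild) >= (fixed.maint, fixed.rebuild) else "vulnerable"

def compare(text: str) -> dict:
    """Run both checks on one version string so the disagreement is visible."""
    v = parse_ios_version(text)
    return {
        "version": text,
        "flat_range": "vulnerable" if flat_range_vulnerable(v) else "ok",
        "train_aware": train_aware_status(v),
    }

if __name__ == "__main__":
    # 12.2(33)SXH3: flat range says vulnerable, the train table says fixed.
    # 12.4(7): flat range says ok, the train table says still vulnerable.
    for ver in ("12.2(33)SXH3", "12.2(18)SXF5", "12.4(7)", "12.3(4)T"):
        print(compare(ver))
```

The point of the side-by-side output is that a flat numeric window produces both a false positive (a rebuild of a fixed SX train that sorts below 12.4) and a false negative (an early 12.4 mainline release that sorts above the window), which is exactly the "false on both counts" Christopher describes; a checker that keys on the train, and admits when it has no data for one, avoids both.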
On 4/3/09, Subba Rao <castellan2004-nsm@yahoo.com> wrote:
I did see a few false positives too with Nipper. What do you think about Router Audit Tool (RAT) instead?
RAT is the approved IOS security audit tool at $work, so it doesn't matter what I think about it :) But it is fairly nice ... as long as you keep in mind its limitations. I looked at Nipper a while back; it had some nice features but not enough to keep me from uninstalling it. The problem I have with both RAT and Nipper is they're geared towards security and I'm more interested in verifying that the routers are configured correctly. What kind of tools are people using for that? For an example of the type of thing I'm interested in, see filter_audit in the presentation at http://www.nanog.org/mtg-0210/abley.html
I downloaded ncat (aka RAT), but it does not have a global configuration file which I can use for all the routers and switches I have.
Works for me.. just remember that RAT is pretty old & fails miserably on things like 6500s that are both routers and switches. So figure out what's common to all your routers and configure RAT to check that set of parameters. Then create another RAT config for L2/L3 switches that doesn't check as much (e.g. don't check for proxy-arp being disabled).

Regards,
Lee
The problem I have with both RAT and Nipper is they're geared towards security and I'm more interested in verifying that the routers are configured correctly. What kind of tools are people using for that? For an example of the type of thing I'm interested in, see filter_audit in the presentation at http://www.nanog.org/mtg-0210/abley.html
Homebrew: pull configs on a regular basis. Decompose monolithic configs into a file tree of "configlets." Diff configlet tree against peer and template devices. "Invert" device specific configlet tree into element specific tree. This helps diffs stand out for config elements that should be consistent. Put it all into a git repository for revision control. Run git-web for the user interface.

Catches most of the obvious stuff, and gives a nice history of changes. The configlet tree also gets used for "grep | xargs" style pipelines for automation scripts.

Would like to improve the diff process to mask out common information (ip address, hsrp priority etc.) This would help reduce the amount of diff noise for interfaces.

We looked at free (RANCID, Ziptie) and expen$ive (Opsware) but none of them really did what we wanted.

Tim:>
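Tim's configlet/invert/diff pipeline, as an added Python example that is not Tim's code and not any of the tools he names: two constructed router configs are split into configlet trees, inverted into element-first form, masked for the per-device values he wants hidden (IP addresses, HSRP priority, and the hostname), and then diffed against a reference device. The section naming rule, the placeholder tokens and the sample configs are this example's own assumptions.

```python
import re
from collections import defaultdict
from difflib import unified_diff

# Constructed sample configs for two HSRP peers (not real device output).
# rtr2 is missing "no ip proxy-arp" on Vlan20 and still allows telnet on vty.
RTR1 = """\
hostname rtr1
service password-encryption
no ip source-route
interface Vlan10
 ip address 10.1.10.2 255.255.255.0
 no ip proxy-arp
 standby 10 ip 10.1.10.1
 standby 10 priority 110
interface Vlan20
 ip address 10.1.20.2 255.255.255.0
 no ip proxy-arp
 standby 20 ip 10.1.20.1
 standby 20 priority 110
line vty 0 4
 transport input ssh
"""
RTR2 = """\
hostname rtr2
service password-encryption
no ip source-route
interface Vlan10
 ip address 10.1.10.3 255.255.255.0
 no ip proxy-arp
 standby 10 ip 10.1.10.1
 standby 10 priority 100
interface Vlan20
 ip address 10.1.20.3 255.255.255.0
 standby 20 ip 10.1.20.1
 standby 20 priority 100
line vty 0 4
 transport input telnet ssh
"""

def split_configlets(text):
    """Decompose a monolithic IOS config into {section: [lines]}.
    An unindented line followed by indented lines opens a section; other
    unindented lines are single global commands collected under 'global'."""
    tree = defaultdict(list)
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("!")]
    current = "global"
    for i, line in enumerate(lines):
        if line.startswith(" "):
            tree[current].append(line.strip())
        elif i + 1 < len(lines) and lines[i + 1].startswith(" "):
            current = line.strip()
            tree.setdefault(current, [])
        else:
            current = "global"
            tree["global"].append(line.strip())
    return dict(tree)

def invert(device_trees):
    """{device: {section: lines}} -> {section: {device: lines}}, so one element
    (e.g. 'interface Vlan10') can be compared across every device at once."""
    inverted = defaultdict(dict)
    for device, tree in device_trees.items():
        for section, lines in tree.items():
            inverted[section][device] = lines
    return dict(inverted)

_IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")
_HSRP_PRIO = re.compile(r"^(standby \d+ priority )\d+$")
_HOSTNAME = re.compile(r"^hostname \S+$")

def mask(lines):
    """Replace values that legitimately differ between peers (addresses, HSRP
    priority, hostname) with placeholders so only real drift shows in a diff."""
    out = []
    for line in lines:
        line = _HOSTNAME.sub("hostname <name>", line)
        line = _IPV4.sub("<ip>", line)
        line = _HSRP_PRIO.sub(r"\1<prio>", line)
        out.append(line)
    return out

def audit(device_configs, reference):
    """Diff every device's masked configlets against the reference device.
    Returns {(device, section): unified-diff lines} for sections that differ."""
    trees = {name: split_configlets(cfg) for name, cfg in device_configs.items()}
    findings = {}
    for section, per_device in invert(trees).items():
        ref = mask(per_device.get(reference, []))
        for device, lines in per_device.items():
            if device == reference:
                continue
            delta = list(unified_diff(ref, mask(lines), lineterm="",
                                      fromfile=f"{reference}/{section}",
                                      tofile=f"{device}/{section}"))
            if delta:
                findings[(device, section)] = delta
    return findings

if __name__ == "__main__":
    for key, delta in audit({"rtr1": RTR1, "rtr2": RTR2}, "rtr1").items():
        print(*delta, sep="\n")
```

With masking in place the Vlan10 section, which differs only in address and HSRP priority, produces no diff at all, while the missing `no ip proxy-arp` on Vlan20 and the telnet transport on the vty lines are the only two findings; without the mask step every interface would show up as changed, which is the noise Tim describes. Writing each configlet to its own file under a device directory and committing the tree is the part left to git.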