March 14, 2008 at 11:30 am #2197
Just spent the morning playing with a little application called Nipper (http://www.titania.co.uk/nipper.php) so I thought I’d share my experiences.
From the site:
Nipper performs security audits of network device configuration files. The report produced by Nipper includes detailed security-related issues with recommendations, a configuration report and various appendices. Nipper has a large number of configuration options which are described on this page.
The current version is 0.11.5; whilst I was initially put off by the low (0.x) version number, it seems to be stable and feature rich. From the changelog the project has been active for over a year and appears to be quite actively developed.
From an external testing viewpoint it isn’t going to be much use as it requires a copy of the relevant device’s configuration to run. However it could speed up a second stage infiltration if this can be obtained via other methods, such as SolarWinds’ configuration retrieval tool for Cisco devices if an SNMP community with read/write privileges can be obtained. Obviously, those auditing their own networks shouldn’t have this problem.
Nipper appears to be a useful tool from an auditing perspective: it investigates the device from a number of different aspects, producing a nicely written and readable report for output (HTML format by default). The configurations I’ve run through it so far seem to indicate that I may spend the rest of the day researching the findings whilst completing weakness report forms and change requests :'(
So far I’ve only been able to test Nipper’s abilities with Cisco IOS switch and router devices. Nipper boasts abilities to function with a broad range of Cisco devices along with most major firewall manufacturers (Juniper, Checkpoint, Nortel and SonicWall). If anyone has used Nipper for other devices I would be interested to know how the functionality compares, especially as the site states “Please note that the level of support for each type of device varies.”
Overall it seems like a nice tool that I’m going to keep around in my bag of tricks for the time being.
March 14, 2008 at 1:15 pm #16809 pseud0 (Participant)
Sounds interesting. Did you get any impression as to whether it affects the stability or responsiveness of the network devices that it is testing? That’s the second question we always get asked about these various testing tools. The questions usually go, “How accurate is it? Oh, and will it break our stuff?”
March 14, 2008 at 1:28 pm #16810
Nipper works offline on a configuration file. In my case I’ve been playing with Cisco devices; all I’ve done is supply a text file holding the configuration (usually generated using the show running-config command) on the command line, for example:
nipper.exe --ios-switch --input=someDevice.conf --output=someDevice-report.html
This way the routine doesn’t interact with the device in any way, so it can’t cause it to fall over or reduce network performance. From reading the documentation it is possible to pull the config from Cisco devices using SNMP strings or TFTP servers, but I won’t go down this route as the alternative is fairly simple and cannot affect the client’s equipment in any way.
Avoids the ‘everything’s dead! What have you done?’ questions 😉
March 14, 2008 at 1:34 pm #16811
Quick disclaimer, I have not used the tool, I’m basing my observations on information that was on the website:
My concern was that I could not find any information on what the tool bases the audit results on. I always had great results using CIS RAT. Their benchmark guide is detailed and fairly well written. A person auditing an IOS/PIX device has access to details of the recommendation made by the tool, not just pass or fail.
pseud0, if you are concerned about this particular tool’s impact on the audited device (as we all are with any audit tool), the best option is to save the config file and run the audit on the file instead of pulling it directly from the device.
March 14, 2008 at 2:00 pm #16812
From using Nipper, the report is fairly self-explanatory. For each potential issue that it finds it provides:
- Observation (reason why X is an issue)
- Impact of the issue
- Ease with which the issue could be exploited
- Basic recommendations for a fix
The key part is ‘potential’ issues: whilst the tool has provided me with a number of avenues to look at increasing the security of my setup, there are several issues that are flagged that can be ignored if you know and understand your environment. For example, an issue that appears in the report is that the SNMP password is not complex enough. However, as the SNMP access is tightly controlled via ACLs this isn’t as much of an issue in my environment as it might be elsewhere.
As with most tools, don’t just go blindly following the advice of the report without first understanding the issues fully.
I haven’t come across the CIS RAT tool before. I’ve just had a quick look at their website and there appears to be a lot of legalese that you’re required to read/accept before getting access to the tool, along with the benchmarking information documents.
Do you know if there is any way (I could have missed the relevant section on the site) to access the documentation without giving away my life story first?
March 14, 2008 at 2:32 pm #16813
Thanks for the update RoleReversal,
I would be curious to run both tools on the same config and compare the results. I tend to think of the CIS as sort of a “standard” or “best practices” for benchmarks… from their website:
How are the CIS Benchmarks created?
The CIS Benchmarks are created through a consensus based process involving dozens or hundreds of experts from around the world and each of the three major sectors: government, private industry, and academic institutions.
These experts meet virtually through email lists and teleconferences facilitated by CIS to discuss security configuration recommendations that comprise a CIS Benchmark. Because agreement doesn’t always come easy, this process can take anywhere from weeks to months.
In the end, this unique process helps to create comprehensive security guidance that is applicable to a wide audience.
As far as your other question goes, you have to provide a name and email and accept the TOUA before download, although the email address or personal info is NOT verified (by confirmation email or otherwise). You get access to the download right away.
March 14, 2008 at 3:18 pm #16814
I would be curious to run both tools on the same config and compare the results.
Agreed; assuming nothing comes up in the meantime I intend to try CIS RAT at the weekend. I’ll run through with the same config for each tool and try to get a comparison.
I’ll update my findings as I get more.
March 14, 2008 at 4:07 pm #16815
Sorry for replying to my own post, I managed to do a quick comparison sooner than expected. (Don’t you love quiet Fridays? ;D)
I’ve just run the CIS Router Audit Tool (RAT) using the same configuration I initially used with Nipper. Mostly both tools came back with the same set of potential weaknesses. So unless they both missed the same issue, the coverage appears to be similar with each tool.
The report created by RAT is shorter and more concise than Nipper’s, although part of that is achieved by hiding some information on hyperlinked pages. (The config file you’re testing needs to be in the same directory as the RAT binary or the links won’t work.)
As well as listing weaknesses, RAT assigns each issue a priority and determines a % score based on which tests you pass or fail. I’m not sure I like having metrics like this, as anything that isn’t 100% secure is vulnerable to something, and despite what the value says nothing is 100% secure.
As I touched on the SNMP aspects of the report with Nipper, I’ll do the same for RAT. As with Nipper, RAT complained that I didn’t have SNMP disabled, and failed me on 4 tests because I had multiple lines with the string ‘snmp-server’ (snmp-server community foo; snmp-server location bar, etc.).
A feature that RAT implements that isn’t fully available with Nipper is that it generates a Cisco command file to run against the device that will ‘fix’ every security issue with the device. Whilst I’m sure this could be a time saver in many scenarios, if I had blindly run this file against my device I would have lost a lot of functionality that I actually need. Again using SNMP as an example, it is utilised for statistic gathering and, most importantly, monitoring the state of the device.
As I said with my review of Nipper, don’t just follow the advice and fixes without understanding the impact they will have on your network, unless you fancy a world of hurt 😉
Overall, I quite like both tools and each has advantages over the other. Mostly it will come down to personal preference, which tool you know better and can better interpret the findings. Personally, I think I’ll hang on to both for some cross checking.
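The ‘potential issues’ point made earlier in the thread (a weak SNMP community flagged even where an ACL limits who can reach it) and RAT failing four tests on a bare count of ‘snmp-server’ lines both come down to how much context an offline checker reads from the saved config. The following is an added example, not code from Nipper, RAT or anyone in this thread: a small Python script that parses a constructed IOS running-config, rates each snmp-server community in the light of its RO/RW mode and any defined access-list, and contrasts that with a plain line count. The sample config, the 8-character minimum and the severity labels are assumptions of the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set

# Constructed sample of a Cisco IOS running-config, assumed for this example
# (it is not a real device's configuration).
SAMPLE_CONFIG = """\
hostname edge-sw1
!
access-list 10 permit 10.0.0.5
access-list 10 deny any log
!
snmp-server community public RO
snmp-server community N3tM0n1tor-Ro RO 10
snmp-server community short RO 10
snmp-server community weak RW
snmp-server location Server room B
snmp-server contact netops@example.invalid
!
end
"""

# Community strings that every scanner guesses first (assumed list).
WELL_KNOWN = {"public", "private", "cisco", "admin"}
MIN_COMMUNITY_LEN = 8  # assumed policy threshold

# snmp-server community <string> [view <name>] [RO|RW] [ipv6 <nacl>] [<acl>]
_COMMUNITY_RE = re.compile(
    r"^snmp-server community (\S+)(?: view \S+)?(?: (RO|RW))?(?: ipv6 \S+)?(?: (\S+))?\s*$"
)
_ACL_RE = re.compile(r"^(?:access-list (\S+)|ip access-list (?:standard|extended) (\S+))")


@dataclass
class Finding:
    community: str
    mode: str
    acl: Optional[str]
    issues: List[str] = field(default_factory=list)
    severity: str = "ok"


def parse_acls(config: str) -> Set[str]:
    """Return the names/numbers of access lists defined anywhere in the config."""
    acls: Set[str] = set()
    for line in config.splitlines():
        m = _ACL_RE.match(line.strip())
        if m:
            acls.add(m.group(1) or m.group(2))
    return acls


def snmp_server_line_count(config: str) -> int:
    """Bare count of 'snmp-server' lines: what a line-matching test sees,
    whether the line is a community, a location or a contact."""
    return sum(1 for line in config.splitlines() if line.strip().startswith("snmp-server"))


def audit_snmp(config: str) -> List[Finding]:
    """Inspect each community string in context and rate it."""
    acls = parse_acls(config)
    findings: List[Finding] = []
    for line in config.splitlines():
        m = _COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        community, mode, acl = m.group(1), m.group(2) or "RO", m.group(3)
        f = Finding(community=community, mode=mode, acl=acl)
        if community.lower() in WELL_KNOWN:
            f.issues.append("well-known community string")
        if len(community) < MIN_COMMUNITY_LEN:
            f.issues.append(f"community string shorter than {MIN_COMMUNITY_LEN} characters")
        if acl is None:
            f.issues.append("no access-list limits which hosts may use this community")
        elif acl not in acls:
            f.issues.append(f"access-list {acl} is referenced but never defined")
        acl_effective = acl is not None and acl in acls
        if not f.issues:
            f.severity = "ok"
        elif mode == "RW":
            # Any weakness on a write community: whoever reaches it can pull or push config.
            f.severity = "high"
        elif acl_effective:
            # Weak string, but reachability is limited by a defined ACL: a low-priority item.
            f.severity = "low"
        else:
            f.severity = "medium"
        findings.append(f)
    return findings


if __name__ == "__main__":
    print(f"snmp-server lines: {snmp_server_line_count(SAMPLE_CONFIG)}")
    for f in audit_snmp(SAMPLE_CONFIG):
        print(f"[{f.severity:6}] {f.mode} '{f.community}' acl={f.acl}: "
              f"{'; '.join(f.issues) or 'no issues'}")
```

On the sample, the line count is six while only four lines carry a community at all, and the two short strings get different ratings because one sits behind a defined ACL and the other does not; that is the context a reviewer adds by hand when reading a Nipper or RAT report, and it is the part worth keeping in whatever script you use to triage the output.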
March 14, 2008 at 4:10 pm #16816 pseud0 (Participant)
Thanks for the info guys. I didn’t realize this was an out-of-band tool. More for use in auditing than vulnerability assessments, but I’ll play with it this weekend to see what it can do.
March 14, 2008 at 5:49 pm #16817
Kudos on a nice comparison writeup RR!
April 28, 2008 at 5:14 am #16818 Anonymous (Participant)
Yeah, it’s a good tool for security assessment… for newbies also.
June 19, 2008 at 4:04 am #16819 rdkumarj (Participant)
As per the above comparison, and when I tried them, I also felt both tools are doing well, but Nipper is a bit more elaborate on the information it shows…
Thanks for introducing these tools anyway…