
Audit your Cisco router's security with Nipper


While recently talking with a fellow network admin, I learned about Nipper. While there are many tools available to perform security audits of network devices, Nipper is unique. Let me show you why.

What is Nipper?

Short for Network Infrastructure Parser, Nipper is an open source security auditing tool for network devices. Being open source, it is also free to download and use.

Previously known as CiscoParse, Nipper isn't especially polished, but it is very functional. It was easy to install and easy to use, and it did exactly what it said it would do.

Even more impressive is that it works with many different types of network devices (and not just Cisco). Here's a list of compatible network devices that Nipper can audit:

  • Cisco switches (IOS)
  • Cisco routers (IOS)
  • Cisco firewalls (PIX, ASA, FWSM) 
  • Cisco Catalyst switches (NMP, CatOS, IOS)
  • Cisco Content Service Switches (CSS)
  • Juniper NetScreen Firewalls (ScreenOS)

How do you use Nipper?

Nipper supports a lot of devices and boasts a ton of options, so I can't possibly demonstrate all that it can do. But I can give you a basic demonstration. For our example, we'll use Nipper to audit a Cisco router that has only the default configuration.

To begin, I took a Cisco 2600 Series router, cleared the configuration, and rebooted it. Then, the process of auditing the router begins.

First, download Nipper from SourceForge.net -- it's available for both Windows and Linux. Extract it to a folder on your local PC; let's call it C:\nipper.

Next, obtain a text copy of the router's configuration. Telnet or SSH to the router, run the show running-config command, copy and paste the output into Notepad, and save it to your local PC in the aforementioned C:\nipper directory.

Alternatively, you can use a TFTP server and copy the configuration to your local PC with the copy running-config tftp command. I tried this using Tftpd32.exe, and it was both quick and easy. Keep in mind that TFTP has no authentication or encryption, and the running configuration contains passwords, SNMP community strings, and other secrets, so only do this over a trusted network segment and delete the copy from the TFTP server when you're done.

Once you have the running configuration that you want to audit on your PC, go to the Windows command prompt, and CD into the Nipper directory. Run the following, as shown in Figure A:
nipper --ios-router --input=testrouterconfig.txt --output=audit.html

The first option tells Nipper what kind of device the file came from (an IOS router here). Pick the option that matches your device; if it doesn't match, Nipper will complain that the configuration file is the wrong type.

Figure A

The system will immediately return you to the command prompt without providing any information. But don't worry -- it worked.

Next, open c:\nipper\audit.html in a Web browser to see the security report. Figure B offers a screenshot of the audit.

Figure B

What does Nipper tell you?

Scrolling through this report, you'll see that Nipper provides security audit information such as:

  • Whether the IOS version running on the device has known vulnerabilities, with reference numbers for each one
  • Recommendations to disable services that could give others a way into the router
  • The commands you need to configure to secure the router

For our example, Nipper told us that we need to do the following:

  • Upgrade the router's IOS to fix a Telnet remote DoS vulnerability and a TCP listener DoS vulnerability.
  • Configure the service tcp-keepalives-in command so that half-open inbound sessions are torn down instead of tying up the VTY lines, which helps prevent a DoS attack.
  • Configure exec timeouts on the console and VTY lines so that an idle Telnet or console session is not left open for someone else to pick up.
  • Replace the plain HTTP management service with HTTPS, and enable authentication on it.
  • Enable logging.

In addition to several other recommendations, Nipper provided a summary of the device's configuration -- what services are turned on or off, status of the lines, status of the interfaces, DNS, time zone, and more. Check out the actual report from our example.
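As an added example (my own code, not Nipper's and not part of the original article), here is a small Python script that applies some of the checks above to a saved show running-config file: inbound TCP keepalives, exec timeouts on the console and VTY lines, HTTP versus HTTPS with authentication, and logging. The two configurations in it are constructed for the example: the first resembles a cleared router with the HTTP server on, the second shows the corrected settings. The severity labels are my own, not Nipper's.

```python
"""Added example (not Nipper's code, not from the original article): a small
IOS configuration auditor applying some of the checks Nipper reported for the
default 2600 configuration. Both configurations are constructed for this example."""
import re

# Constructed: a cleared router with plain HTTP management on and no
# keepalives, exec timeouts or logging.
DEFAULT_CONFIG = """\
!
version 12.3
!
ip http server
no ip http secure-server
!
interface FastEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
line con 0
line aux 0
line vty 0 4
 login
!
end
"""

# Constructed: the same router with the settings Nipper asked for.
HARDENED_CONFIG = """\
!
version 12.3
service tcp-keepalives-in
!
no ip http server
ip http secure-server
ip http authentication local
!
logging buffered 16384
logging host 192.0.2.10
!
line con 0
 exec-timeout 5 0
line aux 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login
!
end
"""


def line_blocks(config):
    """Map each 'line <name>' block to its indented sub-commands."""
    blocks, current = {}, None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw[5:].strip()
            blocks[current] = []
        elif raw.startswith(" ") and current is not None:
            blocks[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the block
    return blocks


def audit_ios(config):
    """Return [(severity, message)] findings for a 'show running-config' text."""
    findings = []
    cmds = {ln.strip() for ln in config.splitlines() if ln.strip() and not ln.startswith("!")}

    m = re.search(r"^version (\S+)", config, re.M)
    if m:  # matching the version against Cisco advisories is left to the reader
        findings.append(("info", f"IOS version {m.group(1)}"))

    # Inbound keepalives tear down half-open Telnet/SSH sessions that would
    # otherwise hold VTY lines (the DoS Nipper warns about).
    if "service tcp-keepalives-in" not in cmds:
        findings.append(("medium", "service tcp-keepalives-in is not configured"))

    # No exec-timeout means the IOS default (10 minutes); 'exec-timeout 0 0'
    # disables the idle timeout entirely.
    for name, sub in line_blocks(config).items():
        timeout = next((s for s in sub if s.startswith("exec-timeout")), None)
        if timeout is None:
            findings.append(("low", f"line {name}: no explicit exec-timeout (IOS default applies)"))
        elif re.fullmatch(r"exec-timeout 0( 0)?", timeout):
            findings.append(("high", f"line {name}: idle timeout disabled ({timeout})"))

    # Plain HTTP management without HTTPS or an authentication method.
    if "ip http server" in cmds:
        if "ip http secure-server" not in cmds:
            findings.append(("high", "ip http server enabled without ip http secure-server"))
        if not any(c.startswith("ip http authentication") for c in cmds):
            findings.append(("medium", "ip http server has no 'ip http authentication' method"))

    # Logging: switched off, or nothing buffered locally and no syslog host.
    if "no logging on" in cmds:
        findings.append(("high", "logging is switched off (no logging on)"))
    elif not any(re.match(r"logging (buffered|host\b|\d+\.\d+\.\d+\.\d+)", c) for c in cmds):
        findings.append(("medium", "no logging buffered or logging host configured"))

    return findings


if __name__ == "__main__":
    for cfg in (DEFAULT_CONFIG, HARDENED_CONFIG):
        print("\n".join(f"[{sev}] {msg}" for sev, msg in audit_ios(cfg)), "\n---")
```

Run it and compare the two reports: the default configuration produces eight findings, while the hardened one produces only the informational version line. Checking that version against Cisco's advisories, which Nipper does from its own vulnerability list, is deliberately left out here.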

Considering that it's so small, simple, and free, Nipper is an amazingly powerful network device security auditing tool. For help with Nipper's options, run nipper -help from the C:\nipper directory at the command prompt after you've downloaded and extracted the program.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.


13 comments
nacht

Nipper has been bought by a UK company called Titania and is no longer free.

ksuriamoorthy

Very cool tool!! Which prompted me to add it to our open source network management tool ZipTie. Check out the ZipTie-Nipper integration, a.k.a. Zipper, at http://www.ziptie.org/ Also Fizz (the man behind nipper) has been extremely prompt in providing bug fixes and updates!!

parag.patil

This is a good tool to do router & firewall audits... But is a registered version available for Nipper?? I guess it's only an open source tool.. Is there any other tool available for router & firewall audit other than Nipper & RAT which can be procured??

Bryce White

I followed the instruction in the article and all I get back is an error about the wrong type of config file.

sarbab

i will try nipper today.

babajideibiayo

Awesome tool... used it to audit my routers and i was amazed at the wealth of information. Thanks David

pfowler

Thanks for showing that tool. I ran it on my PIX and it showed the configuration in an HTML page that I can give my manager. Sweet tool.

apompliano

Check out Refense Technologies at www.refense.com. They have a free trial. Performs hundreds of security checks online, non-intrusively, and measures against dozens of pre-configured security policies like NSA, DISA, HIPAA, PCI-DSS, FISMA, etc. Identifies the secondary effects of misconfigurations and operating system vulnerabilities and provides mitigation actions.

bill.friday

I ran nipper against my routers, firewalls and switches. Really good stuff!!! Since Cisco doesn't display default IOS settings (which is a security issue in and of itself) this tool points out running services that I was not aware of! The web output for complex switch/router configs with ACLs is a nice piece of documentation since it makes it easier to see what your config looks like. The command line interface is a plus so the tool can easily be scripted. Open source tools rule! MRTG and Nagios/Fruity are two of my favorites for network monitoring. Thanks... Bill

vladimir.saltao

I am running it on a bunch of configs (routers and switches) and it found some holes on them (already fixed). VS