Audit your Cisco router's security with Nipper

While recently talking with a fellow network admin, I learned about Nipper. While there are many tools available to perform security audits of network devices, Nipper is unique. Let me show you why.

What is Nipper?

Short for Network Infrastructure Parser, Nipper is an open source security auditing tool for network devices. One benefit of being open source is that it's free.

Previously known as CiscoParse, Nipper isn't especially polished, but it is very functional. It was easy to install and easy to use, and it did exactly what it said it would do.

Even more impressive is that it works with many different types of network devices (and not just Cisco). Here's a list of compatible network devices that Nipper can audit:

  • Cisco switches (IOS)
  • Cisco routers (IOS)
  • Cisco firewalls (PIX, ASA, FWSM) 
  • Cisco Catalyst switches (NMP, CatOS, IOS)
  • Cisco Content Service Switches (CSS)
  • Juniper NetScreen Firewalls (ScreenOS)

How do you use Nipper?

Nipper supports a lot of devices and boasts a ton of options, so I can't possibly demonstrate all that it can do. But I can give you a basic demonstration. For our example, we'll use Nipper to audit a Cisco router that has only the default configuration.

To begin, I took a Cisco 2600 Series router, cleared the configuration, and rebooted it. Then, the process of auditing the router begins.

First, download Nipper from — it's available for both Windows and Linux. Extract it to a folder on your local PC; let's call it C:\nipper.

Next, obtain a text copy of the router's running configuration. Telnet or SSH to the router, run terminal length 0 so the output isn't paged, then run show running-config. Copy and paste the output into Notepad and save it to your local PC in the aforementioned C:\nipper directory. Keep in mind that the running configuration contains passwords, SNMP community strings, and other secrets, so prefer SSH over Telnet for this step and treat the saved file as sensitive.

Alternatively, you can use a TFTP server and copy the configuration to your local PC with the copy running-config tftp command. I tried this using Tftpd32.exe, and it was both quick and easy. TFTP is unauthenticated and unencrypted, so use it only on a trusted management network and delete the file from the TFTP root when you're done.

Once you have the running configuration that you want to audit on your PC, go to the Windows command prompt, and CD into the Nipper directory. Run the following, as shown in Figure A:
nipper --ios-router --input=testrouterconfig.txt --output=audit.html

Figure A

The system will immediately return you to the command prompt without providing any information. But don't worry — it worked.

Next, open c:\nipper\audit.html in a Web browser. This is the security report. Figure B offers a screenshot of the audit.

Figure B

What does Nipper tell you?

Scrolling through this report, you'll see that Nipper provides security audit information such as:

  • A software version that has vulnerabilities and the reference numbers for those vulnerabilities
  • Recommendations to disable services that might cause others to be able to access the router
  • Commands that you need to enable to secure the router

For our example, Nipper told us that we need to do the following:

  • Upgrade the router's IOS to remove its exposure to a Telnet remote DoS attack and a TCP listener DoS attack.
  • Configure the service tcp-keepalives-in command to help prevent a DoS attack from half-open inbound TCP sessions.
  • Configure exec-timeout on the console and vty lines so that an unattended Telnet or console session is closed instead of being left open for anyone to pick up.
  • Replace the plaintext HTTP management service with HTTPS (ip http secure-server), and enable authentication on it.
  • Enable logging.

In addition to several other recommendations, Nipper provided a summary of the device's configuration — what services are turned on or off, status of the lines, status of the interfaces, DNS, time zone, and more. Check out the actual report from our example.
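To show what an audit like this actually tests, here is an added example (my code, not Nipper's and not from the article) that re-implements the last four findings above as checks over an IOS running configuration, plus extraction of the IOS version string for the operator to compare against Cisco's advisories (no vulnerability database is embedded). The two configs are constructed samples, not the article's router: one approximates a cleared 2600, the other the same device with the recommended fixes applied.

```python
import re
from typing import Dict, List, Tuple

# Constructed input, not the article's router: roughly what a cleared 2600
# shows for 'show running-config' on IOS 12.x. The 'ip http server' line is
# included deliberately so the HTTP finding fires.
DEFAULT_CONFIG = """\
version 12.3
hostname Router
ip http server
!
line con 0
line vty 0 4
 login
!
end
"""

# Constructed: the same device after applying the article's recommendations.
HARDENED_CONFIG = """\
version 12.3
service tcp-keepalives-in
hostname Router
no ip http server
ip http secure-server
ip http authentication local
logging buffered 16384 informational
logging host 192.0.2.10
!
line con 0
 exec-timeout 5 0
line vty 0 4
 exec-timeout 5 0
 login local
 transport input ssh
!
end
"""


def split_config(config: str) -> Tuple[List[str], Dict[str, List[str]]]:
    """Return (global commands, {'line con 0': [indented subcommands], ...})."""
    global_cmds: List[str] = []
    blocks: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            current = None           # '!' separates sections
        elif raw.startswith(" "):    # indented: belongs to the open line block
            if current is not None:
                blocks[current].append(raw.strip())
        elif raw.startswith("line "):
            current = raw.strip()
            blocks[current] = []
        else:
            current = None
            global_cmds.append(raw.strip())
    return global_cmds, blocks


def ios_version(config: str) -> str:
    """Version string to compare with Cisco advisories; nothing is looked up here."""
    match = re.search(r"^version (\S+)", config, re.M)
    return match.group(1) if match else "unknown"


def audit(config: str) -> List[str]:
    """Return one finding per failed check; an empty list means all checks passed."""
    global_cmds, blocks = split_config(config)
    present = set(global_cmds)
    findings: List[str] = []

    # Drops half-open inbound TCP sessions so abandoned vty connections
    # cannot exhaust the listener.
    if "service tcp-keepalives-in" not in present:
        findings.append("service tcp-keepalives-in not configured")

    # Idle timeout on every con/vty line. IOS applies a 10-minute default when
    # nothing is shown, and 'exec-timeout 0 0' disables the timeout entirely.
    for name, subs in blocks.items():
        setting = next((s for s in subs if s.startswith("exec-timeout")), None)
        if setting is None:
            findings.append(f"{name}: no explicit exec-timeout")
            continue
        fields = setting.split()
        minutes = int(fields[1])
        seconds = int(fields[2]) if len(fields) > 2 else 0
        if minutes == 0 and seconds == 0:
            findings.append(f"{name}: exec-timeout 0 0 disables the idle timeout")

    # Management over plaintext HTTP, or HTTPS without an authentication method.
    if "ip http server" in present:
        findings.append("ip http server enabled; replace with ip http secure-server")
    if "ip http secure-server" in present and not any(
        g.startswith("ip http authentication ") for g in global_cmds
    ):
        findings.append("ip http secure-server without ip http authentication")

    # Logging: require a local buffer or a syslog host as a destination.
    if not any(re.match(r"logging (buffered|host)\b", g) for g in global_cmds):
        findings.append("no logging buffered or logging host configured")
    return findings


if __name__ == "__main__":
    for label, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{label} config, IOS {ios_version(cfg)}:")
        for line in audit(cfg) or ["no findings"]:
            print("  -", line)
```

Feed it a file saved as described above (open(path).read()) and the default sample produces five findings while the hardened one produces none; the point is that each of Nipper's recommendations maps to a concrete, greppable line in the running configuration, which is also what makes its reports easy to verify by hand.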

Considering that it's so small, simple, and free, Nipper is an amazingly powerful network device security auditing tool. For help with Nipper, run nipper --help from the C:\nipper directory at the command prompt once you've downloaded and extracted the program.

David Davis has worked in the IT industry for 12 years and holds several certifications, including CCIE, MCSE+I, CISSP, CCNA, CCDA, and CCNP. He currently manages a group of systems/network administrators for a privately owned retail company and performs networking/systems consulting on a part-time basis.
