Audit network devices with ease
Assessing the security posture of network devices like routers and firewalls can become a nightmare when a security practitioner is faced with tens of devices, each with hundreds (sometimes thousands) of lines of configuration data to go through. Manually reading the entire configuration may not always be the right course of action, especially when faced with tight deadlines.
There is help available, and it comes in the form of automation tools that can make our life easier. I will discuss a couple of tools that I have worked with and how they can support auditing and vulnerability assessment activities.
FireSec (v1.1), a Windows-based commercial application, is primarily targeted as a firewall rule base analysis tool for medium to large enterprises. FireSec is priced at US$1000 per installation and requires access to a SQL Server database to function; MSDE or SQL Server 2005 Express Edition will work just fine.
FireSec comes strong on features – supporting removal of redundant rules, grouping of similar rules, and detection of potentially vulnerable rule patterns by means of analysis. All of this can be achieved for a wide range of firewall devices from Cisco, Juniper (NetScreen) and Secure Computing (CyberGuard). NII Consulting (India), the developers of FireSec, also claim support for a generic ruleset format, allowing support for CheckPoint, Fortinet and others.
To get started, the device configuration file needs to be imported into the SQL Server database, which is handled by the application itself. The configuration file can be supplied as a flat text file and loaded as a “Firewall” into FireSec. The loading process is slow: it took about five minutes to load a PIX configuration file with just over 900 lines of configuration data on an above-average machine (2GB DDR2, Core 2 Duo 2GHz, 160GB 7200RPM HDD). Once loaded, everything else is a breeze, and there is good documentation supplied to walk you through the application.
FireSec sports a poor GUI, though: the main window cannot be maximized, the left firewall selection pane cannot be resized, and, even worse, the progress bar at random just stares at you even after the requested tasks have finished. It took me a while to work my way through the various functions.
Interface issues aside, FireSec is a very capable product that lets you clean up your configuration (Figure 2), generate a comprehensive analysis report (Figure 3) and even analyse how your rules perform against a given set of source and destination addresses (Figure 4). I was only able to test it with a PIX configuration, and it worked as expected.
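To make the rule base analysis concrete, here is an added example (not FireSec's code, nor anything from NII Consulting) that parses a constructed, simplified PIX-style access list, flags rules that are shadowed by an earlier rule (as redundant when the actions agree and as unreachable when they conflict), and answers the "how does this source/destination fare against the rule base" question with a first-match evaluation. It assumes numeric ports and the netmask form PIX uses for address/mask pairs; the access-list lines themselves are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ANY_NET = ipaddress.ip_network("0.0.0.0/0")

# Constructed sample in simplified PIX syntax (numeric ports only); it is not
# taken from any real device. Line 2 repeats line 1 for a narrower source,
# and line 5 can never match because line 4 already denies everything.
SAMPLE_ACL = """\
access-list outside_in permit tcp any host 203.0.113.10 eq 443
access-list outside_in permit tcp 198.51.100.0 255.255.255.0 host 203.0.113.10 eq 443
access-list outside_in permit udp any host 203.0.113.53 eq 53
access-list outside_in deny ip any any
access-list outside_in permit tcp any any eq 22
access-group outside_in in interface outside
"""


@dataclass
class Rule:
    line: int
    acl: str
    action: str            # permit / deny
    proto: str             # ip / tcp / udp / ...
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port: Optional[int]    # destination port, None = any


def _parse_addr(tokens: List[str]) -> Tuple[ipaddress.IPv4Network, List[str]]:
    """Consume one PIX address spec ('any', 'host A', or 'A MASK')."""
    if tokens[0] == "any":
        return ANY_NET, tokens[1:]
    if tokens[0] == "host":
        return ipaddress.ip_network(f"{tokens[1]}/32"), tokens[2:]
    # PIX access-lists use a real netmask here, not an IOS wildcard mask
    return ipaddress.ip_network(f"{tokens[0]}/{tokens[1]}", strict=False), tokens[2:]


def parse_acl(text: str) -> List[Rule]:
    rules = []
    for n, raw in enumerate(text.splitlines(), 1):
        t = raw.split()
        if len(t) < 6 or t[0] != "access-list":
            continue  # access-group lines, comments, etc. are not rules
        src, rest = _parse_addr(t[4:])
        dst, rest = _parse_addr(rest)
        port = int(rest[1]) if len(rest) >= 2 and rest[0] == "eq" else None
        rules.append(Rule(n, t[1], t[2], t[3], src, dst, port))
    return rules


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet matched by rule b would also match rule a."""
    proto_ok = a.proto == "ip" or a.proto == b.proto
    port_ok = a.port is None or a.port == b.port
    return proto_ok and port_ok and b.src.subnet_of(a.src) and b.dst.subnet_of(a.dst)


def find_shadowed(rules: List[Rule]) -> List[Tuple[int, int, str]]:
    """Return (shadowed line, shadowing line, kind) for rules that never match.

    'redundant' means both rules agree, so the later one can be deleted;
    'unreachable' means the actions conflict, which is usually a mistake.
    """
    findings = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.acl == rule.acl and covers(earlier, rule):
                kind = "redundant" if earlier.action == rule.action else "unreachable"
                findings.append((rule.line, earlier.line, kind))
                break  # first-match semantics: the earliest cover is the one that bites
    return findings


def evaluate(rules, acl, proto, src_ip, dst_ip, port):
    """First-match evaluation of one flow; PIX ends every ACL with an implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r.acl != acl or r.proto not in ("ip", proto):
            continue
        if r.port is not None and r.port != port:
            continue
        if src in r.src and dst in r.dst:
            return r.action, r.line
    return "deny", None


if __name__ == "__main__":
    rules = parse_acl(SAMPLE_ACL)
    for shadowed, by, kind in find_shadowed(rules):
        print(f"line {shadowed} is {kind}: shadowed by line {by}")
    print(evaluate(rules, "outside_in", "tcp", "198.51.100.7", "203.0.113.10", 22))
```

The shadow check is deliberately conservative: it only reports a rule when a single earlier rule covers it completely, which is the case a human reviewer can act on immediately. A rule that is only covered by the union of several earlier rules needs a full range-splitting analysis, which is where a commercial product earns its price.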

Figure 2: Generate commands based on given criteria
Figure 3: Report generation is limited to HTML format.
There is also a firewall comparison function that can assist in change management as well as in ensuring rule base integrity.
Overall, FireSec has a lot of potential for improvement, and I will be keeping my eye on it and watching it grow. For now, I have settled for open source alternatives.
Nipper (v0.11.8) is a cross-platform open source tool that processes network device configurations and generates a customizable report. Nipper reports device configuration details, vulnerabilities and recommendations for mitigating the risks. This command line tool supports a wide array of network devices:
Cisco Switches (IOS)
Cisco Routers (IOS)
Cisco Firewalls (PIX, ASA, FWSM)
Cisco Catalysts (NMP, CatOS, IOS)
Cisco Content Service Switches (CSS)
Juniper NetScreen Firewalls (ScreenOS)
CheckPoint Firewall-1/ VPN-1
Nortel Passport devices (Multiservice Switch- MSS)
SonicWALL SonicOS Firewalls
Bay Networks Accelar Routing Switch devices (now Nortel)
Nokia IP Firewalls
Nipper can take a flat ASCII text file as input for processing, or connect to the device directly and retrieve the configuration through SNMP. Unlike FireSec, Nipper does not import the configuration into a database, and report generation is almost instant. I was able to test Nipper’s capabilities using a standard configuration from a Cisco IOS 12.3 router and a PIX 6.3 firewall device.

Figure 5: Using nipper for IOS router analysis
Figure 6: Using nipper for PIX firewall analysis
Within seconds of executing the above commands, Nipper was able to decode my Cisco Type 7 password for the IOS router, parse over 900 lines of PIX configuration and deliver a comprehensive report in the default HTML format (XML, LaTeX and ASCII text are supported too). Reports can further be customized, and there is also an option to replace Nipper references with your own company name, along with a range of other options.
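The kind of check Nipper runs over an IOS configuration, as an added example that is neither Nipper's code nor taken from its reports: a handful of rules applied to a constructed IOS 12.3-style config. It flags clear-text (Type 0) and reversible Type 7 passwords, the missing `service password-encryption`, plaintext HTTP management, default or read-write SNMP communities and Telnet on vty lines, and produces the per-severity summary a report would show. The configuration text, hostname, community strings and hash strings are constructed placeholders, not from any real device.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed IOS 12.3-style running-config; every secret is a placeholder.
SAMPLE_IOS_CONFIG = """\
version 12.3
hostname edge-rtr1
no service password-encryption
enable password 7 0123456789ABCDEF
username admin password 0 Letmein123
username ops secret 5 $1$CONSTRUCTED$notArealMd5Hash000000
ip http server
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 password 7 0123456789ABCDEF
 transport input telnet
line vty 5 15
 transport input ssh
end
"""

# The optional digit after 'password' is the Cisco password type: 0 = clear
# text, 7 = reversible obfuscation, 5/8/9 = one-way hashes (not flagged).
PASSWORD_RE = re.compile(r"^(enable password|username \S+ password|password)\s+(?:(\d)\s+)?\S+")
SNMP_RE = re.compile(r"^snmp-server community (\S+)(?:\s+(RO|RW))?", re.IGNORECASE)
DEFAULT_COMMUNITIES = {"public", "private"}


@dataclass
class Finding:
    severity: str   # HIGH / MEDIUM / LOW
    check: str      # short identifier of the failed check
    line: int       # 1-based line number in the configuration text
    detail: str
    fix: str


def audit_ios(config: str) -> List[Finding]:
    """Apply a small set of Nipper-style checks to an IOS configuration."""
    findings: List[Finding] = []
    block = None  # current 'line ...' block, e.g. 'line vty 0 4'
    for n, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not raw.startswith(" "):
            block = line if line.startswith("line ") else None

        m = PASSWORD_RE.match(line)
        if m:
            kind, ptype = m.group(1), m.group(2) or "0"
            where = f"{kind} in '{block}'" if block else kind
            if ptype == "0":
                findings.append(Finding("HIGH", "cleartext-password", n,
                    f"{where} is stored in clear text (Type 0)",
                    "replace with a 'secret' (Type 5/8/9) or use AAA with local users"))
            elif ptype == "7":
                sev = "HIGH" if kind.startswith("enable") else "MEDIUM"
                findings.append(Finding(sev, "reversible-type7-password", n,
                    f"{where} uses Type 7 obfuscation, which is reversible",
                    "use 'enable secret' / 'username ... secret' instead of 'password'"))

        if line == "no service password-encryption":
            findings.append(Finding("LOW", "no-service-password-encryption", n,
                "Type 0 passwords are written to the config in clear text",
                "enable 'service password-encryption' (it only applies Type 7) and migrate to secrets"))

        if line == "ip http server":
            findings.append(Finding("MEDIUM", "http-management", n,
                "plaintext HTTP management interface is enabled",
                "'no ip http server'; use 'ip http secure-server' only if web management is needed"))

        m = SNMP_RE.match(line)
        if m:
            community, mode = m.group(1), (m.group(2) or "RO").upper()
            problems = []
            if community.lower() in DEFAULT_COMMUNITIES:
                problems.append("default community string")
            if mode == "RW":
                problems.append("read-write access")
            if problems:
                findings.append(Finding("HIGH", "snmp-community", n,
                    f"SNMP community '{community}' ({mode}): " + ", ".join(problems),
                    "use a unique community restricted by ACL, or SNMPv3 authPriv"))

        if block and block.startswith("line vty") and line.startswith("transport input"):
            if set(line.split()[2:]) & {"telnet", "all"}:
                findings.append(Finding("HIGH", "telnet-management", n,
                    f"'{block}' accepts Telnet, so credentials cross the network unencrypted",
                    "'transport input ssh' on every vty line"))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, as a report summary table would."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_ios(SAMPLE_IOS_CONFIG)
    for f in results:
        print(f"[{f.severity}] line {f.line} ({f.check}): {f.detail} -> {f.fix}")
    print(summarize(results))
```

Each finding carries the line number, so the reviewer can jump straight to the offending statement during the manual verification pass the closing paragraph asks for; the `username ops secret 5` line and the `transport input ssh` vty block pass silently, which is the behaviour you want from a tool whose job is to shrink the list you have to read.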

Figure 7: HTML report for Cisco IOS router
Figure 8: HTML report for Cisco PIX firewall
Nipper can even output Cisco Type 5 password hashes to an ASCII text file for later use with John the Ripper for a brute-force attack; dictionary-file support is present too. Overall, a great tool and highly recommended!
Other tools to look at:
- Firemon from Secure Passage that does configuration analysis as well as change management and more;
- FTester from Inverse Path to test your firewall and IDS from a behavioral point of view;
- Router Audit Tool (RAT) from the Center for Internet Security that benchmarks router configuration against NSA recommended guidelines for security;
- RedSeal Security Risk Manager (SRM) from RedSeal Systems, a comprehensive tool for overall network security assessment that can do firewall and router device assessments as well.
To sum up, the tools discussed above can greatly reduce the time you would normally take to assess your network devices. However, I am not recommending that you skip manual reviews to verify the results: I would never give precedence to a report generated by an automation tool over a manual one. It all comes down to the nature of the assessment.