A short while ago, I came across two really nice tools that will help with

- visualizing screenos configs into html pages

- auditing firewall configs


Converting screenos to html

The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/

It is written in perl and both the .pl and the compiled version are part of the download package.

After downloading and extracting the zip file (I’m using the Windows version), you need to edit the config file, which can be found in the etc folder (ns2html.cfg)

Verify the “PUBLISH” and “BROWSER” path and save the file

Next, launch the ns2html.exe file (under bin)


Select your screenos config file, verify the output directory. Click “open rulebase in browser after generation?” and click generate.

Note : if you have previously converted a config file from the same firewall, and are saving the files in the same folder, you will be prompted to overwrite the files in the small command-line window that sits behind the dialog window. When the process is complete, you’ll get a subfolder (named after the firewall) that contains a couple of html files and images. When you open the index page (index.<date>.html), you’ll see the generated rulebase.


Life doesn’t get much easier than this… I wish there were more awesome tools like this. This is really a great tool for people who are looking to save their rulesets in a very user-friendly & readable format.


Audit your ruleset

A second tool I would like to talk about is “nipper”. This utility was written by Ian Ventura-Whiting and can be found at http://nipper.titania.co.uk . It is a Network Infrastructure Parser (hence the name NIPper) and produces a friendly, readable report containing a detailed security audit of your config file.

The tool supports a whole range of devices : Bay Networks, Cisco IOS, Cisco ASA, Juniper Netscreen, Nortel Passport, Nokia, SonicWall, …

After downloading and extracting the “all in one” package, you will see these files :


Edit the nipper.ini file with wordpad or notepad++ and go to the Report section. Set a Company Name and save the file.

When you run nipper /? or nipper --help, you’ll get a short help text :

                     _                           ____
               _ __ (_)_ __  _ __   ___ _ __    / ->/|
              | '_ \| | '_ \| '_ \ / _ \ '__|  /<-_/ |
              | | | | | |_) | |_) |  __/ |     |   | /
              |_| |_|_| .__/| .__/ \___|_|     |___|/
                      |_|   |_|

                         CLI Version 0.12.0

http://nipper.titania.co.uk

            Copyright (C) 2006-2008 Ian Ventura-Whiting

Nipper is a  Network Infrastructure  Configuration Parser.  Nipper takes
a network infrastructure  device configuration,  processes the  file and
produces  a report  which can  include detailed a  security audit  and a
configuration report.

By default, input is retrieved from stdin and is output (in HTML format)
to stdout.

Command:
    nipper [Options]

General Options:
    --input=<file>
    Specifies a  device configuration  file to  process.  For CheckPoint
    Firewall-1  configurations,  the  input should be the conf directory
    (or the database directory).

    --output=<file> | --report=<file>
    Specified an output file for the report.

    --version
    Displays the program version.

Example:
    The  example   below  will   process  a   Cisco   IOS-based   router
    configuration file called ios.conf  and output  the report to a file
    called report.html.

    nipper --ios-router --input=ios.conf --output=report.html

For additional help:
    --help[=<topic>]
    Show  the  online help  or show  the  additional  help on  the topic
    specified.  The help  topics  are;  GENERAL,  DEVICES,  DEVICES-ADV,
    SNMP,  REPORT, REPORT-ADV,  REPORT-SECT, REPORT-HTML,  REPORT-LATEX,
    AUDIT-ACL, AUDIT-PASS, AUDIT-ADV or CONFIG-FILE.

Copy the screenos (or other compatible) config file into the folder and run

nipper --input=yourconfigfile.cfg --output=firewallaudit.html

If the tool has difficulties determining the type of device, you can specify the device using one of the following parameters :

    CMD Option       Device Type
    ====================================================
    --auto           Auto-Detect Device (Default)
    --3com-firewall  3Com SuperStack 3 Firewall
    --accelar        Bay Networks Accelar
    --cp-firewall    CheckPoint Firewall Module
    --cp-management  CheckPoint Management Module
    --ios-router     Cisco IOS-based Router
    --ios-catalyst   Cisco IOS-based Catalyst Switch
    --pix            Cisco PIX-based Firewall
    --asa            Cisco ASA-based Firewall
    --fwsm           Cisco FWSM-based Router
    --catos          Cisco CatOS-based Catalyst
    --nmp            Cisco NMP-based Catalyst
    --css            Cisco Content Services Switch
    --procurve       HP ProCurve Switches
    --screenos       Juniper NetScreen Firewall
    --nokiaip        Nokia IP Firewall
    --passport       Nortel Passport Device
    --nortel-switch  Nortel Ethernet Routing Switch 8300
    --sonicos        SonicWall SonicOS Firewall
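
To show what both tools do under the hood (render a ScreenOS rulebase as HTML, and flag the policies an audit would call out), here is a small added example; it is my own code, not part of ns2html or nipper, and the config excerpt it parses is constructed for the demo.

```python
import re
from html import escape

# Constructed sample ScreenOS config excerpt (not from a real firewall).
SAMPLE_CONFIG = """\
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "HTTP" permit log
set policy id 2 from "Untrust" to "DMZ" "Any" "Web-Server" "HTTP" permit
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" permit log
set policy id 4 from "DMZ" to "Trust" "Any" "Any" "ANY" deny log
"""

# One 'set policy id ...' line: zones, source, destination, service, action, optional log.
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+) from "(?P<src_zone>[^"]+)" to "(?P<dst_zone>[^"]+)" '
    r'"(?P<src>[^"]+)" "(?P<dst>[^"]+)" "(?P<svc>[^"]+)" (?P<action>permit|deny)'
    r'(?P<log> log)?')

def parse_policies(text):
    """Return a list of dicts, one per policy line; other config lines are ignored."""
    rules = []
    for line in text.splitlines():
        m = POLICY_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["id"] = int(d["id"])
            d["log"] = d["log"] is not None
            rules.append(d)
    return rules

def audit(rule):
    """Findings a reviewer would raise on a single policy (empty list = clean)."""
    findings = []
    wide_open = all(rule[k].lower() == "any" for k in ("src", "dst", "svc"))
    if rule["action"] == "permit" and wide_open:
        findings.append("permits any source, destination and service")
    if not rule["log"]:
        findings.append("not logged")
    return findings

def to_html(rules):
    """Render the rules as an HTML table with a findings column, ns2html-style."""
    cols = ["ID", "From", "To", "Src", "Dst", "Service", "Action", "Findings"]
    head = "<tr>" + "".join(f"<th>{c}</th>" for c in cols) + "</tr>"
    rows = []
    for r in rules:
        cells = [r["id"], r["src_zone"], r["dst_zone"], r["src"], r["dst"],
                 r["svc"], r["action"], "; ".join(audit(r)) or "-"]
        rows.append("<tr>" + "".join(f"<td>{escape(str(c))}</td>" for c in cells) + "</tr>")
    return "<table>" + head + "".join(rows) + "</table>"

if __name__ == "__main__":
    print(to_html(parse_policies(SAMPLE_CONFIG)))
```

Redirect the output to a .html file and open it in a browser; the findings column is where a real audit (like nipper's) would expand into full explanations.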


Try it – you’ll love it.

© 2009, Peter Van Eeckhoutte. All rights reserved. Terms of use are applicable to this document.
