Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)


A short while ago, I came across two really nice tools that help with

– visualizing ScreenOS configs as HTML pages

– auditing firewall configs


Converting screenos to html

The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/

It is written in Perl, and both the .pl script and the compiled version are part of the download package.

After downloading and extracting the zip file (I’m using the Windows version), you need to edit the config file, which can be found in the etc folder (ns2html.cfg).

Verify the “PUBLISH” and “BROWSER” paths and save the file.

Next, launch the ns2html.exe file (under bin).


Select your ScreenOS config file and verify the output directory. Tick “open rulebase in browser after generation?” and click Generate.

Note: if you have previously converted a config file from the same firewall and are saving the files in the same folder, you will be prompted to overwrite the existing files in the small command-line window that sits behind the dialog. When the process is complete, you’ll find a subfolder (named after the firewall) that contains a couple of HTML files and images. When you open the index page (index.<date>.html), you’ll get this:


Life doesn’t get much easier than this… I wish there were more awesome tools like this. It is a great tool for people who want to keep a copy of their rulesets in a user-friendly, readable format.


Audit your ruleset

The second tool I would like to talk about is “nipper”. This utility was written by Ian Ventura-Whiting and can be found at http://nipper.titania.co.uk. It is a Network Infrastructure Parser (hence the name nipper) and produces a friendly, readable report containing a security audit of your config file.

The tool supports a whole range of devices: Bay Networks, Cisco IOS, Cisco ASA, Juniper Netscreen, Nortel Passport, Nokia, SonicWall, …

After downloading and extracting the “all in one” package, you will see these files:


Edit the nipper.ini file with WordPad or Notepad++ and go to the Report section. Set a Company Name and save the file.

When you run nipper /? or nipper --help, you’ll get a short help text:

                     _                           ____
               _ __ (_)_ __  _ __   ___ _ __    / ->/|
              | '_ \| | '_ \| '_ \ / _ \ '__|  /<-_/ |
              | | | | | |_) | |_) |  __/ |     |   | /
              |_| |_|_| .__/| .__/ \___|_|     |___|/
                      |_|   |_|

                         CLI Version 0.12.0
                    http://nipper.titania.co.uk
            Copyright (C) 2006-2008 Ian Ventura-Whiting

Nipper is a  Network Infrastructure  Configuration Parser.  Nipper takes
a network infrastructure  device configuration,  processes the  file and
produces  a report  which can  include detailed a  security audit  and a
configuration report.

By default, input is retrieved from stdin and is output (in HTML format)
to stdout.

Command:
    nipper [Options]

General Options:
    --input=<file>
    Specifies a  device configuration  file to  process.  For CheckPoint
    Firewall-1  configurations,  the  input should be the conf directory
    (or the database directory).

    --output=<file> | --report=<file>
    Specified an output file for the report.

    --version
    Displays the program version.

Example:
    The  example   below  will   process  a   Cisco   IOS-based   router
    configuration file called ios.conf  and output  the report to a file
    called report.html.

    nipper --ios-router --input=ios.conf --output=report.html

For additional help:
    --help[=<topic>]
    Show  the  online help  or show  the  additional  help on  the topic
    specified.  The help  topics  are;  GENERAL,  DEVICES,  DEVICES-ADV,
    SNMP,  REPORT, REPORT-ADV,  REPORT-SECT, REPORT-HTML,  REPORT-LATEX,
    AUDIT-ACL, AUDIT-PASS, AUDIT-ADV or CONFIG-FILE.

Copy the ScreenOS (or other supported) config file into the folder and run

nipper --input=yourconfigfile.cfg --output=firewallaudit.html

If the tool has difficulties determining the type of device, you can specify the device using one of the following parameters:

    CMD Option       Device Type
    ====================================================
    --auto           Auto-Detect Device (Default)
    --3com-firewall  3Com SuperStack 3 Firewall
    --accelar        Bay Networks Accelar
    --cp-firewall    CheckPoint Firewall Module
    --cp-management  CheckPoint Management Module
    --ios-router     Cisco IOS-based Router
    --ios-catalyst   Cisco IOS-based Catalyst Switch
    --pix            Cisco PIX-based Firewall
    --asa            Cisco ASA-based Firewall
    --fwsm           Cisco FWSM-based Router
    --catos          Cisco CatOS-based Catalyst
    --nmp            Cisco NMP-based Catalyst
    --css            Cisco Content Services Switch
    --procurve       HP ProCurve Switches
    --screenos       Juniper NetScreen Firewall
    --nokiaip        Nokia IP Firewall
    --passport       Nortel Passport Device
    --nortel-switch  Nortel Ethernet Routing Switch 8300
    --sonicos        SonicWall SonicOS Firewall
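To show what the two tools do under the hood, here is an added example that is not ns2html’s or nipper’s code: a small Python script that parses single-line ScreenOS “set policy” statements, renders the rulebase as an HTML table (the ns2html idea) and runs two nipper-style checks over it (permit rules that allow any source to any destination on any service, and permit rules without logging). The sample config, the column names and the finding texts are constructed for this illustration; only the single-line policy syntax and the “set policy id N disable” form are assumed to match real ScreenOS output.

```python
"""Toy ScreenOS rulebase parser, HTML renderer and audit.

Added example, not ns2html's or nipper's code.  Handles the single-line
policy form only; multi-line (policy context) definitions are out of scope.
"""
import re
from dataclasses import dataclass
from html import escape

# Assumed single-line ScreenOS policy syntax:
#   set policy id <n> [name "<name>"] from "<zone>" to "<zone>"
#       "<src>" "<dst>" "<service>" <permit|deny|reject> [log] ...
POLICY_RE = re.compile(
    r'^set policy id (?P<id>\d+)'
    r'(?: name "(?P<name>[^"]*)")?'
    r' from "(?P<from>[^"]*)" to "(?P<to>[^"]*)"'
    r' "(?P<src>[^"]*)" "(?P<dst>[^"]*)" "(?P<svc>[^"]*)"'
    r' (?P<action>permit|deny|reject)(?P<rest>.*)$'
)
DISABLE_RE = re.compile(r'^set policy id (?P<id>\d+) disable$')


@dataclass
class Policy:
    id: int
    name: str
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    log: bool
    disabled: bool = False


def parse_policies(config_text):
    """Return policies in config order (the order the firewall evaluates)."""
    policies = {}
    for raw in config_text.splitlines():
        line = raw.strip()
        m = POLICY_RE.match(line)
        if m:
            pid = int(m['id'])
            policies[pid] = Policy(
                id=pid, name=m['name'] or '',
                src_zone=m['from'], dst_zone=m['to'],
                src=m['src'], dst=m['dst'], service=m['svc'],
                action=m['action'], log='log' in m['rest'].split())
            continue
        d = DISABLE_RE.match(line)
        if d and int(d['id']) in policies:
            policies[int(d['id'])].disabled = True
    return list(policies.values())


COLUMNS = ('ID', 'Name', 'From', 'To', 'Source', 'Destination',
           'Service', 'Action', 'Log', 'Enabled')


def render_html(policies, title='Rulebase'):
    """Render the rulebase as one HTML table, escaping every cell."""
    head = ''.join(f'<th>{c}</th>' for c in COLUMNS)
    rows = []
    for p in policies:
        cells = (p.id, p.name, p.src_zone, p.dst_zone, p.src, p.dst,
                 p.service, p.action, 'yes' if p.log else 'no',
                 'no' if p.disabled else 'yes')
        rows.append('<tr>' + ''.join(f'<td>{escape(str(c))}</td>' for c in cells) + '</tr>')
    return (f'<html><head><title>{escape(title)}</title></head><body>'
            f'<h1>{escape(title)}</h1><table border="1"><tr>{head}</tr>'
            + ''.join(rows) + '</table></body></html>')


def audit(policies):
    """Return (policy id, finding) tuples for enabled rules worth reviewing."""
    findings = []
    for p in policies:
        if p.disabled:
            continue
        wide_open = p.src == 'Any' and p.dst == 'Any' and p.service == 'ANY'
        if p.action == 'permit' and wide_open:
            findings.append((p.id, 'permits any source to any destination on any service'))
        if p.action == 'permit' and not p.log:
            findings.append((p.id, 'permits traffic without logging'))
    return findings


# Constructed sample config; zone, object and service names are made up.
SAMPLE_CONFIG = """\
set policy id 1 name "outbound" from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "DMZ" "Any" "web-srv" "HTTP" permit
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set policy id 4 from "DMZ" to "Trust" "web-srv" "db-srv" "MS-SQL" permit log
set policy id 4 disable
"""

if __name__ == '__main__':
    pols = parse_policies(SAMPLE_CONFIG)
    with open('rulebase.html', 'w', encoding='utf-8') as fh:
        fh.write(render_html(pols, 'Sample firewall'))
    for pid, text in audit(pols):
        print(f'policy {pid}: {text}')
```

Running the script writes rulebase.html next to it and prints two findings for the sample: policy 1 is an any/any/any permit and policy 2 permits without logging; the disabled policy 4 and the deny rule are skipped. A real audit tool layers many more checks on top of this (address objects, service groups, rule ordering and shadowing), which is exactly what nipper’s report adds.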


Try it – you’ll love it.

© Corelan Consulting BV. All rights reserved. ​The contents of this page may not be reproduced, redistributed, or republished, in whole or in part, for commercial or non-commercial purposes without prior written permission. See the Terms of Use and Privacy Policy for details.

3 thoughts on “Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)”

  1. I stumbled over this older article on the search for such tools. ns2html is working well for me. But unfortunately your link to nipper is broken. The correct link is https://www.titania-security.com/ and it seems to me, that nipper is now commercial.
