8/8/2019 Cisco Security Guide 1.0
http://slidepdf.com/reader/full/cisco-security-guide-10 1/9
Using Nipper With Cisco Security Appliances (ASA, FWSM And PIX)
User Guide
Version Information
Record of Changes
Issue: 1.0
Date: 6th July 2009
Detail of changes: Initial version
Copyright Titania 2009 Page i
Contents
Version Information
Contents
1 Introduction
2 Getting The Configuration
2.1 Using ASDM And PDM
2.2 Using TFTP
2.3 Using SSH, Telnet Or The Console
3 Using Nipper
3.1 Nipper One
3.2 Nipper Command Line Tool
4 Support
4.1 On-Line
1 Introduction
This guide is intended to be a device-specific supplement to the “Getting Started With Nipper
1.0” user guide. This document specifically focuses on Cisco Security Appliances such as ASA, FWSM and PIX devices. The guide highlights the different methods you can employ
to extract the configuration from your Cisco device, and then how to use that configuration file
with Nipper to generate a security audit of your device.
Cisco provide a range of detailed technical documents for their devices which can be
downloaded from the Cisco web site at: http://www.cisco.com.
2 Getting The Configuration
There are multiple ways that you can extract the configuration from your Cisco Security
Appliance; this section outlines just three of them.
Your configuration should be treated as sensitive information, just as your personal details
should be considered sensitive information. For that reason we recommend that the
configuration is transferred over an encrypted connection in order to help prevent it
from being leaked. We recommend that you use either ASDM, PDM, SSH or a direct console
connection to the device in order to get the configuration.
More information on extracting your device's configuration can be found in your device's
documentation.
2.1 Using ASDM And PDM
The ASDM and PDM interfaces can be accessed using a web browser with Java capabilities. Whether you have access to ASDM or PDM will depend on your security appliance (and its
age), but the procedure is the same for both. The procedure for getting the configuration from
your device is as follows:
1. Using your favorite web browser, connect to the HTTPS service provided by your Cisco
device for remote management. You can do this by entering https:// followed by
your device's IP address.
2. On ASDM-capable devices, click on the “Run ASDM as a Java Applet” button.
3. Log on using your administration username and password.
4. You should now see the ASDM or PDM application, both of which are shown in the
screens below.
5. You can show the “running-config” using the option on the File menu.
6. Copy and paste the configuration into a file to use with Nipper.
Cisco ASDM:
Cisco PDM:
2.2 Using TFTP
We don’t recommend using TFTP to transfer your configuration because of weaknesses in the
protocol; the other methods described in this section are more secure. However, here is the
procedure for using TFTP:
1. Connect to the Cisco device using SSH, Telnet, ASDM, PDM or through a console connection.
2. Log in to your Cisco PIX device.
3. Transfer the configuration using the TFTP command:
write net <ip-address>:<filename>
2.3 Using SSH, Telnet Or The Console
For this procedure you will be using the Command Line Interface (CLI) of your Cisco device
through an SSH client (such as OpenSSH or PuTTY), Telnet or the console port. We
recommend using either SSH (for remote connections) or a direct connection to the console port. Telnet provides no encryption of the communications, and therefore your
authentication credentials and configuration would be exposed if a malicious user were to
monitor your connection.
Use the following procedure to obtain a copy of the configuration file:
1. Connect to the Cisco device using your favorite SSH client, Telnet or a direct console
connection.
2. Log on using your administration authentication credentials.
3. Enter enable and type in your enable password.
4. Execute the following CLI command and capture the output (possibly using the cut and
paste facility):
show run
5. Save the captured output to a file and remove any visible pager lines (i.e. --More--).
3 Using Nipper
3.1 Nipper One
From the Nipper One main screen select, depending on your device, the “Cisco Security
Appliance (ASA)”, “Cisco Security Appliance (FWSM)” or “Cisco Security Appliance (PIX)”
device type from the drop-down list. Then select your configuration file; in the screenshot below the
configuration was saved in a file called myconfig.txt.
Once you are ready, click the “Go” button. The security audit will be performed and a report
will be shown on your screen.
3.2 Nipper Command Line Tool
You can specify that the configuration file is from a Cisco Security Appliance using the --asa,
--fwsm or --pix command line options. For example, if your configuration was saved in a file
called myconfig.txt, you could generate a report using the following commands:
For ASA devices:
nipper --asa --input=myconfig.txt --output=myreport.html
For FWSM devices:
nipper --fwsm --input=myconfig.txt --output=myreport.html
For PIX devices:
nipper --pix --input=myconfig.txt --output=myreport.html
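The two manual steps of sections 2.3 and 3.2, cleaning the pager lines out of a saved CLI capture and choosing the right device option for nipper, are easy to script. The following POSIX shell script is an added example and is not part of the Titania guide or of Nipper itself; the function names, the sample capture it writes, and the choice of the platform version line (ASA Version, FWSM Version, PIX Version) as the way to detect the device type are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not part of the Titania guide: tidy a saved CLI capture of
# "show run" (section 2.3) and pick the matching Nipper device option
# (section 3.2). Function names and the sample capture are constructed.

# Constructed sample of what a saved terminal session looks like: prompt,
# the echoed command, CRLF line endings and the pager prompts that appear
# when the output is longer than the terminal.
write_sample_capture() {
  printf '%s\r\n' \
    'asa# show run' \
    ': Saved' \
    ':' \
    'ASA Version 8.2(1)' \
    '!' \
    'hostname asa' \
    '--More--' \
    'interface Ethernet0/0' \
    ' nameif outside' \
    '<--- More --->' \
    ' security-level 0' \
    ': end' \
    'asa#' > "$1"
}

# clean_capture RAW CLEANED
# Strips carriage returns, pager prompts, the echoed "show run" command and
# the trailing prompt, leaving only configuration lines. The cleaned file is
# made owner-readable only because it holds credentials and keys.
clean_capture() {
  tr '\r' '\n' < "$1" \
    | sed -e 's/<--- More --->//g' \
          -e 's/--More--//g' \
          -e '/^[[:space:]]*$/d' \
          -e '/^[^[:space:]]*[#>][[:space:]]*show run/d' \
          -e '/^[^[:space:]]*#[[:space:]]*$/d' > "$2"
  chmod 600 "$2"
}

# device_option CLEANED
# Prints --asa, --fwsm or --pix based on the platform version line near the
# top of a saved configuration (assumed format); returns 1 for anything else.
device_option() {
  if grep -q '^ASA Version' "$1"; then
    printf '%s\n' '--asa'
  elif grep -q '^FWSM Version' "$1"; then
    printf '%s\n' '--fwsm'
  elif grep -q '^PIX Version' "$1"; then
    printf '%s\n' '--pix'
  else
    return 1
  fi
}

# nipper_command CLEANED REPORT
# Prints the nipper command line from section 3.2 for the detected device.
nipper_command() {
  opt=$(device_option "$1") || {
    printf 'unrecognised device type in %s\n' "$1" >&2
    return 1
  }
  printf 'nipper %s --input=%s --output=%s\n' "$opt" "$1" "$2"
}

# Demonstration on the constructed sample; writes only to a temporary directory.
work=$(mktemp -d)
write_sample_capture "$work/capture.txt"
clean_capture "$work/capture.txt" "$work/myconfig.txt"
cat "$work/myconfig.txt"
nipper_command "$work/myconfig.txt" "$work/myreport.html"
```

The script only prints the nipper command line rather than running it, so it can be checked before the report is generated. On ASA software the pager prompts can be avoided altogether by running terminal pager 0 before show run, but the cleaning step is still useful for captures taken from older PIX devices or from a console session where paging was left on.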
4 Support
4.1 On-Line
The Titania web site (http://www.titania.co.uk) has a support section that includes
documentation, updates, frequently asked questions (FAQ), forums and more. If you have
any feature requests or identify any bugs, these can be added to the Titania Bugzilla system.
You will then be notified by email of any changes made to your entries or those that you are
monitoring.