29,713 views
Juniper : Netscreen/ScreenOS to HTML (ns2html) + audit your firewall config (nipper)
A short while ago, I came across 2 really nice tools that will help
– visualizing screenos configs into html pages
– auditing firewall configs
Converting screenos to html
The first tool, called ns2html, was developed by Rodrigo Pace de Barros and can be found at http://ns2html.sourceforge.net/
It is written in perl and both the .pl and the compiled version are part of the download package.
After downloading and extracting the zip file (I’m using the Windows version), you need to edit the config file, which can be found in the etc folder (ns2html.cfg)
Verify the “PUBLISH” and “BROWSER” path and save the file
Next, launch the ns2html.exe file (under bin)
Select your screenos config file, verify the output directory. Click “open rulebase in browser after generation?” and click generate.
Note : if you have previously converted a config file from the same firewall before, and are saving the files in the same folder, you will be prompted to overwrite the files in the small command-line window that sits behind the window dialog. When the process is complete, you’ll get a subfolder (name of the firewall) that contains a couple of html files and images. When you open the index page (index.
Life doesn’t get much easier than this… I wish there were more awesome tools like this. This is really a great tool for people who are looking to save their rulesets in a very user-friendly & readable format.
Audit your ruleset
A second tool I would like to talk about is “nipper”. This utility was written by Ian Ventura-Whiting and can be found at http://nipper.titania.co.uk . It is a Network Infrastructure Parser (hence the name NIPper) and will provide a nice friendly report containing a really nice audit report on your config file.
The tool supports a whole range of devices : Bay Networks, Cisco IOS, Cisco ASA, Juniper Netscreen, Nortel Passport, Nokia, SonicWall, …
After downloading and extracting the “all in one” package, you will see these files :
Edit the nipper.ini file with wordpad or notepad++ and go to the Report section. Set a Company Name and save the file.
When you run nipper /? or nipper –help, you’ll get a short help text :
_ ____ _ __ (_)_ __ _ __ ___ _ __ / ->/| | '_ \| | '_ \| '_ \ / _ \ '__| /<-_/ | | | | | | |_) | |_) | __/ | | | / |_| |_|_| .__/| .__/ \___|_| |___|/ |_| |_| CLI Version 0.12.0 http://nipper.titania.co.uk Copyright (C) 2006-2008 Ian Ventura-Whiting Nipper is a Network Infrastructure Configuration Parser. Nipper takes a network infrastructure device configuration, processes the file and produces a report which can include detailed a security audit and a configuration report. By default, input is retrieved from stdin and is output (in HTML format) to stdout. Command: nipper [Options] General Options: --input= |
Copy the screenos (or other compatible) config file into the folder and run
nipper –input=yourconfigfile.cfg –output=firewallaudit.html
If the tool has difficulties determining the type of device, you can specify the device using one of the following parameters :
CMD Option Device Type ==================================================== --auto Auto-Detect Device (Default) --3com-firewall 3Com SuperStack 3 Firewall --accelar Bay Networks Accelar --cp-firewall CheckPoint Firewall Module --cp-management CheckPoint Management Module --ios-router Cisco IOS-based Router --ios-catalyst Cisco IOS-based Catalyst Switch --pix Cisco PIX-based Firewall --asa Cisco ASA-based Firewall --fwsm Cisco FWSM-based Router --catos Cisco CatOS-based Catalyst --nmp Cisco NMP-based Catalyst --css Cisco Content Services Switch --procurve HP ProCurve Switches --screenos Juniper NetScreen Firewall --nokiaip Nokia IP Firewall --passport Nortel Passport Device --nortel-switch Nortel Ethernet Routing Switch 8300 --sonicos SonicWall SonicOS Firewall |
Try it – you’ll love it.
© 2009 – 2021, Peter Van Eeckhoutte (corelanc0d3r). All rights reserved.