Are there any automated tools for auditing config files exported from Cisco IOS devices? Free/Open Source is always nice, but anything that does the job would be of interest.
6 Answers
Cisco's own SDM (Security Device Manager) performs some basic auditing. "Cisco SDM allows users to perform one-step security audits to evaluate the strengths and weaknesses of their router configurations against common security vulnerabilities." For a list of features included, see AutoSecure Features Implemented in Cisco SDM.
Another well-known tool is Cisco RAT, available from the Center for Internet Security.
These are good starting points, but far from perfect.
A more recent option (which I haven't tried yet) is the Nessus IOS plugin from Tenable.
More ad hoc (single-function) tools can be found at http://packetstormsecurity.org/cisco/page1/ and http://www.cymru.com/Tools/index.html
You can also check out Nipper (http://www.titania.co.uk/)
Nipper enables you to perform your own comprehensive security audits of your network devices. Nipper supports around 60 different network firewalls, switches and routers from a wide range of manufacturers such as Cisco, HP, Juniper, Check Point and Extreme Networks.
It's cheap: $85 for evaluating 5 devices (home license).
HP Network Automation is what we use. It's commercial software but works great.
For devices with ACLs you should try Tufin SecureTrack.
It reads in the running config file and allows you to perform various kinds of analysis, such as an ACL overlap report or finding ACLs that match certain access patterns (for example, ACLs allowing access from one zone to another), etc.
CiscoConfParse (download link) is an open-source audit toolset that lets you express the audit as Python code. Disclaimer: I am the author.
License: GPL
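The "audit expressed as Python code" idea from the CiscoConfParse answer, as an added example that is not part of any answer above and does not use CiscoConfParse's own API: a self-contained script that groups a constructed IOS config excerpt into parent/child blocks by indentation (the same hierarchical view CiscoConfParse gives you) and runs a few common hardening checks over it. The sample config and the check list are assumptions made for this example.

```python
# Constructed sample IOS config excerpt (not from any real device), with a few
# deliberate hygiene gaps for the audit to find.
SAMPLE_CONFIG = """\
hostname lab-rtr
enable password cisco
ip http server
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no shutdown
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
line vty 0 4
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

def parse_ios(text):
    """Group an IOS config into (parent_line, [child_lines]) blocks.
    Top-level (unindented) lines start a block; indented lines belong
    to the most recent block. Blank lines and '!' separators are skipped."""
    blocks = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("!"):
            continue
        if line.startswith(" "):
            if blocks:
                blocks[-1][1].append(line.strip())
        else:
            blocks.append((line.rstrip(), []))
    return blocks

def audit(text):
    """Return a list of findings; each check is plain Python over the parsed blocks."""
    blocks = parse_ios(text)
    top_level = {parent for parent, _ in blocks}
    findings = []
    if "service password-encryption" not in top_level:
        findings.append("service password-encryption is not enabled")
    if any(p.startswith("enable password") for p in top_level) and \
            not any(p.startswith("enable secret") for p in top_level):
        findings.append("enable password used instead of enable secret")
    if "ip http server" in top_level:
        findings.append("ip http server is enabled")
    for parent, children in blocks:
        if parent.startswith("line vty"):
            transport = [c for c in children if c.startswith("transport input")]
            if transport != ["transport input ssh"]:  # telnet or unrestricted access
                findings.append(f"{parent}: transport input is not restricted to ssh")
    return findings
```

Running `audit(SAMPLE_CONFIG)` on the constructed excerpt reports four findings: the two missing global settings, the enabled HTTP server, and the second vty range that still admits telnet.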