Monday, 17 February 2014

Advanced Nipper Studio Configuration

Ian Whiting and Edwin Bentley

About the Authors

Ian Whiting, Titania CEO and Creator of Nipper Studio
Ian has been working with leading global organizations and government agencies to help improve computer security for more than a decade. He has previously been accredited by CESG for his security and team leading expertise for over 5 years. In 2009 Ian Whiting founded Titania with the aim of producing security auditing software products that can be used by non-security specialists and provide the detailed analysis that traditionally only an experienced penetration tester could achieve.

Edwin Bentley, Software Developer at Titania
Edwin joined Titania in 2011 and has since become a key member of the development team, having primary involvement in the advancement of both the Nipper Studio and Paws Studio software. He has a keen interest in Information Security and the role that the industry will play in the future advancement of technologies.


Nipper Studio contains a wealth of configuration options to modify and customize the audits that are produced. This article covers how to access and modify those settings to enable you to fine tune your own audit reports.

To start, it is worth mentioning that Nipper Studio settings are “sticky” by default: if you set an option in the graphical environment, that option will remain set the next time you run Nipper Studio. The same applies to the command line version, so setting an option in the graphical environment sets that option for the command line as well.

To access the settings on Windows you select “Options” from the “Tools” menu (on Linux this is called “Settings” and on the Mac it is called “Preferences”; see Figure 1). 

Figure 1. Nipper Studio main frame

Due to the number of different customization and configuration options available, the settings window categorizes the settings into the following groups (see Figure 2):

• Global – These settings affect all areas of Nipper Studio and contain options such as changing the company name used in the report, the formatting of dates and whether passwords should be shown in the output. This section also contains an option labelled “Auto Save Settings”. This is the option that makes Nipper Studio settings sticky.

• Devices – Nipper Studio supports over 100 different network devices and some devices have options that modify how they process a configuration. For example, Check Point configurations can contain multiple policies and options are available to determine how multiple policies are handled.

• Reports – You can create a number of different audit report types in Nipper Studio, with more report types coming soon. These report options enable you to configure the settings for each of the report types. For example, you may want to modify the audit password length checked during a security audit.

• Saving – As with report types, Nipper Studio also supports a wide variety of different file formats that a report can be saved as. For example, the HTML report fonts, colors or entire Cascading Style Sheet (CSS) can be modified using these settings.


Figure 2. Nipper Studio setting options

The best practice security audit report is the most common type of report created in Nipper Studio, so I will guide you through the configuration of those options. These can be accessed by selecting the “Reports” icon on the left and then selecting the “Settings” button next to the “Security Audit” entry.

On platforms that include the “?” icon in the window title, you can gain additional help on the various options by selecting the “?” icon and then clicking on the option that you would like more information on. Additionally, the options also include “tool tip” help that appears when you hover your mouse over an option.


Coverage


Due to the large number of different configuration options available for each report type, they have been sectioned into tabs to make them easier to navigate. First off there is the “Coverage” tab, where you can select or deselect the different categories of configuration settings that you would like included within your audit report. For example, you may only be interested in auditing firewall rules, so you could deselect everything except the “Audit Network Filtering” option (see Figure 3).


Figure 3. Setting audit areas


Reporting


On the reporting tab you can select various options relating to how the security audit is reported. For example, any identified security audit issues can be scored using one of two different rating systems. The Nipper v1 (default) rating system is a best-practice rating system. Alternatively, you could select the industry standard CVSS v2 rating system, which is a vulnerability scoring system (see Figure 4).


Figure 4. Reporting

If you choose to select the CVSS v2 rating system you can enter your own environmental metrics so that the scores are modified to take into account your own environment. You can find out more information on the CVSS v2 rating system at: http://www.first.org/cvss/cvss-guide.html


Filtering


The filtering tab includes options to modify how firewall rules and objects are checked. These include options to enable checks against certain categories of firewall rules, rule complexity and more (see Figure 5).


Figure 5. Filtering (firewall rules modifications)

You can enable the filter rules to be audited even if filter rules have been disabled on a particular device. Your own environment may separate functionality between different classes of device, so you can also prevent firewall rules from being processed on certain types of device (such as print servers and application switches, see Figure 6).


Figure 6. Filtering (devices)

Nipper Studio contains a number of black lists. If a firewall rule is identified which permits traffic that matches a black list entry, an issue is reported. The black lists include unencrypted clear text services, administrative services and hosts. You can modify each of those black lists by clicking on the “Define…” button next to each one (see Figure 7).


Figure 7. Filtering (black lists)

As briefly mentioned earlier, Nipper Studio includes a number of rule complexity checks. These checks are disabled by default as they add to the time taken to create the audit. If you are interested in identifying firewall rules that contradict or overlap with other firewall rules, then this functionality can be enabled here. On large and complex rule bases, especially those from Check Point devices, the complexity checks can add a number of minutes to the audit process.
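
To illustrate what a contradiction or overlap between rules looks like, and why checking for them is costly on large rule bases, here is an added example (not Nipper Studio's algorithm) that compares every pair of rules in a small constructed rule base. It assumes first-match semantics and a simplified rule format of name, action, source, destination and port range; the finding labels are hypothetical.

```python
from ipaddress import ip_network
from itertools import combinations

# Constructed rule base: (name, action, source, destination, (first_port, last_port)).
RULES = [
    ("r1", "permit", "10.0.0.0/8", "192.0.2.0/24", (1, 65535)),
    ("r2", "deny", "10.1.0.0/16", "192.0.2.10/32", (23, 23)),
    ("r3", "permit", "10.1.2.0/24", "192.0.2.0/24", (443, 443)),
    ("r4", "deny", "10.1.2.0/24", "192.0.2.0/24", (400, 500)),
]


def _relation(first, later):
    """Return 'covers', 'overlaps' or 'disjoint' for an earlier/later rule pair."""
    fs, fd = ip_network(first[2]), ip_network(first[3])
    ls, ld = ip_network(later[2]), ip_network(later[3])
    (f_lo, f_hi), (l_lo, l_hi) = first[4], later[4]
    # Rules interact only if source, destination and ports all intersect.
    if not (fs.overlaps(ls) and fd.overlaps(ld) and f_lo <= l_hi and l_lo <= f_hi):
        return "disjoint"
    covered = ls.subnet_of(fs) and ld.subnet_of(fd) and f_lo <= l_lo and l_hi <= f_hi
    return "covers" if covered else "overlaps"


def complexity_findings(rules):
    """Return (later_rule, earlier_rule, kind) for every interacting pair."""
    findings = []
    # Every rule is compared with every later rule, so work grows as n^2.
    for first, later in combinations(rules, 2):
        rel = _relation(first, later)
        if rel == "disjoint":
            continue
        same_action = first[1] == later[1]
        if rel == "covers":
            # The later rule can never match under first-match semantics.
            kind = "redundant" if same_action else "contradicted"
        else:
            kind = "overlap" if same_action else "partial-contradiction"
        findings.append((later[0], first[0], kind))
    return findings
```

Four rules need only six comparisons, but a rule base of several thousand entries needs millions, which is why the checks are an opt-in setting.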


User Policy and Passwords


Although not all network devices include all the functionality that is checked during the security audit, where an insecure configuration is identified it is reported. The user policy tab includes options for password retention, account lockout and timeouts (see Figure 8).


Figure 8. User policy

Nipper Studio includes a number of advanced high performance crypto routines that are able to reverse passwords that have been encrypted using a number of different algorithms. These deciphered passwords can then be assessed against the password policy. Any non-reversed passwords can be saved out to a file for brute-forcing using a tool such as John the Ripper (http://www.openwall.com/john/). 

The passwords tab includes options for determining how the password complexity checks are performed against the known passwords. For options where a numerical value is specified, help text will also offer a guide as to what is considered more secure. For example the greater the number of characters in a password, the more secure it will be (see Figure 9).


Figure 9. Passwords


Vulnerability and Misc


The vulnerability tab enables you to configure the software version vulnerability analysis performed against a particular device. Generally the vulnerability analysis performed compares the version information contained within the configuration against the version detailed in the device configuration. However, the software version may be only partially detailed in the configuration, and sometimes not detailed at all. In those cases Nipper Studio makes a guess as to the version. This can lead to the reporting of false positives, so the wording in the reported issue is suitably adapted to highlight those details (see Figure 10).

Figure 10. Vulnerability

You can specify the version details when processing a configuration in order to filter out some false positives, and you could include the “show version” (or equivalent) output in the configuration. Additionally, there is a “Vulnerability Filtering” option that helps to filter out the vulnerability list further based on the services and protocols configured. So if the vulnerability is specific to SSH and you have disabled that service, then it is not reported.

Finally, the misc tab includes options to set the logging severity level and any words that should not be contained within logon banner messages (see Figure 11).


Figure 11. Misc


Conclusion


I hope that this article has provided you with sufficient information about how you can use some of Nipper Studio’s advanced settings to start customizing your own network audits. There are many other options for configuring Nipper Studio. For more information about these, you can visit the Titania website at www.titania.com or contact us directly at enquiries@titania.com
