nanog mailing list archives

Re: Nipper and Cisco configuration results


From: Lee <ler762 () gmail com>
Date: Sat, 4 Apr 2009 10:05:47 -0400

On 4/3/09, Subba Rao <castellan2004-nsm () yahoo com> wrote:

> I did see a few false positives too with Nipper.  What do you think about
> Router Audit Tool (RAT) instead?

RAT is the approved IOS security audit tool at $work, so it doesn't
matter what I think about it :)
But it is fairly nice ... as long as you keep in mind its limitations.

I looked at Nipper a while back; it had some nice features but not
enough to keep me from uninstalling it.

The problem I have with both RAT and Nipper is they're geared towards
security and I'm more interested in verifying that the routers are
configured correctly.  What kind of tools are people using for that?
For an example of the type of thing I'm interested in, see
filter_audit in the presentation at
http://www.nanog.org/mtg-0210/abley.html

> I downloaded ncat (aka RAT), but it does
> not have a global configuration file which I can use for all the routers and
> switches I have.

Works for me.  Just remember that RAT is pretty old & fails
miserably on things like 6500s that are both routers and switches.  So
figure out what's common to all your routers and configure RAT to
check that set of parameters.  Then create another RAT config for
L2/L3 switches that doesn't check as much (e.g., don't check for
proxy-arp being disabled).

Regards,
Lee

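The per-role approach Lee describes (one set of checks common to all routers, a reduced set for L2/L3 switches) is easy to prototype outside RAT. The script below is an added example for this archive page; it is not RAT, ncat, Nipper, or anything Lee or Subba Rao posted. The baseline lines it checks for (service password-encryption, no ip source-route, no ip proxy-arp on L3 interfaces) and the two sample configs are constructed for illustration, not a recommended hardening standard, and the "router"/"switch" profile names are assumptions. It also shows why the second profile matters: a 6500-style config with both switchports and SVIs gets a spurious proxy-arp finding when audited with the router profile.

```python
"""Profile-based audit of Cisco IOS running-configs (added example).

Not RAT/ncat or Nipper code.  The baseline lines below and the two
sample configs are constructed for illustration only.
"""
import re

# Hypothetical baseline: top-level lines every device must carry.
COMMON_GLOBAL_REQUIRED = (
    "service password-encryption",
    "no ip source-route",
)

# Per-role profiles.  Routers get the interface checks; the L2/L3 switch
# profile deliberately skips the proxy-arp check, since platforms that
# are both router and switch trip it constantly.  Names are assumptions.
PROFILES = {
    "router": {"global_required": COMMON_GLOBAL_REQUIRED,
               "interface_required": ("no ip proxy-arp",)},
    "switch": {"global_required": COMMON_GLOBAL_REQUIRED,
               "interface_required": ()},
}


def parse_ios(text):
    """Split a config into top-level lines and {interface: [sub-lines]}.

    Indented lines under non-interface sections (line vty, router ospf,
    ...) are ignored; only the section header lands in the global list.
    """
    globals_, interfaces = [], {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line.startswith(" "):
            if current is not None:
                interfaces[current].append(line.strip())
            continue
        current = None
        m = re.match(r"interface (\S+)", line)
        if m:
            current = m.group(1)
            interfaces[current] = []
        else:
            globals_.append(line)
    return globals_, interfaces


def audit(text, role):
    """Return a list of findings for one config under the given profile."""
    profile = PROFILES[role]
    globals_, interfaces = parse_ios(text)
    findings = []
    present = set(globals_)
    for req in profile["global_required"]:
        if req not in present:
            findings.append(f"global: missing '{req}'")
    for name, lines in interfaces.items():
        # Only L3 interfaces (those carrying an IP address) are in scope;
        # pure switchports have no IP and therefore no proxy-arp to disable.
        if not any(l.startswith("ip address") for l in lines):
            continue
        for req in profile["interface_required"]:
            if req not in lines:
                findings.append(f"{name}: missing '{req}'")
    return findings


# Constructed sample configs (RFC 5737 documentation addresses).
ROUTER_CFG = """\
!
service password-encryption
no ip source-route
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
 no ip proxy-arp
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
line vty 0 4
 transport input ssh
!
"""

SWITCH_CFG = """\
!
service password-encryption
!
interface Vlan10
 ip address 203.0.113.1 255.255.255.0
!
interface GigabitEthernet1/1
 switchport mode access
!
"""

if __name__ == "__main__":
    for label, cfg, role in (("rtr1", ROUTER_CFG, "router"),
                             ("sw1", SWITCH_CFG, "switch"),
                             ("sw1 (wrong profile)", SWITCH_CFG, "router")):
        print(label)
        for f in audit(cfg, role) or ["  clean"]:
            print(" ", f)
```

Run as-is to see the router profile flag the one interface missing `no ip proxy-arp`, the switch profile flag only the missing global line, and the switch config produce an extra Vlan10 proxy-arp finding when run under the router profile.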