InfoSecter Support for NetScreen

Supported Versions

InfoSecter has been tested against versions 5.1 through 5.4 of ScreenOS.

The InfoSecter analysis support concentrates on firewall and VPN features. In particular, InfoSecter reports may include the following classes of actions.

InfoSecter attempts to parse every command that can appear in a Netscreen configuration file (the output of get config). The features most directly related to firewall filtering and IPsec tunneling have been tested most deeply. If a command fails to parse, the rest of the configuration that did parse is still used in the analysis.
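The behaviour just described, continuing past an unparseable command and analysing everything that did parse, is easy to get wrong in a home-grown config checker. The following is an added example of a tolerant parser for ScreenOS `set policy` lines, not InfoSecter's own parser. The sample configuration is constructed for illustration in the style of get config output, and one line is deliberately left with an unbalanced quote so the failure path is exercised; the policy syntax assumed is `set policy id <n> [name "<name>"] from "<zone>" to "<zone>" "<src>" "<dst>" "<service>" permit|deny|reject [log]`.

```python
"""Tolerant parser for ScreenOS `set policy` lines (added example, not InfoSecter code)."""
import shlex
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed sample in the style of `get config` output. Line 10 has an unbalanced
# quote on purpose: one command that fails to parse must not stop the analysis.
SAMPLE_CONFIG = """\
set hostname fw-edge
set ssh version v2
set ssh enable
set scp enable
set interface ethernet1 zone Trust
set interface ethernet3 zone Untrust
set policy id 1 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 2 from "Untrust" to "Trust" "Any" "MailServer" "SMTP" permit
set policy id 3 from "Untrust" to "Trust" "Any" "Any" "ANY" deny log
set snmp community "public Read-Write Trap-on
set policy id 4 name "admin-access" from "Trust" to "DMZ" "Admins" "Any" "SSH" permit
"""


@dataclass
class Policy:
    pid: int
    src_zone: str
    dst_zone: str
    src: str
    dst: str
    service: str
    action: str
    log: bool
    name: Optional[str] = None


@dataclass
class ParseResult:
    policies: List[Policy] = field(default_factory=list)
    other: int = 0                                   # commands recognised but not modelled here
    unparsed: List[Tuple[int, str, str]] = field(default_factory=list)  # (line no, text, reason)


def parse_policy(tokens: List[str]) -> Policy:
    """tokens: shlex-split form of `set policy id N [name X] from SZ to DZ SRC DST SVC ACTION [opts]`."""
    if tokens[2] != "id":
        raise ValueError("expected 'id' after 'set policy'")
    pid = int(tokens[3])
    i = 4
    name = None
    if tokens[i] == "name":
        name = tokens[i + 1]
        i += 2
    if tokens[i] != "from" or tokens[i + 2] != "to":
        raise ValueError("expected 'from <zone> to <zone>'")
    src_zone, dst_zone = tokens[i + 1], tokens[i + 3]
    src, dst, service, action = tokens[i + 4:i + 8]   # raises ValueError if too short
    if action not in ("permit", "deny", "reject"):
        raise ValueError(f"unknown action {action!r}")
    options = tokens[i + 8:]
    return Policy(pid, src_zone, dst_zone, src, dst, service, action, "log" in options, name)


def parse_config(text: str) -> ParseResult:
    """Parse every line; a line that fails is recorded and skipped, never fatal."""
    result = ParseResult()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        try:
            tokens = shlex.split(line)          # handles the quoted zone/address names
            if tokens[:2] == ["set", "policy"]:
                result.policies.append(parse_policy(tokens))
            else:
                result.other += 1
        except (ValueError, IndexError) as exc:  # shlex quote errors, short lines, bad fields
            result.unparsed.append((lineno, line, str(exc)))
    return result


def permissive_policies(policies: List[Policy]) -> List[Policy]:
    """Permit rules matching any source, any destination and any service: the first
    thing an analyst wants surfaced from a firewall configuration."""
    return [p for p in policies
            if p.action == "permit" and p.src == "Any" and p.dst == "Any" and p.service == "ANY"]


if __name__ == "__main__":
    r = parse_config(SAMPLE_CONFIG)
    print(f"{len(r.policies)} policies, {r.other} other commands, {len(r.unparsed)} unparsed")
    for lineno, line, reason in r.unparsed:
        print(f"  line {lineno} skipped ({reason}): {line}")
    for p in permissive_policies(r.policies):
        print(f"  policy {p.pid}: {p.src_zone}->{p.dst_zone} any/any/ANY permit, log={p.log}")
```

Run as-is it reports four policies, six other commands and one skipped line, and flags policy 1 as the any/any/ANY permit. The `unparsed` list is kept in the result rather than written to stderr so a report can state exactly which lines its conclusions do not cover.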

Gather device configurations

InfoSecter operates on configuration files. There are several ways to export a configuration from a Netscreen device. One can use secure copy to pull a configuration from the Netscreen device to a client machine. Another technique pushes a configuration file from the Netscreen device to a client machine. One can also use the Netscreen Security Manager to create CLI versions of the current policy and feed that output to InfoSecter for analysis.

Pulling a configuration

Secure copy (copy over SSH) can be used to pull the configuration saved in non-volatile RAM from the Netscreen device to the client machine.

To enable ssh and scp to your netscreen box, you need the following commands

On the client machine, use a secure copy client (e.g. scp from OpenSSH or pscp from PuTTY) to move files between your client host and the firewall device's flash memory.

The name of the device's startup config on its flash drive is ns_sys_config, so to copy that startup config from the firewall device to ns_sys_config_backup on your client, issue the following command (assuming the default administrative user netscreen on the firewall device).

scp netscreen@192.168.50.50:ns_sys_config ns_sys_config_backup

With Netscreen you can either use a password for the client, or you can register a certificate with the device for client authentication. The Concepts & Examples Reference Guide: Volume 3, Administration document from Netscreen provides the details for setting up ssh, scp, and the authentication options.

Pushing a configuration

From the Netscreen device you can use the "exec save" command to copy the startup configuration to an accessible machine via tftp.

For example, if there is a machine with the address 192.168.200.2 running a tftp server, you can issue the command exec save config from flash to tftp 192.168.200.2 /tftpboot/backup.cfg to copy the startup config to the tftp server.
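Of the two transfer methods above, the scp pull is the one to automate: tftp carries the file in cleartext with no authentication of either end, and the saved configuration holds credential material (admin password hashes, IKE pre-shared keys), so it should be moved and stored like a secret. The following is an added example of a small collector that wraps the scp pull from the previous section and keeps an integrity manifest of each copy; it is not part of InfoSecter or the ScreenOS documentation. It assumes the OpenSSH scp client, that the firewall's SSH host key has already been recorded in a dedicated known_hosts file named netscreen_known_hosts (an assumed file name), and the default administrative user netscreen; 192.168.50.50 and ns_sys_config are the values used on this page.

```python
"""Pull ns_sys_config over scp with a pinned host key and track digests of each copy.

Added example, not InfoSecter code. Assumes OpenSSH scp on the client and a
pre-populated known_hosts file (netscreen_known_hosts, an assumed name).
"""
import hashlib
import json
import subprocess
from pathlib import Path
from typing import Dict, List, Tuple


def scp_pull_command(host: str, local_path: str, user: str = "netscreen",
                     known_hosts: str = "netscreen_known_hosts",
                     remote: str = "ns_sys_config") -> List[str]:
    """Build the scp argument list. StrictHostKeyChecking=yes together with a dedicated
    known_hosts file means an unknown or changed host key aborts the copy instead of
    the admin credential being offered to whatever answers on that address."""
    return ["scp",
            "-o", "StrictHostKeyChecking=yes",
            "-o", f"UserKnownHostsFile={known_hosts}",
            f"{user}@{host}:{remote}", local_path]


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def record_backup(config_bytes: bytes, entries: List[Dict[str, str]],
                  name: str) -> Tuple[str, bool]:
    """Append the digest of a fetched config to the manifest list (mutated in place).
    Returns (digest, changed); changed is True on the first entry and whenever the
    digest differs from the previous one, which is the signal to re-run the analysis."""
    digest = sha256_bytes(config_bytes)
    changed = not entries or entries[-1]["sha256"] != digest
    entries.append({"file": name, "sha256": digest})
    return digest, changed


def load_manifest(path: Path) -> List[Dict[str, str]]:
    return json.loads(path.read_text()) if path.exists() else []


def pull_config(host: str, local_path: str, manifest_path: str, **scp_kwargs) -> Tuple[str, bool]:
    """Run the pinned-host-key scp pull, then record the copy in the JSON manifest."""
    subprocess.run(scp_pull_command(host, local_path, **scp_kwargs), check=True)
    manifest = Path(manifest_path)
    entries = load_manifest(manifest)
    digest, changed = record_backup(Path(local_path).read_bytes(), entries, local_path)
    manifest.write_text(json.dumps(entries, indent=2))
    return digest, changed


if __name__ == "__main__":
    digest, changed = pull_config("192.168.50.50", "ns_sys_config_backup", "manifest.json")
    print(f"{digest}  {'CHANGED' if changed else 'unchanged'}")
```

Keeping the manifest lets a scheduled run feed only changed configurations to InfoSecter and gives you a record of what the device looked like at each point in time. Restrict file permissions on both the backup directory and the manifest to the account that runs the collector.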