Cisco Network Security Scanner

Infrastructurev1.0.0

Offline config analysis for Cisco IOS/IOS-XE/NX-OS/FTD with 128+ checks across 10 modules, CIS and NSA benchmark alignment

128+
checks
10
modules
5
platforms

01Overview

Network Security Scanner (NSS) is a zero-dependency Python tool that audits Cisco device configurations offline. Instead of reaching into live gear over SSH, SNMP, or an API, it ingests exported running-configs (.cfg/.txt/.conf) and evaluates them against CIS Benchmarks, Cisco and NSA hardening guides, and the published Cisco PSIRT advisory database. The output is an interactive dark-theme HTML dashboard with severity-ranked findings, matched evidence lines, and copy-paste remediation commands.

The scanner auto-detects six Cisco platforms from the config text alone — IOS, IOS-XE (Catalyst), NX-OS (Nexus), ASA, Firepower Threat Defense, and WLC (AireOS / Catalyst 9800) — then runs the appropriate subset of 11 audit modules. Because it never touches the network, it is safe to run against configs pulled from an air-gapped environment, a change-management ticket, or a backup vault, which makes it well-suited to consultants, audit teams, and network engineers who receive config dumps rather than device access.

Beyond misconfiguration hardening, a dedicated CVE-detection engine parses the device software train from embedded 'show version' output and matches it against 40 curated Cisco advisories (2018–2026), covering headline threats like the ArcaneDoor ASA/FTD trio, the BadCandy IOS-XE web UI chain, NX-OS Velvet Ant CLI injection, and WLC AP-image RCE. KEV-listed and actively-exploited CVEs are tagged in the finding title so operators triage the real emergencies first.

It is deliberately conservative and transparent: CVE matching flags any device on an affected major.minor train and links the canonical PSIRT advisory rather than guessing patch-level windows, and platform guards emit explicit INFO 'skipped' notices so an absent finding is never misread as a clean bill of health.

02Key Capabilities

Offline, agentless config auditing

Parses exported running-configs with no SSH, SNMP, or API access to devices, so it is safe for air-gapped, backup, or ticket-sourced configs.

Six-platform auto-detection

Classifies each config as IOS, IOS-XE, NX-OS, ASA, FTD, or WLC from its text and routes only the platform-appropriate checks.

11 audit modules, 108 hardening checks

Covers management plane, control plane, data plane, services, switch, wireless, NGFW core, NGFW platform, logging, and crypto posture.

Curated Cisco CVE detection

Matches the detected software train against 40 published PSIRT advisories (2018–2026) including ArcaneDoor, BadCandy, Velvet Ant, and WLC AP-image RCE.

KEV and active-exploitation prioritisation

Tags CVEs listed in CISA KEV or confirmed exploited-in-the-wild directly in the finding title so operators fix the urgent ones first.

Platform-aware false-positive suppression

SUPPORTED_PLATFORMS guards stop IOS-syntax checks from firing on ASA/NX-OS/FTD and emit an explicit INFO skip notice instead of silence.

Actionable remediation on every finding

Each check ships a Cisco CLI fix or upgrade path plus references to the exact CIS section, advisory URL, or CWE.

Evidence with secret redaction

Findings carry the matched config lines as evidence, with passwords and community strings sanitised before display.

Interactive HTML dashboard

Generates a self-contained dark-theme report grouped by severity, device, and category for easy triage and sharing.

Zero dependencies

Runs on Python 3.8+ standard library only — no pip install, no supply-chain surface, portable to locked-down hosts.

Selective scanning and severity filtering

Run specific modules and gate output by severity (e.g. HIGH and above) via simple CLI flags.

Ships realistic sample configs

Seven intentionally-vulnerable device configs exercise the full check matrix and produce 246 findings as an end-to-end smoke test.

03Architecture

A single-file CLI orchestrator loads device configs, a shared parser auto-detects each device type, and a registry of eleven BaseAuditor subclasses runs its platform-guarded checks; findings are tagged with device context, severity-filtered, and rendered into an HTML dashboard. A distinct CVE engine parses the software train and matches it against a curated advisory database rather than grepping for misconfigurations.

1
CLI orchestrator (nss_scanner.py)
Defines MODULE_MAP, loads configs, iterates every device-by-module pair, applies severity filtering, and drives report generation.
2
Config loader & parser (base.py: load_configs, ParsedConfig)
Reads .cfg/.txt/.conf files and auto-detects device_type (ios/iosxe/nxos/asa/ftd/wlc) with ASA token disambiguation, exposing helpers like has_line, get_interfaces, and get_vty_lines.
3
BaseAuditor framework
Provides the finding() schema, SUPPORTED_PLATFORMS guards, and INFO skip-notice emission that every check module inherits.
4
Hardening audit modules (10)
mgmt/ctrl/data/services/switch/wireless/ngfw core/ngfw platform/logging/crypto auditors, each emitting stable-id findings with remediation and standards references.
5
CVE detection engine (cve_detection.py)
detect_version() extracts the running train per platform, matches it against the 40-entry CISCO_CVES database, flags KEV/exploited items, and emits meta-findings for coverage gaps.
6
HTML report generator (report_generator.py)
Aggregates all findings into a self-contained dark-theme dashboard colour-coded by severity.

04Project Structure

nss_scanner.pyMain CLI entry point — argument parsing, MODULE_MAP registry, per-device run loop, severity filtering, summary output.
modules/base.pyBaseAuditor class, finding schema, ParsedConfig parser, load_configs, and device-type auto-detection.
modules/mgmt_plane.pyManagement plane checks — passwords, AAA, SSH, VTY, banners, HTTP, login protection (25 findings).
modules/cve_detection.py40-entry Cisco PSIRT CVE database plus per-platform version detection and train matching.
modules/ngfw_core.pyFirepower/ASA NGFW checks — access control, IPS, AMP, Security Intelligence, SSL decryption.
modules/crypto.pyCryptographic posture — SSH keys, ciphers, TLS versions, IPsec, ISAKMP, DH groups.
modules/report_generator.pyDark-theme HTML dashboard generator that renders aggregated findings.
sample_configs/Seven intentionally-vulnerable device configs (router, switch, Catalyst, Nexus, ASA, WLC, FTD) plus a sample report.
docs/banner.svgProject banner artwork used in the README.
CLAUDE.mdArchitecture notes, auditor pattern, finding schema, and CVE-module documentation for contributors.
CONTRIBUTING.mdContribution guidelines for adding modules, checks, and CVE entries.
README.mdOverview, supported devices, module table, quick start, and CVE coverage documentation.

05Security Controls

Management Plane (25 checks)
Flags type-7/plaintext passwords, missing enable secret, weak/absent AAA (aaa new-model), telnet on VTY, missing SSH v2, absent login banners, exposed HTTP server, and lack of login-attempt protection.
CVE Detection (40 advisories)
Matches the device software train against curated Cisco PSIRT CVEs 2018–2026 — ArcaneDoor (CVE-2025-20333/20362/20363), BadCandy (CVE-2023-20198/20273), SNMP RCE (CVE-2025-20352), Velvet Ant (CVE-2024-20399), WLC AP-image RCE — with 16 KEV-listed and 16 actively-exploited entries tagged in the title.
Cryptographic Posture (10 checks)
Audits SSH key strength, weak ciphers, deprecated TLS/SSL versions, IPsec transform sets, ISAKMP policy, and low Diffie-Hellman groups.
Control Plane (11 checks)
Verifies CoPP, routing-protocol authentication (OSPF/BGP/EIGRP), NTP authentication, spanning-tree protections, and CDP exposure.
Switch Security (8 checks)
Checks port-security, VLAN hygiene, trunk configuration, DTP auto-negotiation, BPDU guard, and IP source guard on access switches.
Data Plane (9 checks)
Evaluates unicast RPF, DHCP snooping, Dynamic ARP Inspection, storm control, ICMP handling, and proxy-ARP exposure.
NGFW Core & Platform (16 checks)
For FTD/ASA: access-control policy, IPS, AMP, Security Intelligence, SSL decryption, plus FTD management access, local accounts, FXOS version, and DNS inspection.
Wireless Security (10 checks)
Assesses SSID encryption, WPA2/WPA3 enforcement, rogue-AP detection, Management Frame Protection, and WLC management hardening.
Logging & Monitoring (10 checks)
Confirms syslog destinations, buffered logging, SNMP traps, NetFlow export, timestamps, and config archive/rollback.
Services & Protocols (9 checks)
Disables unused small/legacy services, hardens SNMP communities and views, and enforces TCP keepalives and log timestamps.

06Technology Stack

Language
Python 3.8+
Dependencies
Zero — standard library only (argparse, re, json, pathlib, html, datetime, typing)
Architecture
Single-file CLI orchestrator + pluggable BaseAuditor modules
Output
Self-contained dark-theme HTML dashboard (JetBrains Mono / DM Sans)
Input formats
Cisco running-config exports (.cfg / .txt / .conf)
Testing / CI
No automated test suite or CI pipeline; validated via 7 bundled sample configs
License
MIT

07Quick Start

$ git clone https://github.com/Krishcalin/Cisco-Network-Security.git && cd Cisco-Network-Security
$ python nss_scanner.py --data-dir ./sample_configs --output report.html
$ python nss_scanner.py --data-dir /path/to/configs --output audit_report.html
$ python nss_scanner.py --data-dir ./configs --modules mgmt ctrl crypto cve
$ python nss_scanner.py --data-dir ./configs --severity HIGH
$ Append 'show version' output to each exported config so the CVE module can match the software train.

08Compliance & Frameworks

CIS Cisco IOS 15 Benchmark
Management, control, and data-plane checks mapped to CIS IOS 15 hardening controls.
CIS Cisco IOS 17.x Benchmark
Alignment for IOS-XE / Catalyst platform checks.
CIS Cisco Firepower FTD Benchmark
NGFW core and platform checks mapped to the Firepower Threat Defense benchmark.
NSA Cisco Firepower Hardening Guide
FTD hardening guidance informing NGFW module checks.
Cisco IOS-XE / NX-OS Hardening Guides
Vendor hardening best practices for Catalyst and Nexus platforms.
CISA KEV & Cisco PSIRT
CVE module tags Known-Exploited-Vulnerabilities and links canonical PSIRT advisories; findings also reference CWE ids.

09Integrations & Outputs

Input: Cisco running-config exports (.cfg / .txt / .conf) from show running-configOutput: self-contained interactive HTML dashboard reportOptional JSON baseline override via --config flagCVE findings deep-link to canonical Cisco PSIRT advisory URLs and Cisco Software Checker

Explore Cisco Network Security Scanner

Full source, documentation, and deployment guides live on GitHub.