01Overview
Network Security Scanner (NSS) is a zero-dependency Python tool that audits Cisco device configurations offline. Instead of reaching into live gear over SSH, SNMP, or an API, it ingests exported running-configs (.cfg/.txt/.conf) and evaluates them against CIS Benchmarks, Cisco and NSA hardening guides, and the published Cisco PSIRT advisory database. The output is an interactive dark-theme HTML dashboard with severity-ranked findings, matched evidence lines, and copy-paste remediation commands.
The scanner auto-detects six Cisco platforms from the config text alone — IOS, IOS-XE (Catalyst), NX-OS (Nexus), ASA, Firepower Threat Defense, and WLC (AireOS / Catalyst 9800) — then runs the appropriate subset of 11 audit modules. Because it never touches the network, it is safe to run against configs pulled from an air-gapped environment, a change-management ticket, or a backup vault, which makes it well-suited to consultants, audit teams, and network engineers who receive config dumps rather than device access.
Beyond misconfiguration hardening, a dedicated CVE-detection engine parses the device software train from embedded 'show version' output and matches it against 40 curated Cisco advisories (2018–2026), covering headline threats like the ArcaneDoor ASA/FTD trio, the BadCandy IOS-XE web UI chain, NX-OS Velvet Ant CLI injection, and WLC AP-image RCE. KEV-listed and actively-exploited CVEs are tagged in the finding title so operators triage the real emergencies first.
It is deliberately conservative and transparent: CVE matching flags any device on an affected major.minor train and links the canonical PSIRT advisory rather than guessing patch-level windows, and platform guards emit explicit INFO 'skipped' notices so an absent finding is never misread as a clean bill of health.
02Key Capabilities
Offline, agentless config auditing
Parses exported running-configs with no SSH, SNMP, or API access to devices, so it is safe for air-gapped, backup, or ticket-sourced configs.
Six-platform auto-detection
Classifies each config as IOS, IOS-XE, NX-OS, ASA, FTD, or WLC from its text and routes only the platform-appropriate checks.
11 audit modules, 108 hardening checks
Covers management plane, control plane, data plane, services, switch, wireless, NGFW core, NGFW platform, logging, and crypto posture.
Curated Cisco CVE detection
Matches the detected software train against 40 published PSIRT advisories (2018–2026) including ArcaneDoor, BadCandy, Velvet Ant, and WLC AP-image RCE.
KEV and active-exploitation prioritisation
Tags CVEs listed in CISA KEV or confirmed exploited-in-the-wild directly in the finding title so operators fix the urgent ones first.
Platform-aware false-positive suppression
SUPPORTED_PLATFORMS guards stop IOS-syntax checks from firing on ASA/NX-OS/FTD and emit an explicit INFO skip notice instead of silence.
Actionable remediation on every finding
Each check ships a Cisco CLI fix or upgrade path plus references to the exact CIS section, advisory URL, or CWE.
Evidence with secret redaction
Findings carry the matched config lines as evidence, with passwords and community strings sanitised before display.
Interactive HTML dashboard
Generates a self-contained dark-theme report grouped by severity, device, and category for easy triage and sharing.
Zero dependencies
Runs on Python 3.8+ standard library only — no pip install, no supply-chain surface, portable to locked-down hosts.
Selective scanning and severity filtering
Run specific modules and gate output by severity (e.g. HIGH and above) via simple CLI flags.
Ships realistic sample configs
Seven intentionally-vulnerable device configs exercise the full check matrix and produce 246 findings as an end-to-end smoke test.
03Architecture
A single-file CLI orchestrator loads device configs, a shared parser auto-detects each device type, and a registry of eleven BaseAuditor subclasses runs its platform-guarded checks; findings are tagged with device context, severity-filtered, and rendered into an HTML dashboard. A distinct CVE engine parses the software train and matches it against a curated advisory database rather than grepping for misconfigurations.
04Project Structure
nss_scanner.pyMain CLI entry point — argument parsing, MODULE_MAP registry, per-device run loop, severity filtering, summary output.modules/base.pyBaseAuditor class, finding schema, ParsedConfig parser, load_configs, and device-type auto-detection.modules/mgmt_plane.pyManagement plane checks — passwords, AAA, SSH, VTY, banners, HTTP, login protection (25 findings).modules/cve_detection.py40-entry Cisco PSIRT CVE database plus per-platform version detection and train matching.modules/ngfw_core.pyFirepower/ASA NGFW checks — access control, IPS, AMP, Security Intelligence, SSL decryption.modules/crypto.pyCryptographic posture — SSH keys, ciphers, TLS versions, IPsec, ISAKMP, DH groups.modules/report_generator.pyDark-theme HTML dashboard generator that renders aggregated findings.sample_configs/Seven intentionally-vulnerable device configs (router, switch, Catalyst, Nexus, ASA, WLC, FTD) plus a sample report.docs/banner.svgProject banner artwork used in the README.CLAUDE.mdArchitecture notes, auditor pattern, finding schema, and CVE-module documentation for contributors.CONTRIBUTING.mdContribution guidelines for adding modules, checks, and CVE entries.README.mdOverview, supported devices, module table, quick start, and CVE coverage documentation.05Security Controls
06Technology Stack
- Language
- Python 3.8+
- Dependencies
- Zero — standard library only (argparse, re, json, pathlib, html, datetime, typing)
- Architecture
- Single-file CLI orchestrator + pluggable BaseAuditor modules
- Output
- Self-contained dark-theme HTML dashboard (JetBrains Mono / DM Sans)
- Input formats
- Cisco running-config exports (.cfg / .txt / .conf)
- Testing / CI
- No automated test suite or CI pipeline; validated via 7 bundled sample configs
- License
- MIT
07Quick Start
$ git clone https://github.com/Krishcalin/Cisco-Network-Security.git && cd Cisco-Network-Security $ python nss_scanner.py --data-dir ./sample_configs --output report.html $ python nss_scanner.py --data-dir /path/to/configs --output audit_report.html $ python nss_scanner.py --data-dir ./configs --modules mgmt ctrl crypto cve $ python nss_scanner.py --data-dir ./configs --severity HIGH $ Append 'show version' output to each exported config so the CVE module can match the software train.
08Compliance & Frameworks
09Integrations & Outputs
Explore Cisco Network Security Scanner
Full source, documentation, and deployment guides live on GitHub.