RE: making a router invisible

From: Alexander Arsenyev (GU/ETL) (alexander.arsenyev@ericsson.com)
Date: Sat Jun 18 2005 - 17:10:56 GMT-3


I have an even better idea:

1) turn OFF ip routing
2) enable X.25 with static routing.
3) You may need to also enable CMNS and PAD over CMNS if the only interface is Ethernet.
4) assign X.121 address to the router itself
5) use PAD to access the router. PAD is functionally similar to telnet.

Complete and utter invisibility to IP! :-)

HTH,
Cheers
Alex

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
John Matus
Sent: 18 June 2005 20:42
To: ccielab@groupstudy.com
Subject: making a router invisible

could you make a router virtually invisible on a network?

i've had a few ideas on how to do this, in the case that there is port
scanning going on and other foot-printing methods, but i need more input.
here is my idea:

the router would be connected to the network via an ethernet interface only.
the only access i want to have to this router is via telnet.

turn off icmp <i think you can do this, but i don't have a router in front of
me...."no icmp enable", "no service icmp"...??

no ip unreachables
int e0/0
ip access-g 101 in
no cdp enable

access-list 101 permit tcp host 1.2.3.4 any eq telnet
access-list 101 deny ip any any

my thought is that if icmp is off (if you can't turn it off, at least the
access-list will deny it...i think)
then the router won't reply to ping sweeps or any other icmp feature. with
the acl, only telnet traffic would be permitted in, and anything else that
tried to get through or query the router or a specific port would be silently
discarded because of the "no ip unreachable". <i forget if that is a global
command or an interface command...>

is my thinking correct or am i way off? any suggestion on how to do this
effectively?

TIA
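
The filter from the original post, modelled as an added example (not part of either message): a small Python evaluator that parses the two `access-list 101` lines as posted and applies first-match logic to probe packets. The router address 192.0.2.1, the second source 198.51.100.7 and the `unreachables_enabled` switch (standing in for whether `no ip unreachables` is in effect on the interface) are assumptions of the model.

```python
# Added example: first-match evaluation of ACL 101 as posted in the thread.
# Model assumptions: only "any" / "host A.B.C.D" addresses and "eq <port>".
PORTS = {"telnet": 23}
ACL_101 = """\
access-list 101 permit tcp host 1.2.3.4 any eq telnet
access-list 101 deny ip any any
"""

def take_addr(tok):
    """Pop 'any' or 'host A.B.C.D' off the token list; None means any."""
    kind = tok.pop(0)
    if kind == "any":
        return None
    if kind == "host":
        return tok.pop(0)
    raise ValueError(f"unsupported address form: {kind}")

def parse_acl(text):
    rules = []
    for line in filter(None, map(str.strip, text.splitlines())):
        tok = line.split()
        action, proto, rest = tok[2], tok[3], tok[4:]
        src, dst = take_addr(rest), take_addr(rest)
        port = None
        if rest[:1] == ["eq"]:
            port = PORTS.get(rest[1]) or int(rest[1])
        rules.append((action, proto, src, dst, port))
    return rules

def evaluate(rules, pkt):
    """Return the action of the first matching entry."""
    for action, proto, src, dst, port in rules:
        if proto not in ("ip", pkt["proto"]):
            continue  # "ip" matches every IP protocol, ICMP included
        if src not in (None, pkt["src"]) or dst not in (None, pkt["dst"]):
            continue
        if port is not None and port != pkt.get("dport"):
            continue
        return action
    return "deny"  # implicit deny when nothing matches

def reaction(rules, pkt, unreachables_enabled):
    """What a prober observes; unreachables_enabled is a model switch."""
    if evaluate(rules, pkt) == "permit":
        return "accepted"
    return "icmp-unreachable" if unreachables_enabled else "silent-drop"

RULES = parse_acl(ACL_101)
PING = {"proto": "icmp", "src": "198.51.100.7", "dst": "192.0.2.1"}  # constructed probe
```

The permitted host still gets a normal TCP answer on port 23, so the filter makes the router quiet only toward every other source.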


