RE: making a router invisible

From: Scott Morris (swm@emanon.com)
Date: Sun Jun 19 2005 - 11:38:23 GMT-3


If you want a router to REALLY be in your network... And yet not show up as
people try to probe it, that's not really making it "invisible". Your
routing protocols will know about it.

I think what you are asking is how to make the router secure. And there are
a NUMBER of things that you need to think about.

Stuff like the "no ip unreachable" and "no icmp redirect" is a small piece
that deals with ICMP stuff... There are many more pieces to security like
ACLs and access-classes on your VTY and HTTP ports for the router (and
SNMP). Things like securing your routing protocols.

You'll need to look at everything you do on that router and ask yourself how
do I make it more secure. There are no set answers for this.

Check out the CYMRU document collection. They have docs on how to secure
IOS among a good number of other things. This will point you in the right
direction!
http://www.cymru.com/Documents/

HTH,

Scott

PS. In the routing world a true "invisible" router really isn't much of a
router! :)
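As an added example, not code posted by anyone in this thread: a Cisco IOS configuration fragment that puts together the pieces discussed above (the interface ACL, "no ip unreachables" and "no cdp enable" from John's post, plus the VTY access-class, HTTP, SNMP and routing-protocol points Scott lists). The management host 1.2.3.4 and interface Ethernet0/0 are taken from the thread; the OSPF process, area and key string are assumed placeholders.

```cisco
! Added example (not from the thread). 1.2.3.4 and Ethernet0/0 come from
! John's post; OSPF process 1, area 0 and the key are assumed placeholders.
!
! --- Inbound filter: only Telnet from the management host, plus the
! routing protocol, so the adjacency survives the "deny ip any any".
! Order matters: permits must precede the final deny.
! "log" records denied hits so probing shows up in syslog.
access-list 101 permit tcp host 1.2.3.4 any eq telnet
access-list 101 permit ospf any any
access-list 101 deny ip any any log
!
! --- Interface: data plane and ICMP behaviour ---
interface Ethernet0/0
 ip access-group 101 in
 ! Interface-level command: packets the ACL denies are dropped without an
 ! ICMP unreachable, so probes time out instead of getting an answer.
 no ip unreachables
 ! The "no icmp redirect" Scott refers to is this command in IOS.
 no ip redirects
 no ip proxy-arp
 no cdp enable
 ! Scott's point: neighbours will still learn about this router, so
 ! authenticate the routing exchange instead of trying to hide it.
 ip ospf message-digest-key 1 md5 REPLACE_WITH_KEY
!
router ospf 1
 area 0 authentication message-digest
!
! --- Management plane: VTY access-class, HTTP and SNMP ---
access-list 10 permit host 1.2.3.4
line vty 0 4
 access-class 10 in
 transport input telnet
 exec-timeout 5 0
!
no ip http server
no snmp-server
no cdp run
```

The interface ACL and the VTY access-class overlap on purpose: the access-class still applies if the router has a second interface or the interface ACL is later loosened.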

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
cacca mucca
Sent: Sunday, June 19, 2005 7:58 AM
To: jmatus@pacbell.net; alexander.arsenyev@ericsson.com;
john_matus@hotmail.com; ccielab@groupstudy.com
Subject: Re: making a router invisible

If IP is turned off in an IP network, what use is the invisible router?
I think I know what you want to do, but you have not given us enough
information to give you a definite answer. We can't assume anything,
especially this group.

Question is, what is your requirement?

>From: "John Matus" <jmatus@pacbell.net>
>Reply-To: "John Matus" <jmatus@pacbell.net>
>To: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>,
>"John Matus" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>Subject: Re: making a router invisible
>Date: Sun, 19 Jun 2005 00:17:49 -0700
>
>that is a pretty interesting solution.
>is there an "ip" solution that would work also? i was interested in
>getting some feedback about my initial idea..:
>
>turning off icmp
>turning off ip
>turning off cdp
>
>no ip unreachables
>>int e0/0
>>ip access-group 101 in
>>no cdp enable
>>
>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>access-list 101 deny ip any any
>
>what would a port scanner see with this type of scenario?
>
>
>
>Regards,
>
>John D. Matus
>MCSE, CCNP
>Office: 818-782-2061
>Cell: 818-430-8372
>jmatus@pacbell.net
>----- Original Message -----
>From: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>
>To: "John Matus" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
>Sent: Saturday, June 18, 2005 1:10 PM
>Subject: RE: making a router invisible
>
>
>>I have even better idea:
>>
>>1) turn OFF ip routing
>>2) enable X.25 with static routing.
>>3) You may need to also enable CMNS and PAD over CMNS if the only
>>interface is Ethernet.
>>4) assign X.121 address to the router itself
>>5) use PAD to access the router. PAD is functionally similar to telnet.
>>
>>Complete and utter invisibility to IP! :-)
>>
>>HTH,
>>Cheers
>>Alex
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>John Matus
>>Sent: 18 June 2005 20:42
>>To: ccielab@groupstudy.com
>>Subject: making a router invisible
>>
>>
>>could you make a router virtually invisible on a network?
>>
>>i've had a few ideas on how to do this, in the case that there is port
>>scanning going on and other foot-printing methods, but i need more input.
>>here is my idea:
>>
>>the router would be connected to the network via an ethernet interface
>>only.
>> the only access i want to have to this router is via telnet.
>>
>>turn off icmp <i think you can do this, but i don't have a router in
>>front of me...."no icmp enable", "no service icmp"...??
>>
>>no ip unreachables
>>int e0/0
>>ip access-group 101 in
>>no cdp enable
>>
>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>access-list 101 deny ip any any
>>
>>my thought is that if icmp is off (if you can't turn it off, at least
>>the access-list will deny it...i think) then the router won't reply to
>>ping sweeps or any other icmp feature. with the acl, only telnet
>>traffic would be permitted in, and anything else that tried to get
>>through or query the router or a specific port would be silently
>>discarded because of the "no ip unreachable". <i forget if that is a
>>global command or an interface command...>
>>
>>is my thinking correct or am i way off? any suggestion on how to do this
>>effectively?
>>
>>TIA
>>
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3