RE: making a router invisible

From: Church, Chuck (cchurch@netcogov.com)
Date: Sun Jun 19 2005 - 13:19:41 GMT-3


It can get rather tricky. ACLs can be used to block all packets with
destinations of interface addresses on the router. But certain things
the router will respond to are tough to block. For instance, I don't
think you can tell the router to not respond with a TTL Expired message
if it's forwarding a packet with TTL approaching 0. Also, packets with
IP options are process switched and sometimes acted upon.

Chuck Church
Lead Design Engineer
CCIE #8776, MCNE, MCSE
Netco Government Services - Design & Implementation Team
1210 N. Parker Rd.
Greenville, SC 29609
Home office: 864-335-9473
Cell: 703-819-3495
cchurch@netcogov.com
PGP key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4371A48D
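An added Python model (not code from the thread) of the ACL 101 design John proposes below and of the caveat in Chuck's reply above: an inbound ACL with "no ip unreachables" makes denied probes drop silently, but a permitted transit packet whose TTL runs out still draws an ICMP Time Exceeded, which is not an unreachable and so is not suppressed. The router address 10.0.0.1 and ACL 102 (blocking only packets addressed to the router, as Chuck describes) are constructed for the example; the ACL-before-TTL ordering is a simplification of IOS behaviour.

```python
from collections import namedtuple

# ACL 101 as quoted in the thread, and a constructed ACL 102 matching Chuck's
# description (drop packets to the router's own address, forward the rest).
ACL_101 = """access-list 101 permit tcp host 1.2.3.4 any eq telnet
access-list 101 deny ip any any"""
ACL_102 = """access-list 102 deny ip any host 10.0.0.1
access-list 102 permit ip any any"""
ROUTER_ADDRS = {"10.0.0.1"}          # assumed e0/0 address (not from the thread)
PORT_NAMES = {"telnet": 23}

Packet = namedtuple("Packet", "src dst proto dport ttl", defaults=(0, 64))

def _addr_spec(toks, i):
    """'any' -> wildcard None; 'host A.B.C.D' -> that address."""
    if toks[i] == "any":
        return None, i + 1
    if toks[i] == "host":
        return toks[i + 1], i + 2
    raise ValueError(f"unsupported address spec: {toks[i]!r}")

def parse_acl(text):
    """Parse numbered extended-ACL lines (host/any and 'eq' only) into rules."""
    rules = []
    for line in text.strip().splitlines():
        toks = line.split()            # access-list N action proto src dst [eq port]
        src, i = _addr_spec(toks, 4)
        dst, i = _addr_spec(toks, i)
        dport = None
        if i < len(toks) and toks[i] == "eq":
            dport = PORT_NAMES.get(toks[i + 1]) or int(toks[i + 1])
        rules.append((toks[2], toks[3], src, dst, dport))
    return rules

def acl_permits(rules, p):
    """First matching entry wins; no match is the implicit deny."""
    for action, proto, src, dst, dport in rules:
        if proto in ("ip", p.proto) and src in (None, p.src) \
                and dst in (None, p.dst) and dport in (None, p.dport):
            return action == "permit"
    return False

def router_response(rules, p, ip_unreachables=False):
    """Simplified IOS order: inbound ACL, then local delivery, then TTL
    check while forwarding. Returns what the sender gets back."""
    if not acl_permits(rules, p):
        return "icmp-unreachable" if ip_unreachables else "silent-drop"
    if p.dst in ROUTER_ADDRS:
        return "local-reply"
    if p.ttl <= 1:   # Time Exceeded is not an unreachable, so it is still sent
        return "icmp-time-exceeded"
    return "forwarded"
```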

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
John Matus
Sent: Sunday, June 19, 2005 3:18 AM
To: Alexander Arsenyev (GU/ETL); John Matus; ccielab@groupstudy.com
Subject: Re: making a router invisible

that is a pretty interesting solution.
is there an "ip" solution that would work also? i was interested in getting
some feedback about my initial idea..:

>>turning off icmp
turning off ip
turning off cdp

 no ip unreachables
> int e0/0
> ip access-g 101 in
> no cdp enable
>
> access-list 101 permit tcp host 1.2.3.4 any eq telnet
> access-list 101 deny ip any any

what would a port scanner see with this type of scenario?

Regards,

John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>
To: "John Matus" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
Sent: Saturday, June 18, 2005 1:10 PM
Subject: RE: making a router invisible

>I have an even better idea:
>
> 1) turn OFF ip routing
> 2) enable X.25 with static routing.
> 3) You may need to also enable CMNS and PAD over CMNS if the only
> interface is Ethernet.
> 4) assign X.121 address to the router itself
> 5) use PAD to access the router. PAD is functionally similar to telnet.
>
> Complete and utter invisibility to IP! :-)
>
> HTH,
> Cheers
> Alex
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
> John Matus
> Sent: 18 June 2005 20:42
> To: ccielab@groupstudy.com
> Subject: making a router invisible
>
>
> could you make a router virtually invisible on a network?
>
> i've had a few ideas on how to do this, in the case that there is port
> scanning going on and other foot-printing methods, but i need more input.
> here is my idea:
>
> the router would be connected to the network via an ethernet interface only.
> the only access i want to have to this router is via telnet.
>
> turn off icmp <i think you can do this, but i don't have a router in front
> of me...."no icmp enable", "no service icmp"...??
>
> no ip unreachables
> int e0/0
> ip access-g 101 in
> no cdp enable
>
> access-list 101 permit tcp host 1.2.3.4 any eq telnet
> access-list 101 deny ip any any
>
> my thought is that if icmp is off (if you can't turn it off, at least the
> access-list will deny it...i think)
> then the router won't reply to ping sweeps or any other icmp feature. with
> the acl, only telnet traffic would be permitted in, and anything else that
> tried to get through or query the router or a specific port would be silently
> discarded because of the "no ip unreachable". <i forget if that is a global
> command or an interface command...>
>
> is my thinking correct or am i way off? any suggestion on how to do this
> effectively?
>
> TIA
>



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3