From: John Matus (jmatus@pacbell.net)
Date: Sun Jun 19 2005 - 15:53:57 GMT-3
I guess I should have been more specific and said the router is not going to
be used as a router, but as a terminal server to hop into other
routers via async ports; it is a 2511. The other routers are only
connected to each other and not to the production network. The 2511 is the
only router connected to the production network and I need to be able to
telnet to it.
The requirement for this "scenario" is that it cannot show up in port scans.
Regards,
John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'cacca mucca'" <caccamucca@hotmail.com>; <jmatus@pacbell.net>;
<alexander.arsenyev@ericsson.com>; <john_matus@hotmail.com>;
<ccielab@groupstudy.com>
Sent: Sunday, June 19, 2005 7:38 AM
Subject: RE: making a router invisible
> If you want a router to REALLY be in your network... and yet not show up as
> people try to probe it, that's not really making it "invisible". Your
> routing protocols will know about it.
>
> I think what you are asking is how to make the router secure. And there are
> a NUMBER of things that you need to think about.
>
> Stuff like the "no ip unreachable" and "no icmp redirect" is a small piece
> that deals with ICMP stuff... There are many more pieces to security like
> ACLs and access-classes on your VTY and HTTP ports for the router (and
> SNMP). Things like securing your routing protocols.
>
> You'll need to look at everything you do on that router and ask yourself how
> do I make it more secure. There are no set answers for this.
>
> Check out the CYMRU document collection. They have docs on how to secure
> IOS among a good number of other things. This will point you in the right
> direction!
> http://www.cymru.com/Documents/
>
> HTH,
>
> Scott
>
> PS. In the routing world a true "invisible" router really isn't much of a
> router! :)
>
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
> cacca mucca
> Sent: Sunday, June 19, 2005 7:58 AM
> To: jmatus@pacbell.net; alexander.arsenyev@ericsson.com;
> john_matus@hotmail.com; ccielab@groupstudy.com
> Subject: Re: making a router invisible
>
> If IP is turned off in an IP network, what use is the invisible router?
> I think I know what you want to do, but you have not given us enough
> information to give you a definite answer. We can't assume anything,
> especially this group.
>
> Question is, what is your requirement?
>
>>From: "John Matus" <jmatus@pacbell.net>
>>Reply-To: "John Matus" <jmatus@pacbell.net>
>>To: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>,
>>"John Matus" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>>Subject: Re: making a router invisible
>>Date: Sun, 19 Jun 2005 00:17:49 -0700
>>
>>That is a pretty interesting solution.
>>Is there an "ip" solution that would work also? I was interested in
>>getting some feedback about my initial idea:
>>
>>turning off icmp
>>turning off ip
>>turning off cdp
>>
>>no ip unreachables
>>>int e0/0
>>>ip access-g 101 in
>>>no cdp enable
>>>
>>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>>access-list 101 deny ip any any
>>
>>What would a port scanner see with this type of scenario?
>>
>>
>>
>>Regards,
>>
>>John D. Matus
>>MCSE, CCNP
>>Office: 818-782-2061
>>Cell: 818-430-8372
>>jmatus@pacbell.net
>>----- Original Message ----- From: "Alexander Arsenyev (GU/ETL)"
>><alexander.arsenyev@ericsson.com>
>>To: "John Matus" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
>>Sent: Saturday, June 18, 2005 1:10 PM
>>Subject: RE: making a router invisible
>>
>>
>>>I have even better idea:
>>>
>>>1) turn OFF ip routing
>>>2) enable X.25 with static routing.
>>>3) You may need to also enable CMNS and PAD over CMNS if the only
>>>interface is Ethernet.
>>>4) assign X.121 address to the router itself
>>>5) use PAD to access the router. PAD is functionally similar to telnet.
>>>
>>>Complete and utter invisibility to IP! :-)
>>>
>>>HTH,
>>>Cheers
>>>Alex
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>>John Matus
>>>Sent: 18 June 2005 20:42
>>>To: ccielab@groupstudy.com
>>>Subject: making a router invisible
>>>
>>>
>>>Could you make a router virtually invisible on a network?
>>>
>>>I've had a few ideas on how to do this, in the case that there is port
>>>scanning going on and other foot-printing methods, but I need more input.
>>>Here is my idea:
>>>
>>>The router would be connected to the network via an Ethernet interface
>>>only. The only access I want to have to this router is via telnet.
>>>
>>>turn off icmp <I think you can do this, but I don't have a router in
>>>front of me...."no icmp enable", "no service icmp"...??>
>>>
>>>no ip unreachables
>>>int e0/0
>>>ip access-g 101 in
>>>no cdp enable
>>>
>>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>>access-list 101 deny ip any any
>>>
>>>My thought is that if icmp is off (if you can't turn it off, at least
>>>the access-list will deny it...I think) then the router won't reply to
>>>ping sweeps or any other icmp feature. With the acl, only telnet
>>>traffic would be permitted in, and anything else that tried to get
>>>through or query the router or a specific port would be silently
>>>discarded because of the "no ip unreachable". <I forget if that is a
>>>global command or an interface command...>
>>>
>>>Is my thinking correct or am I way off? Any suggestion on how to do
>>>this effectively?
>>>
>>>TIA
>>>
>>>
>>>______________________________________________________________________
>>>_ Subscription information may be found at:
>>>http://www.groupstudy.com/list/CCIELab.html
>>>
>>
>
>
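The question asked twice in this thread, what a port scanner would actually get back from the 2511 behind that access-list, can be worked through with a small model. The Python below is an added example, not part of the original thread and not IOS code: it parses the two access-list lines posted above (a subset of IOS numbered-ACL syntax: permit/deny, ip/tcp/udp/icmp, any / host / address-wildcard, and an "eq" destination port) and reports, for each probe, the nmap-style state and what goes back on the wire, with and without "no ip unreachables" (which is an interface-level command). The router address 10.0.0.1, the scanning host 10.0.0.99 and the set of listening ports (only the telnet VTYs) are assumptions of the example. The IOS behaviour it models: a packet dropped by an ACL is answered with an ICMP administratively-prohibited message unless "no ip unreachables" is configured, and that reply by itself tells a scanner a device is there; a permitted SYN to a closed TCP port is still answered with a TCP RST, because that is TCP rather than ICMP; a permitted UDP probe to a closed port draws an ICMP port-unreachable only when unreachables are on.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Set, Tuple

PORT_NAMES = {"telnet": 23, "ssh": 22, "www": 80, "snmp": 161, "domain": 53}  # IOS "eq" keywords (subset)
ANY = "0.0.0.0/255.255.255.255"  # address/wildcard form used for "any"

@dataclass(frozen=True)
class AclEntry:
    action: str           # "permit" or "deny"
    proto: str            # "ip", "tcp", "udp" or "icmp"
    src: str              # "A.B.C.D/WILDCARD"
    dst: str
    dport: Optional[int]  # destination port from an "eq" clause, if any

def _addr_spec(t: List[str], i: int) -> Tuple[str, int]:
    """Parse one address spec: any | host A.B.C.D | A.B.C.D WILDCARD."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return t[i + 1] + "/0.0.0.0", i + 2
    return t[i] + "/" + t[i + 1], i + 2

def _port(t: List[str], i: int) -> Tuple[Optional[int], int]:
    """Parse an optional 'eq PORT' clause (number or IOS keyword)."""
    if i < len(t) and t[i] == "eq":
        return (int(t[i + 1]) if t[i + 1].isdigit() else PORT_NAMES[t[i + 1]]), i + 2
    return None, i

def parse_acl(text: str) -> Dict[int, List[AclEntry]]:
    """Parse 'access-list N permit|deny PROTO SRC [eq P] DST [eq P]' lines."""
    acls: Dict[int, List[AclEntry]] = {}
    for line in text.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        src, i = _addr_spec(t, 4)
        _sport, i = _port(t, i)  # source ports are ignored by this model
        dst, i = _addr_spec(t, i)
        dport, _ = _port(t, i)
        acls.setdefault(int(t[1]), []).append(AclEntry(t[2], t[3], src, dst, dport))
    return acls

def _addr_match(spec: str, addr: str) -> bool:
    base, wildcard = spec.split("/")
    mask = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF  # wildcard 1-bits are "don't care"
    return (int(IPv4Address(base)) & mask) == (int(IPv4Address(addr)) & mask)

@dataclass(frozen=True)
class Probe:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None

def acl_action(entries: List[AclEntry], probe: Probe) -> str:
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for e in entries:
        if (e.proto in ("ip", probe.proto) and _addr_match(e.src, probe.src)
                and _addr_match(e.dst, probe.dst) and e.dport in (None, probe.dport)):
            return e.action
    return "deny"

def scanner_sees(entries: List[AclEntry], probe: Probe,
                 listening: Set[Tuple[str, int]], ip_unreachables: bool) -> Tuple[str, str]:
    """Return (nmap-style state, what the router sends back) for a probe aimed at the router."""
    if acl_action(entries, probe) == "deny":
        # An ACL drop is answered with ICMP type 3 code 13 unless "no ip unreachables" is
        # set on the interface; that reply alone tells the scanner something is there.
        return ("filtered", "icmp admin-prohibited") if ip_unreachables else ("filtered", "no response")
    if probe.proto == "icmp":
        return "host up", "icmp echo-reply"
    if probe.proto == "tcp":  # a closed TCP port answers with a RST, which is TCP, not ICMP
        return ("open", "syn/ack") if ("tcp", probe.dport) in listening else ("closed", "rst")
    if ("udp", probe.dport) in listening:
        return "open", "application reply"
    return ("closed", "icmp port-unreachable") if ip_unreachables else ("open|filtered", "no response")

# The ACL from the thread; the router address and the listening set are assumptions.
THREAD_ACL = """\
access-list 101 permit tcp host 1.2.3.4 any eq telnet
access-list 101 deny ip any any
"""
ROUTER = "10.0.0.1"        # assumed address of the 2511's Ethernet interface
LISTENING = {("tcp", 23)}  # assumed: only the telnet VTYs are listening

def scan_report(ip_unreachables: bool = False) -> Dict[str, Tuple[str, str]]:
    """Probes from an arbitrary host (10.0.0.99) and from the one permitted host (1.2.3.4)."""
    entries = parse_acl(THREAD_ACL)[101]
    probes = {
        "ping from 10.0.0.99": Probe("icmp", "10.0.0.99", ROUTER),
        "telnet from 10.0.0.99": Probe("tcp", "10.0.0.99", ROUTER, 23),
        "snmp from 10.0.0.99": Probe("udp", "10.0.0.99", ROUTER, 161),
        "telnet from 1.2.3.4": Probe("tcp", "1.2.3.4", ROUTER, 23),
        "http from 1.2.3.4": Probe("tcp", "1.2.3.4", ROUTER, 80),
    }
    return {name: scanner_sees(entries, p, LISTENING, ip_unreachables) for name, p in probes.items()}

if __name__ == "__main__":
    for setting in (True, False):
        print("ip unreachables" if setting else "no ip unreachables", scan_report(setting))
```

Two things the model makes visible. With "no ip unreachables" every denied probe from 10.0.0.99 is "filtered, no response", while with unreachables left on the same probes come back "filtered" but with an admin-prohibited message, which a scanner reads as a live filtering device. And the permit line matches telnet from 1.2.3.4 to any destination, not only to the 2511 itself, so it does not by itself restrict who may reach the router's VTY lines; that is what an access-class on the VTYs is for. The model covers IP probes at the router only: ARP on the same Ethernet segment, CDP and routing-protocol traffic are outside it.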
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3