RE: making a router invisible

From: Scott Morris (swm@emanon.com)
Date: Sun Jun 19 2005 - 21:39:20 GMT-3


Then check out some of those documents and look at securing the router.

-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John
Matus
Sent: Sunday, June 19, 2005 2:48 PM
To: cacca mucca; alexander.arsenyev@ericsson.com; john_matus@hotmail.com;
ccielab@groupstudy.com
Subject: Re: making a router invisible

the requirement is that i want to be able to telnet to the router, but i
want the router to be invisible on the network, i.e.- not show up in port
scans, ping sweeps, foot-printing...that sort of thing.

Regards,

John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "cacca mucca" <caccamucca@hotmail.com>
To: <jmatus@pacbell.net>; <alexander.arsenyev@ericsson.com>;
<john_matus@hotmail.com>; <ccielab@groupstudy.com>
Sent: Sunday, June 19, 2005 4:58 AM
Subject: Re: making a router invisible

If IP is turned off in an IP network, what use is the invisible router?
I think I know what you want to do, but you have not given us enough
information to give you a definite answer. We can't assume anything,
especially this group.

Question is, what is your requirement?

>From: "John Matus" <jmatus@pacbell.net>
>Reply-To: "John Matus" <jmatus@pacbell.net>
>To: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>,
>"John Matus" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>Subject: Re: making a router invisible
>Date: Sun, 19 Jun 2005 00:17:49 -0700
>
>that is a pretty interesting solution.
>is there an "ip" solution that would work also? i was interested in
>getting some feedback about my initial idea..:
>
>>>turning off icmp
>turning off ip
>turning off cdp
>
>no ip unreachables
>>int e0/0
>>ip access-g 101 in
>>no cdp enable
>>
>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>access-list 101 deny ip any any
>
>what would a port scanner see with this type of scenario?
>
>
>
>Regards,
>
>John D. Matus
>MCSE, CCNP
>Office: 818-782-2061
>Cell: 818-430-8372
>jmatus@pacbell.net
>----- Original Message ----- From: "Alexander Arsenyev (GU/ETL)"
><alexander.arsenyev@ericsson.com>
>To: "John Matus" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
>Sent: Saturday, June 18, 2005 1:10 PM
>Subject: RE: making a router invisible
>
>
>>I have even better idea:
>>
>>1) turn OFF ip routing
>>2) enable X.25 with static routing.
>>3) You may need to also enable CMNS and PAD over CMNS if the only
>>interface is Ethernet.
>>4) assign X.121 address to the router itself
>>5) use PAD to access the router. PAD is functionally similar to telnet.
>>
>>Complete and utter invisibility to IP! :-)
>>
>>HTH,
>>Cheers
>>Alex
>>
>>-----Original Message-----
>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
>>John Matus
>>Sent: 18 June 2005 20:42
>>To: ccielab@groupstudy.com
>>Subject: making a router invisible
>>
>>
>>could you make a router virtually invisible on a network?
>>
>>i've had a few ideas on how to do this, in the case that there is port
>>scanning going on and other foot-printing methods, but i need more input.
>>here is my idea:
>>
>>the router would be connected to the network via an ethernet interface
>>only.
>> the only access i want to have to this router is via telnet.
>>
>>turn off icmp <i think you can do this, but i don't have a router in
>>front of me...."no icmp enable", "no service icmp"...??
>>
>>no ip unreachables
>>int e0/0
>>ip access-g 101 in
>>no cdp enable
>>
>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>access-list 101 deny ip any any
>>
>>my thought is that if icmp is off (if you can't turn it off, at least
>>the access-list will deny it...i think) then the router won't reply to
>>ping sweeps or any other icmp feature. with the acl, only telnet
>>traffic would be permitted in, and anything else that tried to get
>>through or query the router or a specific port would be silently
>>discarded because of the "no ip unreachable". <i forget if that is a
>>global command or an interface command...>
>>
>>is my thinking correct or am i way off? any suggestions on how to do this
>>effectively?
>>
>>TIA
>>
>>_______________________________________________________________________
>>Subscription information may be found at:
>>http://www.groupstudy.com/list/CCIELab.html


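The question raised in the thread, what a scanner would see behind ACL 101, can be worked through with a small first-match model of that ACL. This is an added example, not part of any poster's message; the function names, the probing address 10.9.9.9 and the assumption that telnet is listening on the router are constructed for illustration.

```python
import ipaddress

# ACL 101 as posted in the thread: (action, protocol, source, destination port).
ACL_101 = [
    ("permit", "tcp", "1.2.3.4/32", 23),
    ("deny", "ip", "0.0.0.0/0", None),
]

def acl_action(acl, proto, src, dport=None):
    """First-match evaluation, the way IOS walks an extended ACL."""
    for action, a_proto, a_src, a_port in acl:
        if a_proto not in ("ip", proto):
            continue
        if ipaddress.ip_address(src) not in ipaddress.ip_network(a_src):
            continue
        if a_port is not None and a_port != dport:
            continue
        return action
    return "deny"  # implicit deny that ends every ACL

def scanner_view(proto, src, dport=None, ip_unreachables=False, listening=(23,)):
    """What the probing host observes for one packet sent to the router.

    listening is an assumption: the TCP ports the router itself has open.
    """
    if acl_action(ACL_101, proto, src, dport) == "deny":
        # A packet dropped by the ACL is answered with ICMP type 3 code 13
        # unless the interface has "no ip unreachables"; then it is silent.
        return "icmp-admin-prohibited" if ip_unreachables else "no-response"
    if proto == "tcp":
        return "syn-ack (open)" if dport in listening else "rst (closed)"
    return "reply"

if __name__ == "__main__":
    # Constructed probes: the permitted host 1.2.3.4 and an arbitrary scanner.
    probes = [
        ("tcp", "1.2.3.4", 23),    # management host, telnet
        ("tcp", "1.2.3.4", 80),    # management host, any other port
        ("icmp", "1.2.3.4", None), # management host, ping
        ("tcp", "10.9.9.9", 23),   # scanner, telnet
        ("icmp", "10.9.9.9", None) # scanner, ping sweep
    ]
    for proto, src, dport in probes:
        print(src, proto, dport,
              "| no ip unreachables:", scanner_view(proto, src, dport),
              "| default:", scanner_view(proto, src, dport, ip_unreachables=True))
```

The model covers only the IP-layer behaviour of the posted commands; from the permitted host the telnet port still shows as open, and the permitted host itself cannot ping the router.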

This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:41 GMT-3