Re: making a router invisible

From: John Matus (jmatus@pacbell.net)
Date: Mon Jun 20 2005 - 02:37:45 GMT-3


In this particular lab scenario <hehe> the other routers should be
considered backbone routers insofar as they are not allowed to be tampered
with. The only router that can be modified is the 2511.

Regards,

John D. Matus
MCSE, CCNP
Office: 818-782-2061
Cell: 818-430-8372
jmatus@pacbell.net
----- Original Message -----
From: "Scott Morris" <swm@emanon.com>
To: "'John Matus'" <jmatus@pacbell.net>; "'cacca mucca'"
<caccamucca@hotmail.com>; <alexander.arsenyev@ericsson.com>;
<john_matus@hotmail.com>; <ccielab@groupstudy.com>
Sent: Sunday, June 19, 2005 5:47 PM
Subject: RE: making a router invisible

> So if it's hanging on a particular network segment someplace, wouldn't it
> make the most sense to place an ACL on some other appropriate router?
> Keep it simple!
>
> -----Original Message-----
> From: John Matus [mailto:jmatus@pacbell.net]
> Sent: Sunday, June 19, 2005 2:54 PM
> To: swm@emanon.com; 'cacca mucca'; alexander.arsenyev@ericsson.com;
> john_matus@hotmail.com; ccielab@groupstudy.com
> Subject: Re: making a router invisible
>
> I guess I should have been more specific and said the router is not going
> to be used as a router, but as a terminal server to hop into other
> routers via async ports; it is a 2511. The other routers are only
> connected to themselves and not the production network. The 2511 is the
> only router connected to the production network and I need to be able to
> telnet to it.....
> The requirement for this "scenario" is that it cannot show up in port
> scans.
>
>
> Regards,
>
> John D. Matus
> MCSE, CCNP
> Office: 818-782-2061
> Cell: 818-430-8372
> jmatus@pacbell.net
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'cacca mucca'" <caccamucca@hotmail.com>; <jmatus@pacbell.net>;
> <alexander.arsenyev@ericsson.com>; <john_matus@hotmail.com>;
> <ccielab@groupstudy.com>
> Sent: Sunday, June 19, 2005 7:38 AM
> Subject: RE: making a router invisible
>
>
>> If you want a router to REALLY be in your network... And yet not show
>> up as people try to probe it, that's not really making it "invisible".
>> Your routing protocols will know about it.
>>
>> I think what you are asking is how to make the router secure. And
>> there are a NUMBER of things that you need to think about.
>>
>> Stuff like the "no ip unreachable" and "no icmp redirect" is a small
>> piece that deals with ICMP stuff... There are many more pieces to
>> security like ACL's and access-classes on your VTY and HTTP ports for
>> the router (and SNMP). Things like securing your routing protocols.
>>
>> You'll need to look at everything you do on that router and ask
>> yourself how do I make it more secure. There are no set answers for
>> this.
>>
>> Check out the CYMRU document collection. They have docs on how to
>> secure IOS among a good number of other things. This will point you
>> in the right direction!
>> http://www.cymru.com/Documents/
>>
>> HTH,
>>
>> Scott
>>
>> PS. In the routing world a true "invisible" router really isn't much
>> of a router! :)
>>
>> -----Original Message-----
>> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf
>> Of cacca mucca
>> Sent: Sunday, June 19, 2005 7:58 AM
>> To: jmatus@pacbell.net; alexander.arsenyev@ericsson.com;
>> john_matus@hotmail.com; ccielab@groupstudy.com
>> Subject: Re: making a router invisible
>>
>> If IP is turned off in an IP network, what use is the invisible router?
>> I think I know what you want to do, but you have not given us enough
>> information to give you a definite answer. We can't assume anything,
>> especially this group.
>>
>> Question is, what is your requirement?
>>
>>>From: "John Matus" <jmatus@pacbell.net>
>>>Reply-To: "John Matus" <jmatus@pacbell.net>
>>>To: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>,
>>>"John Matus" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>>>Subject: Re: making a router invisible
>>>Date: Sun, 19 Jun 2005 00:17:49 -0700
>>>
>>>That is a pretty interesting solution.
>>>Is there an "ip" solution that would work also? I was interested in
>>>getting some feedback about my initial idea..:
>>>
>>>turning off icmp
>>>turning off ip
>>>turning off cdp
>>>
>>>no ip unreachables
>>>>int e0/0
>>>>ip access-g 101 in
>>>>no cdp enable
>>>>
>>>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>>>access-list 101 deny ip any any
>>>
>>>What would a port scanner see with this type of scenario?
>>>
>>>
>>>
>>>Regards,
>>>
>>>John D. Matus
>>>MCSE, CCNP
>>>Office: 818-782-2061
>>>Cell: 818-430-8372
>>>jmatus@pacbell.net
>>>----- Original Message -----
>>>From: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>
>>>To: "John Matus" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
>>>Sent: Saturday, June 18, 2005 1:10 PM
>>>Subject: RE: making a router invisible
>>>
>>>
>>>>I have an even better idea:
>>>>
>>>>1) turn OFF ip routing
>>>>2) enable X.25 with static routing.
>>>>3) You may need to also enable CMNS and PAD over CMNS if the only
>>>>interface is Ethernet.
>>>>4) assign X.121 address to the router itself
>>>>5) use PAD to access the router. PAD is functionally similar to telnet.
>>>>
>>>>Complete and utter invisibility to IP! :-)
>>>>
>>>>HTH,
>>>>Cheers
>>>>Alex
>>>>
>>>>-----Original Message-----
>>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf
>>>>Of John Matus
>>>>Sent: 18 June 2005 20:42
>>>>To: ccielab@groupstudy.com
>>>>Subject: making a router invisible
>>>>
>>>>
>>>>Could you make a router virtually invisible on a network?
>>>>
>>>>I've had a few ideas on how to do this, in the case that there is port
>>>>scanning going on and other foot-printing methods, but I need more
>>>>input.
>>>>Here is my idea:
>>>>
>>>>The router would be connected to the network via an ethernet
>>>>interface only.
>>>>The only access I want to have to this router is via telnet.
>>>>
>>>>Turn off icmp <I think you can do this, but I don't have a router in
>>>>front of me...."no icmp enable", "no service icmp"...??
>>>>
>>>>no ip unreachables
>>>>int e0/0
>>>>ip access-g 101 in
>>>>no cdp enable
>>>>
>>>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>>>access-list 101 deny ip any any
>>>>
>>>>My thought is that if icmp is off (if you can't turn it off, at least
>>>>the access-list will deny it...I think) then the router won't reply to
>>>>ping sweeps or any other icmp feature. With the acl, only telnet
>>>>traffic would be permitted in, and anything else that tried to get
>>>>through or query the router or a specific port would be silently
>>>>discarded because of the "no ip unreachable". <I forget if that is a
>>>>global command or an interface command...>
>>>>
>>>>Is my thinking correct or am I way off? Any suggestion on how to do
>>>>this effectively?
>>>>
>>>>TIA
>>>>
>>>>_____________________________________________________________________
>>>>Subscription information may be found at:
>>>>http://www.groupstudy.com/list/CCIELab.html
>>
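The access-list 101 and "no ip unreachables" idea debated in the quoted thread above, modelled in Python as an added example (not code from the thread or from Cisco): it evaluates the thread's two access-list entries against constructed probes and reports what the probing host observes with and without "no ip unreachables" on e0/0. The 10.0.0.1 address for the 2511 and the probe source addresses are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 when the protocol carries no port (icmp)


@dataclass
class Ace:
    """One access-list entry in the form the thread uses:
    <action> <proto> <src> <dst> [eq <dport>]."""
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any IP)
    src: str                     # "any" or one host address
    dst: str
    dport: Optional[int] = None  # None: any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if self.src != "any" and self.src != p.src:
            return False
        if self.dst != "any" and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport


# access-list 101 as proposed in the thread (telnet = tcp/23)
ACL_101 = [
    Ace("permit", "tcp", "1.2.3.4", "any", 23),
    Ace("deny", "ip", "any", "any"),
]


def acl_verdict(acl, p):
    """First matching entry wins; an IOS ACL ends with an implicit deny."""
    for ace in acl:
        if ace.matches(p):
            return ace.action
    return "deny"


def scanner_sees(acl, p, ip_unreachables=True):
    """Result of one probe arriving on the interface carrying the ACL.
    IOS default: a denied packet is answered with ICMP type 3 code 13
    (administratively prohibited), which confirms a filtering device is
    there. 'no ip unreachables' on the interface suppresses that reply."""
    if acl_verdict(acl, p) == "permit":
        return "permitted"
    return "icmp 3/13 admin-prohibited" if ip_unreachables else "silent drop"
```

The model covers only IP packets entering e0/0; ARP on the shared Ethernet segment is outside it, so a host on the same LAN still learns the router's MAC address even when every IP probe is dropped silently.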



This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3