From: Larry Roberts (groupstudy@american-hero.com)
Date: Mon Jun 20 2005 - 11:36:15 GMT-3
Just out of curiosity, but should the question be:
" I want to put a router on my Internet connection, but I don't want
people on the Internet to see it. I need to be able to telnet to it
however so I can do testing/labs"
Scott Morris wrote:
> So I feel we've come a long way just to notice we're going in circles.
> 
> You want to secure your router.  You want to make sure it doesn't respond to
> other things...  You want to make sure that unreachables don't go out.
> 
> Turn off ICMP unreachables.  Put an input ACL on the incoming interface to
> ONLY allow the things you want to allow FROM the places you want to allow
> them.  
> 
> If you are allowed static routes on this device (it's an oddball thing
> you're asking here, so who knows), put in a static route for the network you
> WANT to have access this terminal server back towards its gateway.  Only
> that net/host set.  Route 0/0 to null0.  Then you'll know that nothing else
> gets in or goes anyplace anyway.
> 
> Think about what you're trying to do.  Obviously, you know the topology
> better than the rest of us.  Think about what you want to allow, then figure
> out a way to only allow that.  Think about what you do NOT want to allow and
> make sure that it isn't going to be possible....
> 
> Scott 
> 
> -----Original Message-----
> From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of John
> Matus
> Sent: Monday, June 20, 2005 1:38 AM
> To: Scott Morris; 'cacca mucca'; alexander.arsenyev@ericsson.com;
> john_matus@hotmail.com; ccielab@groupstudy.com
> Subject: Re: making a router invisible
> 
> in this particular lab scenario <hehe> the other routers should be
> considered backbone routers insofar as they are not allowed to be tampered
> with.  the only router that can be modified is the 2511.
> 
> 
> Regards,
> 
> John D. Matus
> MCSE, CCNP
> Office: 818-782-2061
> Cell: 818-430-8372
> jmatus@pacbell.net
> ----- Original Message -----
> From: "Scott Morris" <swm@emanon.com>
> To: "'John Matus'" <jmatus@pacbell.net>; "'cacca mucca'" 
> <caccamucca@hotmail.com>; <alexander.arsenyev@ericsson.com>;
> <john_matus@hotmail.com>; <ccielab@groupstudy.com>
> Sent: Sunday, June 19, 2005 5:47 PM
> Subject: RE: making a router invisible
> 
> 
> 
>>So if it's hanging on a particular network segment someplace, wouldn't 
>>it make the most sense to place an ACL on some other appropriate router?
>>Keep it simple!
>>
>>-----Original Message-----
>>From: John Matus [mailto:jmatus@pacbell.net]
>>Sent: Sunday, June 19, 2005 2:54 PM
>>To: swm@emanon.com; 'cacca mucca'; alexander.arsenyev@ericsson.com; 
>>john_matus@hotmail.com; ccielab@groupstudy.com
>>Subject: Re: making a router invisible
>>
>>i guess i should have been more specific and said the router is not 
>>going to be used as a router, but as a terminal server to hop into 
>>other routers via async ports.  it is a 2511.  the other routers are only
>>connected to themselves and not the production network.  the 2511 is 
>>the only router connected to the production network and i need to be 
>>able to telnet to it.....
>>the requirement for this "scenario" is that it cannot show up in port 
>>scans.
>>
>>
>>Regards,
>>
>>John D. Matus
>>MCSE, CCNP
>>Office: 818-782-2061
>>Cell: 818-430-8372
>>jmatus@pacbell.net
>>----- Original Message -----
>>From: "Scott Morris" <swm@emanon.com>
>>To: "'cacca mucca'" <caccamucca@hotmail.com>; <jmatus@pacbell.net>; 
>><alexander.arsenyev@ericsson.com>; <john_matus@hotmail.com>; 
>><ccielab@groupstudy.com>
>>Sent: Sunday, June 19, 2005 7:38 AM
>>Subject: RE: making a router invisible
>>
>>
>>
>>>If you want a router to REALLY be in your network...  And yet not 
>>>show up as people try to probe it, that's not really making it
>>>"invisible".
> 
>>>Your routing protocols will know about it.
>>>
>>>I think what you are asking is how to make the router secure.  And 
>>>there are a NUMBER of things that you need to think about.
>>>
>>>Stuff like the "no ip unreachable" and "no icmp redirect" is a small 
>>>piece that deals with ICMP stuff...  There are many more pieces to 
>>>security like ACL's and access-classes on your VTY and HTTP ports for 
>>>the router (and SNMP).  Things like securing your routing protocols.
>>>
>>>You'll need to look at everything you do on that router and ask 
>>>yourself how do I make it more secure.  There are no set answers for 
>>>this.
>>>
>>>Check out the CYMRU document collection.  They have docs on how to 
>>>secure IOS among a good number of other things.  This will point you 
>>>in the right direction!
>>>http://www.cymru.com/Documents/
>>>
>>>HTH,
>>>
>>>Scott
>>>
>>>PS.  In the routing world a true "invisible" router really isn't much 
>>>of a router!  :)
>>>
>>>-----Original Message-----
>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf 
>>>Of cacca mucca
>>>Sent: Sunday, June 19, 2005 7:58 AM
>>>To: jmatus@pacbell.net; alexander.arsenyev@ericsson.com; 
>>>john_matus@hotmail.com; ccielab@groupstudy.com
>>>Subject: Re: making a router invisible
>>>
>>>If IP is turned off in a IP network, what use is the invisible router?
>>>I think I know what you want to do, but you have not given us enough 
>>>information to give you a definite answer. We can't assume anything, 
>>>especially this group.
>>>
>>>Question is, what is your requirement?
>>>
>>>
>>>>From: "John Matus" <jmatus@pacbell.net>
>>>>Reply-To: "John Matus" <jmatus@pacbell.net>
>>>>To: "Alexander Arsenyev (GU/ETL)" <alexander.arsenyev@ericsson.com>,
>>>>"John Matus" <john_matus@hotmail.com>, <ccielab@groupstudy.com>
>>>>Subject: Re: making a router invisible
>>>>Date: Sun, 19 Jun 2005 00:17:49 -0700
>>>>
>>>>that is a pretty interesting solution.
>>>>is there an "ip" solution that would work also?  i was interested in 
>>>>getting some feedback about my initial idea..:
>>>>
>>>>
>>>>>>turning off icmp
>>>>
>>>>turning off ip
>>>>turning off cdp
>>>>
>>>>no ip unreachables
>>>>
>>>>>int e0/0
>>>>>ip access-g 101 in
>>>>>no cdp enable
>>>>>
>>>>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>>>>access-list 101 deny ip any any
>>>>
>>>>what would a port scanner see with this type of scenario?
>>>>
>>>>
>>>>
>>>>Regards,
>>>>
>>>>John D. Matus
>>>>MCSE, CCNP
>>>>Office: 818-782-2061
>>>>Cell: 818-430-8372
>>>>jmatus@pacbell.net
>>>>----- Original Message ----- From: "Alexander Arsenyev (GU/ETL)"
>>>><alexander.arsenyev@ericsson.com>
>>>>To: "John Matus" <john_matus@hotmail.com>; <ccielab@groupstudy.com>
>>>>Sent: Saturday, June 18, 2005 1:10 PM
>>>>Subject: RE: making a router invisible
>>>>
>>>>
>>>>
>>>>>I have even better idea:
>>>>>
>>>>>1) turn OFF ip routing
>>>>>2) enable X.25 with static routing.
>>>>>3) You may need to also enable CMNS and PAD over CMNS if the only 
>>>>>interface is Ethernet.
>>>>>4) assign X.121 address to the router itself
>>>>>5) use PAD to access the router. PAD is functionally similar to telnet.
>>>>>
>>>>>Complete and utter invisibility to IP! :-)
>>>>>
>>>>>HTH,
>>>>>Cheers
>>>>>Alex
>>>>>
>>>>>-----Original Message-----
>>>>>From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf 
>>>>>Of John Matus
>>>>>Sent: 18 June 2005 20:42
>>>>>To: ccielab@groupstudy.com
>>>>>Subject: making a router invisible
>>>>>
>>>>>
>>>>>could you make a router virtually invisible on a network?
>>>>>
>>>>>i've had a few ideas on how to do this, in the case that there is 
>>>>>port scanning going on and other foot-printing methods, but i need 
>>>>>more input.
>>>>>here is my idea:
>>>>>
>>>>>the router would be connected to the network via an ethernet 
>>>>>interface only.
>>>>> the only access i want to have to this router is via telnet.
>>>>>
>>>>>turn off icmp <i think you can do this, but i don't have a router in 
>>>>>front of me...."no icmp enable", "no service icmp"...??
>>>>>
>>>>>no ip unreachables
>>>>>int e0/0
>>>>>ip access-g 101 in
>>>>>no cdp enable
>>>>>
>>>>>access-list 101 permit tcp host 1.2.3.4 any eq telnet
>>>>>access-list 101 deny ip any any
>>>>>
>>>>>my thought is that if icmp is off  (if you can't turn it off, at 
>>>>>least the access-list will deny it...i think) then the router won't 
>>>>>reply to ping sweeps or any other icmp feature.  with the acl, only 
>>>>>telnet traffic would be permitted in, and anything else that tried 
>>>>>to get through or query the router or a specific port would be 
>>>>>silently discarded because of the "no ip unreachable". <i forget if 
>>>>>that is a global command or an interface command...>
>>>>>
>>>>>is my thinking correct or am i way off?   any suggestion on how to do
>>>>>this effectively?
>>>>>
>>>>>TIA
>>>>>
>>>>>_______________________________________________________________________
>>>>>Subscription information may be found at:
>>>>>http://www.groupstudy.com/list/CCIELab.html
>>>>
>>>
>>
> 
> 
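The advice scattered across this thread (an input ACL limited to one management host, an access-class on the VTY lines, `no ip unreachables`, the CDP/HTTP/SNMP listeners turned off, a static route only for the management host and 0/0 pointed at Null0) collected into one IOS configuration for the 2511 terminal server. This is an added example, not a config posted by anyone in the thread. 1.2.3.4 is the management host from John's ACL; Ethernet0, the router address 10.1.1.2/24, the gateway 10.1.1.1 and the username are constructed placeholders to be replaced with your own values.

```cisco
! Added example (not from the thread). Placeholders: Ethernet0, 10.1.1.2/24,
! gateway 10.1.1.1, the username. 1.2.3.4 is the management host from the thread.
!
! --- Global: remove the listeners Scott mentioned (CDP, HTTP, SNMP) ---
no cdp run
no ip http server
no snmp-server
!
! Local account for the VTY login below (placeholder credentials)
username admin secret CHANGE-ME
!
! --- Ingress filter: only telnet from the management host to the router itself.
! The inbound ACL also covers packets addressed to the router, and the final
! deny drops ICMP echo too, so no separate "turn off icmp" is needed.
access-list 101 permit tcp host 1.2.3.4 host 10.1.1.2 eq telnet
access-list 101 deny ip any any
!
! --- Second layer on the VTY lines themselves (Scott's "access-class") ---
access-list 10 permit host 1.2.3.4
access-list 10 deny any
!
interface Ethernet0
 ip address 10.1.1.2 255.255.255.0
 ip access-group 101 in
 ! interface command (answers John's question); also suppresses the
 ! ICMP "administratively prohibited" the ACL deny would otherwise send
 no ip unreachables
 no ip redirects
 no cdp enable
!
line vty 0 4
 access-class 10 in
 transport input telnet
 exec-timeout 5 0
 login local
!
! --- Routing: a return path only for the management host, nothing else ---
! Scott: "put in a static route for the network you WANT ... Only that net/host"
ip route 1.2.3.4 255.255.255.255 10.1.1.1
! Scott: "Route 0/0 to null0"
ip route 0.0.0.0 0.0.0.0 Null0
```

What a scan sees with this in place, which is the question John asked: probes from any host other than 1.2.3.4 hit the ACL deny, and because unreachables are off the router sends neither a TCP RST nor an ICMP type 3 code 13, so every port shows as filtered rather than closed; pings get no reply for the same reason. The Null0 default route is the backstop: even if a packet were somehow accepted, the router has no route back to anything except 1.2.3.4. Two caveats worth keeping in mind. First, this hides the router's services, not its presence on the segment, since ARP is not filtered by IP ACLs and the router still answers for 10.1.1.2 on the local LAN, which is Scott's point that a router in the network is never truly invisible. Second, telnet is in the clear; the thread's requirement is telnet, but SSH (`transport input ssh`) is the same configuration with the credentials protected on the wire.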
This archive was generated by hypermail 2.1.4 : Wed Jul 06 2005 - 14:43:42 GMT-3