ALL,
AGAIN I SAY BLOCK THE INBOUND TRACE AT THE EDGE.
WHY ALL THE DORKING AROUND ABOUT TRACEROUTE???
ALLOW IT OUTBOUND BUT NOT INBOUND SO YOU DON'T HAVE TO
WORRY ABOUT IT.
PIRANHA....
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, March 06, 2002 12:22 PM
To: [EMAIL PROTECTED]
Subject: Re: How to hide IP's in Trace
On 7 Mar 2002, at 0:25, Amarnath Gutta wrote:
> Hi All,
>
> I have private IP addresses in my network which I want to conceal
> in traceroutes. Say a customer traces to any IP on the Internet; he is
> able to map my private network also, which I want to prevent. So how
> can I hide the private IPs in the traceroutes? I use Cisco
> routers.
>
> Any suggestions are welcome.
>
> Regards
>
> Amar
It sounds like you don't want your firewall to allow ICMP replies.
But even if your firewall allows ICMP replies from internal
machines, then any servers for which you have static NAT mappings
will respond -- and the responses, being NATted, will show the IPs
that the servers map to and not the internal IP addresses of the
actual machines.

Any internal clients relying on PAT will never see the ICMP
requests, which will be addressed to the firewall.

If you have a NAT pool, then machines currently mapped into the
pool may respond on their current mapped addresses -- but since those
addresses are subject to change, this mapping is of limited use to an
attacker.

So although you may be happier blocking ICMP replies -- if your
firewall lets you choose that option -- I don't think the risk is as
bad as you fear. If you have a firewall that doesn't let you block
ICMP replies, I would not lose sleep over it.
David Gillett
_______________________________________________
Firewalls mailing list
[EMAIL PROTECTED]
http://lists.gnac.net/mailman/listinfo/firewalls
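
An added example, not part of either message in this thread: one way to write the "allow it outbound but not inbound" edge filter as a Cisco IOS extended ACL. The ACL name, the interface name and the UDP port range (the conventional default range used by UDP traceroute probes) are assumptions, and the site's own permit entries have to follow the lines shown, since the ACL ends in an implicit deny.

```cisco
! Constructed example. EDGE-IN and Serial0/0 are placeholder names.
ip access-list extended EDGE-IN
 remark Replies to traceroutes that started inside the network
 permit icmp any any time-exceeded
 permit icmp any any unreachable
 permit icmp any any echo-reply
 remark Probes of traceroutes that started outside the network
 deny   icmp any any echo
 deny   udp any any range 33434 33534
 remark The site's existing permit/deny entries follow here
!
interface Serial0/0
 description Outside (Internet-facing) interface
 ip access-group EDGE-IN in
```

A traceroute run with a non-default destination port or over TCP is not matched by these two deny lines, so the rest of the inbound policy still decides what reaches the inside.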