set scancloak
Purpose
Configures the network port scan cloaking feature. This feature allows you to configure this Digi device to ignore (discard) received packets for services that are hidden or not enabled and network ports that are not open.
Malicious software on the Internet may scan IP addresses, protocols and ports to try to gain access to hosts. The network port scan cloaking feature can be used to prevent responses from being sent to the originator for ping and for TCP and UDP ports that do not have an associated service. By default, when a TCP connection request is received for a port that is not open/bound, the Digi device sends a TCP reset reply to inform the originator that the service is not available. Similarly, by default, when a UDP datagram is received for a port that is not open/bound, the Digi device sends an ICMP port unreachable packet to inform the originator that the service is not available. For the DNS Proxy feature, individual network interfaces can be configured to ignore (discard) requests received on that interface, without otherwise acting on them.
These actions, which are common behaviors in accordance with established protocol standards, effectively inform the originator that it has found a valid IP destination. The originator may continue to probe other ports to gain access to the Digi device. In addition, such reply packets may have a monetary cost for mobile network services (for example, cellular or WiMAX). Enabling the cloaking feature can help manage both the port scanning threat and reduce overall data costs.
Your Digi device can be configured to activate cloaking on a global basis, as well as for individual network interfaces that are available on your device. Activating cloaking on a global basis is configured by setting the group option to global, which is also the default setting. Enabling cloaking for individual protocols and interfaces is done by specifying the interface name followed by interface-specific options. By enabling cloaking for individual protocols and interfaces, you prevent reply packets from being sent to the originator under the conditions described above.
Note If you enable cloaking on a global basis for a particular protocol, that selection overrides the selections for the interface-specific settings. For example, enabling cloaking for ping in the global group overrides a disabled selection for the eth0 (Ethernet) interface.
Required permissions
For Digi products with two or more users, permissions must be set to set permissions s-scan-cloak=read to display settings, and set permissions s-scan-cloak=rw to display and configure settings. See set permissions for details on setting user permissions for commands.
Syntax
set scancloak [state={off|on}]
  [group={global|network interface name}]
  [group specific options]
which are:
  [ping={off|on}]
  [tcp={off|on}]
  [udp={off|on}]
  [dns_proxy={off|on}]
Note The dns_proxy option is not meaningful for the global group. Configure the DNS Proxy feature to disable it globally.
Options
state={off|on}
Enables or disables the network port scan cloaking feature on this Digi device.
group={global|network interface name}
The group of connection requests to which the command applies, such as all connection requests or only Ethernet or mobile connection requests. The valid group names vary according to the network interfaces that are available on your product. For example, for some products, the available interfaces are {global|eth0|mobile0}.
To display all available network interfaces on your Digi device that can be configured via the group option, enter the display scancloak command. Alternatively, the help text displayed for help set scancloak will identify the permissible values for the group option, according to what is supported in the Digi device. Examples later in this command description demonstrate use of both of these commands to display network interfaces.
If group is not specified, the default is global, which means that network port scan cloaking is enabled on a global basis.
[group specific options]
ping={off|on}
Enables/disables cloaking for ping requests. When enabled, replies are not sent for received ping requests.
tcp={off|on}
Enables/disables cloaking for TCP connection requests for which no service is available.
udp={off|on}
Enables/disables cloaking for UDP packets for which no service is available.
dns_proxy={off|on}
Enables/disables cloaking for DNS Proxy requests for a specific network interface.
Note There is no global cloaking selection for DNS Proxy. To cloak the DNS Proxy feature altogether, simply disable it.
Examples
Enable scan cloaking for ping requests on all network interfaces
#> set scancloak state=on ping=on
Enable scan cloaking on a particular network interface
- Display all available network interfaces. Use either display scancloak or help set scancloak.
#> display scancloak

Network Port Scan Cloak Status:

Cloak state: on

Values configured in the network stack:

            Ping    TCP     UDP     DNS Proxy
  global    off     off     off     N/A
  eth0      off     off     off     off
  mobile0   off     on      on      on

Network Port Scan Cloak Statistics:

Packets received but discarded due to cloaking:

            Ping    TCP     UDP     DNS Proxy
  global    0       175     5       0
  eth0      0       0       0       0
  mobile0   0       175     5       0

#> help set scancloak

syntax:
  set scancloak [options...]

options:
  state=[off | on]          {scan cloak feature state}
  group=(group_name)
    where (group_name) is one of:
      global, eth0, mobile0
    If group is not specified, the default is "global".
    Note: The valid group name list varies according to the
          network interfaces that are available on your product.

  The following are group-specific options:
  ping=[off | on]           {Ping cloak state}
  tcp=[off | on]            {TCP cloak state}
  udp=[off | on]            {UDP cloak state}
  dns_proxy=[off | on]      {DNS Proxy cloak state}

  Note: The dns_proxy option is not meaningful for the "global" group.
        Configure the DNS Proxy feature to disable it globally.
- The output from both commands shows that the network interfaces for which network port scan cloaking can be enabled are: eth0, mobile0, and global. To enable scan cloaking for all TCP connection requests over the Ethernet interface (eth0), enter:
#> set scancloak state=on group=eth0 tcp=on
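The following Python script is an added audit example, not part of the Digi documentation or firmware: it parses the output of display scancloak (a constructed copy of the sample shown above), applies the documented override rule that a global "on" for a protocol overrides an interface-level "off", and lists the interface/protocol pairs on which probes would still receive a reply. The parsing assumes the column layout shown in the example above.

```python
# Added example (not Digi code): audit "display scancloak" output.
# Constructed sample matching the page's example; the two tables share
# the column order Ping, TCP, UDP, DNS Proxy.
SAMPLE = """\
Cloak state: on
Values configured in the network stack:
           Ping   TCP    UDP    DNS Proxy
global     off    off    off    N/A
eth0       off    off    off    off
mobile0    off    on     on     on
Network Port Scan Cloak Statistics:
Packets received but discarded due to cloaking:
           Ping   TCP    UDP    DNS Proxy
global     0      175    5      0
eth0       0      0      0      0
mobile0    0      175    5      0
"""

PROTOCOLS = ("ping", "tcp", "udp", "dns_proxy")


def parse_scancloak(text):
    """Return (cloak_state, settings, stats); both dicts are {iface: {proto: value}}."""
    state, settings, stats, section = None, {}, {}, None
    for line in text.splitlines():
        cols = line.split()
        if line.startswith("Cloak state:"):
            state = cols[-1]
        elif line.startswith("Values configured"):
            section = settings
        elif line.startswith("Packets received"):
            section = stats
        # Data rows have 5 tokens; the header also has 5 ("DNS Proxy" splits), so skip it.
        elif section is not None and len(cols) == 5 and cols[0] != "Ping":
            vals = [int(v) if v.isdigit() else v for v in cols[1:]]
            section[cols[0]] = dict(zip(PROTOCOLS, vals))
    return state, settings, stats


def effective_cloak(state, settings):
    """Per-interface cloaking actually in force: the feature must be on, and a
    global "on" for a protocol overrides an interface "off" (per the Note above)."""
    glob = settings.get("global", {})
    return {i: {p: state == "on" and (glob.get(p) == "on" or v.get(p) == "on")
                for p in PROTOCOLS}
            for i, v in settings.items() if i != "global"}


def uncloaked(state, settings):
    """Audit helper: (interface, protocol) pairs that still answer probes."""
    return sorted((i, p) for i, ps in effective_cloak(state, settings).items()
                  for p, on in ps.items() if not on)
```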
See also
- display scancloak
- revert: The revert scancloak command reverts the settings set by this command.
- show: The show scancloak command shows the network port scan cloaking settings in a Digi device.