Securing Border Routers

Owen DeLong owen at delong.com
Thu Jan 20 04:22:50 UTC 2011


Using non-world routable space on interfaces makes for difficulties in some
situations with PMTU-D and with troubleshooting (useless information in
traceroutes for example).

Owen

On Jan 19, 2011, at 6:04 PM, jim deleskie wrote:

> Never put a firewall in front of a router; it will die first.  The Team
> CYMRU stuff is great; make sure you have ACLs on your VTY and allow access
> only from trusted internal IPs.  I also like using non-world-routable space
> on any interface I can.
> 
> 
> On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim <brandon.kim at brandontek.com> wrote:
> 
>> 
>> What an insightful link! Thank you, I am reading it now.....
>> 
>>> From: Bryan.Welch at arrisi.com
>>> To: nanog at nanog.org
>>> Date: Wed, 19 Jan 2011 16:38:43 -0800
>>> Subject: RE: Securing Border Routers
>>> 
>>> I ALWAYS start with the CYMRU secure bgp templates, found here:
>>> http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
>>> 
>>> I personally would not recommend a firewall in front of your router,
>>> sufficient ACL'ing should be enough for securing the router itself.
>>> 
>>> 
>>> Bryan
>>> 
>>> -----Original Message-----
>>> From: Brandon Kim [mailto:brandon.kim at brandontek.com]
>>> Sent: Wednesday, January 19, 2011 4:36 PM
>>> To: nanog group
>>> Subject: Securing Border Routers
>>> 
>>> 
>>> Gents:
>>> 
>>> What measures do you take to protect your border routers? Our routers are
>>> running BGP so I'm interested if there is any way to secure them without
>>> interfering with BGP? Is it normal to put a firewall in front of the border
>>> routers?
>>> 
>>> I'm concerned about DDOS attacks mainly....although we haven't had any, I
>>> don't welcome them.....
>>> 
>>> Brandon
>>> 
>>> 
>>> 
>>> 
>>> 
>>> 
>> 
>> 
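
An added example, not part of any message in this thread: a small Python audit of an IOS-style configuration that checks the two points raised above, an inbound ACL on every VTY line and interfaces numbered from non-routable space. The configuration text, ACL number and addresses are constructed for illustration, and treating "non world routable" as RFC 1918 space is an assumption.

```python
import ipaddress
import re

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed IOS-style sample; 198.51.100.0/24 (documentation range) stands in for public space.
SAMPLE_CONFIG = """\
interface GigabitEthernet0/0
 ip address 10.255.0.1 255.255.255.252
!
interface GigabitEthernet0/1
 ip address 198.51.100.1 255.255.255.0
!
access-list 10 permit 192.168.50.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
!
line vty 5 15
 transport input ssh
"""

def audit(config):
    """Return a list of findings for interface addressing and VTY access control."""
    findings, acls, vty, section = [], set(), {}, ""
    for line in config.splitlines():
        if not line.startswith(" "):            # top-level statement starts a new section
            section = line.strip()
            m = re.match(r"access-list (\S+) ", section)
            if m:
                acls.add(m.group(1))
            if section.startswith("line vty"):
                vty[section] = None             # no access-class seen yet
            continue
        stmt = line.strip()
        m = re.match(r"ip address (\d+\.\d+\.\d+\.\d+) ", stmt)
        if m and section.startswith("interface"):
            addr = ipaddress.ip_address(m.group(1))
            if any(addr in net for net in RFC1918):
                findings.append(f"{section}: {addr} is RFC 1918; ICMP errors sourced from it "
                                "(PMTU-D, traceroute hops) can be dropped by private-source filters")
        m = re.match(r"access-class (\S+) in$", stmt)
        if m and section in vty:
            vty[section] = m.group(1)
    for name, acl in vty.items():
        if acl is None:
            findings.append(f"{name}: no inbound access-class")
        elif acl not in acls:
            findings.append(f"{name}: access-class {acl} is not defined")
    return findings
```

Calling `audit(SAMPLE_CONFIG)` reports the privately numbered uplink and the VTY range that has no inbound ACL.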




