Never put a firewall in front of a router; it will die first. The Team CYMRU stuff is great. Make sure you have ACLs on your VTY and allow access only from trusted internal IPs. I also like using non-world-routable space on any interface I can.
On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
What an insightful link! Thank you, I am reading it now.....
From: Bryan.Welch@arrisi.com
To: nanog@nanog.org
Date: Wed, 19 Jan 2011 16:38:43 -0800
Subject: RE: Securing Border Routers
I ALWAYS start with the CYMRU secure BGP templates, found here: http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
I personally would not recommend a firewall in front of your router, sufficient ACL'ing should be enough for securing the router itself.
Bryan
-----Original Message-----
From: Brandon Kim [mailto:brandon.kim@brandontek.com]
Sent: Wednesday, January 19, 2011 4:36 PM
To: nanog group
Subject: Securing Border Routers
Gents:
What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?
I'm concerned about DDoS attacks mainly... although we haven't had any, I don't welcome them...
Brandon