Securing Border Routers
Gents:
What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?
I'm concerned about DDOS attacks mainly....although we haven't had any, I don't welcome them.....
Brandon
I ALWAYS start with the CYMRU secure bgp templates, found here: http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
I personally would not recommend a firewall in front of your router, sufficient ACL'ing should be enough for securing the router itself.
Bryan
-----Original Message-----
From: Brandon Kim [mailto:brandon.kim@brandontek.com]
Sent: Wednesday, January 19, 2011 4:36 PM
To: nanog group
Subject: Securing Border Routers
Gents:
What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?
I'm concerned about DDOS attacks mainly....although we haven't had any, I don't welcome them.....
Brandon
What an insightful link! Thank you, I am reading it now.....
> From: Bryan.Welch@arrisi.com
> To: nanog@nanog.org
> Date: Wed, 19 Jan 2011 16:38:43 -0800
> Subject: RE: Securing Border Routers
>
> I ALWAYS start with the CYMRU secure bgp templates, found here: http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
> I personally would not recommend a firewall in front of your router, sufficient ACL'ing should be enough for securing the router itself.
> Bryan
Never put a firewall in front of a router, it will die first. The team CYMRU stuff is great. Make sure you have ACLs on your VTY and allow access only from trusted internal IPs. I also like using non-world-routable space on any interface I can.
On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
> What an insightful link! Thank you, I am reading it now.....
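
An added example, not part of the original post: a small audit that checks whether every `line vty` block in an IOS-style configuration has an inbound `access-class` whose ACL permits only trusted internal prefixes. The sample configuration and the trusted prefix `10.20.0.0/16` are constructed assumptions.

```python
import ipaddress
import re

# Constructed IOS-style sample config; not taken from the thread.
SAMPLE_CONFIG = """\
access-list 10 permit 10.20.0.0 0.0.0.255
access-list 10 permit host 10.20.1.5
access-list 10 deny any log
access-list 20 permit 10.20.0.0 0.0.0.255
access-list 20 permit 198.51.100.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 access-class 20 in
line vty 16 31
 transport input ssh
"""

def permitted_sources(config, acl):
    """Networks a numbered standard ACL permits ('any' becomes 0.0.0.0/0)."""
    nets = []
    for m in re.finditer(rf"^access-list {acl} permit (.+)$", config, re.M):
        w = [x for x in m.group(1).split() if x not in ("host", "log")]
        # "addr" is one host; "addr/wildcard" works because ip_network()
        # accepts a contiguous wildcard as a host mask.
        text = "0.0.0.0/0" if w[0] == "any" else "/".join(w[:2])
        nets.append(ipaddress.ip_network(text))
    return nets

def audit_vty(config, trusted):
    """Return (vty_range, problem) for VTY lines not limited to trusted sources."""
    trusted = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    # A block is the 'line vty' header plus its indented sub-commands.
    for m in re.finditer(r"^line vty (\d+ \d+)\n((?: .*\n?)*)", config, re.M):
        vty, body = m.group(1), m.group(2)
        ac = re.search(r"^ access-class (\d+) in", body, re.M)
        if not ac:
            findings.append((vty, "no inbound access-class"))
            continue
        for net in permitted_sources(config, ac.group(1)):
            if not any(net.subnet_of(t) for t in trusted):
                findings.append((vty, f"ACL {ac.group(1)} permits {net}"))
    return findings

if __name__ == "__main__":
    for vty, problem in audit_vty(SAMPLE_CONFIG, ["10.20.0.0/16"]):
        print(f"line vty {vty}: {problem}")
```

Non-contiguous wildcard masks are not handled; `ipaddress` raises `ValueError` on them, which is a reasonable prompt to review such an entry by hand.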
Using non-world routable space on interfaces makes for difficulties in some situations with PMTU-D and with troubleshooting (useless information in traceroutes for example).
Owen
On Jan 19, 2011, at 6:04 PM, jim deleskie wrote:
> Never put a firewall in front of a router, it will die first. The team CYMRU stuff is great. Make sure you have ACLs on your VTY and allow access only from trusted internal IPs. I also like using non-world-routable space on any interface I can.
A stateful firewall outside of your router may create a new bottleneck which increases your risk of DoS. Making sure that you know (and document, and test) how to effectively contact your service providers should you be attacked would be a good idea. Find out if your service providers have BGP communities for remote triggered black hole (document and test). A denial of service will break the weakest link in the chain toward your services, so make sure you have appropriate bandwidth, a reasonable server architecture, and if you have money to burn consider a DDoS mitigation service.
-Ryan
On Wed, Jan 19, 2011 at 7:35 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
> Gents:
> What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?
> I'm concerned about DDOS attacks mainly....although we haven't had any, I don't welcome them.....
> Brandon
Hi -
On 01/19/2011 04:35 PM, Brandon Kim wrote:
> Gents:
> What measures do you take to protect your border routers? Our routers are running BGP so I'm interested if there is any way to secure them without interfering with BGP? Is it normal to put a firewall in front of the border routers?
> I'm concerned about DDOS attacks mainly....although we haven't had any, I don't welcome them.....
> Brandon
BCP 38 is worth implementing :-)
regards,
/virendra
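
BCP 38 asks a network to drop packets whose source address could not legitimately arrive on the interface they came in on. The added example below (not part of the original message) models one common way to enforce that, a reverse-path check in strict and loose modes, and goes beyond the one-line mention to show how each mode treats spoofed and asymmetrically routed traffic; the forwarding table, interface names and packets are constructed.

```python
import ipaddress

# Constructed forwarding table for a multihomed border router.
# Prefixes are documentation ranges; interface names are hypothetical.
FIB = {
    "203.0.113.0/24": "cust0",       # block assigned to the customer
    "203.0.113.128/25": "cust1",     # more-specific for a second customer
    "198.51.100.0/24": "transit0",   # best BGP path to a remote network
}

def lookup(fib, addr):
    """Longest-prefix match: egress interface for addr, or None if no route."""
    best = None
    for prefix, ifname in fib.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, ifname)
    return best[1] if best else None

def rpf_accepts(fib, src, in_if, mode):
    """Reverse-path check on a packet's source address.

    strict: the best route back to src must leave via the arrival interface.
    loose:  any route to src is enough (only unrouted sources are dropped).
    """
    route_if = lookup(fib, ipaddress.ip_address(src))
    if route_if is None:
        return False
    return mode == "loose" or route_if == in_if

# Constructed packets: (source address, arrival interface, what it represents).
PACKETS = [
    ("203.0.113.10", "cust0", "customer using its own address"),
    ("198.51.100.9", "cust0", "customer spoofing a remote source"),
    ("203.0.113.200", "cust0", "customer spoofing its neighbour"),
    ("198.51.100.7", "transit1", "legitimate, but asymmetric return path"),
    ("192.0.2.66", "transit1", "source with no route at all"),
]

def evaluate(fib, packets):
    """Return {description: (strict_verdict, loose_verdict)}."""
    return {why: (rpf_accepts(fib, src, i, "strict"),
                  rpf_accepts(fib, src, i, "loose"))
            for src, i, why in packets}

if __name__ == "__main__":
    for why, (strict, loose) in evaluate(FIB, PACKETS).items():
        print(f"{why:42} strict={strict!s:5} loose={loose}")
```

Strict mode filters both spoofed customer packets but also drops the legitimate packet that arrives on `transit1`, so it fits single-homed customer ports; loose mode leaves BGP-multihomed uplinks working but only removes sources with no route.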
On Jan 19, 2011, at 6:35 PM, Brandon Kim wrote:
> I'm concerned about DDOS attacks mainly....although we haven't had any, I don't welcome them.....
<https://files.me.com/roland.dobbins/prguob>
<https://files.me.com/roland.dobbins/k4zw3x>
<https://files.me.com/roland.dobbins/dweagy>
------------------------------------------------------------------------
Roland Dobbins <rdobbins@arbor.net> // <http://www.arbornetworks.com>
Most software today is very much like an Egyptian pyramid, with millions of bricks piled on top of each other, with no structural integrity, but just done by brute force and thousands of slaves.
-- Alan Kay
participants (7)
- Brandon Kim
- jim deleskie
- Owen DeLong
- Roland Dobbins
- Ryan Shea
- virendra rode
- Welch, Bryan