[135294] in North American Network Operators' Group


Re: Securing Border Routers

daemon@ATHENA.MIT.EDU (Owen DeLong)
Wed Jan 19 23:25:56 2011

From: Owen DeLong <owen@delong.com>
In-Reply-To: <AANLkTimd7o4wNop6ysJ5Ba0UTz-OOVBkrd-+wTwo5XBy@mail.gmail.com>
Date: Wed, 19 Jan 2011 20:22:50 -0800
To: jim deleskie <deleskie@gmail.com>
Cc: nanog group <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

Using non-world routable space on interfaces makes for difficulties in some
situations with PMTU-D and with troubleshooting (useless information in
traceroutes for example).

Owen

On Jan 19, 2011, at 6:04 PM, jim deleskie wrote:

> Never put a firewall in front of a router, it will die first.  The team
> CYMRU stuff is great; make sure you have ACLs on your VTY and allow access
> only from trusted internal IPs.  I also like using non world routable space
> on any interface I can.
>
> On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim <brandon.kim@brandontek.com> wrote:
>
>> What an insightful link! Thank you, I am reading it now.....
>>
>>> From: Bryan.Welch@arrisi.com
>>> To: nanog@nanog.org
>>> Date: Wed, 19 Jan 2011 16:38:43 -0800
>>> Subject: RE: Securing Border Routers
>>>
>>> I ALWAYS start with the CYMRU secure bgp templates, found here:
>>> http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
>>>
>>> I personally would not recommend a firewall in front of your router,
>>> sufficient ACL'ing should be enough for securing the router itself.
>>>
>>> Bryan
>>>
>>> -----Original Message-----
>>> From: Brandon Kim [mailto:brandon.kim@brandontek.com]
>>> Sent: Wednesday, January 19, 2011 4:36 PM
>>> To: nanog group
>>> Subject: Securing Border Routers
>>>
>>> Gents:
>>>
>>> What measures do you take to protect your border routers? Our routers are
>>> running BGP so I'm interested if there is any way to secure them without
>>> interfering with BGP? Is it normal to put a firewall in front of the border
>>> routers?
>>>
>>> I'm concerned about DDOS attacks mainly....although we haven't had any, I
>>> don't welcome them.....
>>>
>>> Brandon
>>>


