Re: Securing Border Routers

[Owen DeLong <owen () delong com>]

Using non-world routable space on interfaces makes for difficulties in some
situations with PMTU-D and with troubleshooting (useless information in
traceroutes for example).

Owen

On Jan 19, 2011, at 6:04 PM, jim deleskie wrote:

> Never put a firewall in front of a router, it will die first.  The team
> CYMRU stuff is great make sure you have ACL's on your VTY and allow access
> only from trusted internal IPs.  I also like using non world routable space
> on any interface I can.
>
>
> On Wed, Jan 19, 2011 at 9:38 PM, Brandon Kim <brandon.kim () brandontek com>wrote:
>
> > What an insightful link! Thank you, I am reading it now.....
> >
> >
> >
> >
> > > From: Bryan.Welch () arrisi com
> > > To: nanog () nanog org
> > > Date: Wed, 19 Jan 2011 16:38:43 -0800
> > > Subject: RE: Securing Border Routers
> > >
> > > I ALWAYS start with the CYMRU secure bgp templates, found here:
> > > http://www.team-cymru.org/ReadingRoom/Templates/secure-bgp-template.html
> > >
> > > I personally would not recommend a firewall in front of your router,
> > sufficient ACL'ing should be enough for securing the router itself.
> > > Bryan
> > >
> > > -----Original Message-----
> > > From: Brandon Kim [mailto:brandon.kim () brandontek com]
> > > Sent: Wednesday, January 19, 2011 4:36 PM
> > > To: nanog group
> > > Subject: Securing Border Routers
> > >
> > >
> > > Gents:
> > >
> > > What measures do you take to protect your border routers? Our routers are
> > running BGP so I'm interested if there is any way to secure them without
> > interfering with BGP? Is it normal to put a firewall in front of the border
> > routers?
> > > I'm concerned about DDOS attacks mainly....although we haven't had any, I
> > don't welcome them.....
> > > Brandon