We are in the process of implementing tighter security and I have been given guidelines that management would like to follow.
The guidelines indicate that the "premise" router should have all these different security measures applied, including:
"NET0910: Utilize ingress and egress access control lists (ACLs) to restrict traffic for all ports and protocols required for operational commitments."
The guidelines instruct us to filter:
4.4.1 ICMPv4 Message Types
4.4.3 Distributed Denial of Service (DDoS) Attacks
4.5 IPv4 ADDRESS FILTERING
4.6 UNICAST REVERSE-PATH FORWARDING
4.7 SYN FLOOD ATTACK - PROTECTING SERVERS OR LANS
4.8 SYN FLOOD ATTACK -PROTECTING THE ROUTER
All of these things look like something that would be done on the edge routers, not on the internal core layer three switches and MPLS edge router.
Is a "premise" router any router on the premises, or are they talking about just the edge routers to the Internet?
Am I correct in this, or is it best practice to apply this filtering to all routers?
If so, it seems like all of this filtering is going to increase CPU utilization on these devices, which see a lot more traffic than the Internet edge router.
Also, the guideline directs us to use MD5 authentication on OSPF and BGP peers.
Since we have BGP in several different states via MPLS, it seems like it is going to take a lot of coordination with the provider to implement this.
Do most people implement peer authentication with the MPLS provider?
I was just testing this, and it looks like the routes will stay in the route table for a few minutes if the remote side's authentication is set and the local side's is not. That means I should be able to set all the CE routers with peer authentication and then have the provider do the PE routers without loss of connectivity, unless the BGP process gets cleared.
Does that sound correct?
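A CE-side configuration sketch of the staged rollout described in the post, added here as an example (it is not from the original post or from any vendor document); Cisco IOS syntax is assumed, and the addresses, AS numbers and keys are placeholders:

```cisco
! --- CE router (assumed Cisco IOS); 192.0.2.1 / AS 65000 = provider PE (placeholders)
router bgp 65001
 neighbor 192.0.2.1 remote-as 65000
 ! Set the shared key on the CE first. Once only one side carries a key, the
 ! peers' segments no longer authenticate, so the established session survives
 ! only until its hold timer expires (180 s by default). The provider's change
 ! on the PE has to land inside that window, or the session is re-established
 ! after it, with the routes withdrawn in between.
 neighbor 192.0.2.1 password CE-PE-SHARED-KEY-PLACEHOLDER
!
! OSPF MD5 on an internal link. A mismatch here drops the adjacency after the
! dead interval (40 s by default), so key both ends of a link in one step.
router ospf 1
 area 0 authentication message-digest
!
interface GigabitEthernet0/1
 ip ospf message-digest-key 1 md5 OSPF-AREA0-KEY-PLACEHOLDER
!
! --- Checks to run during the change window ---
! Session state plus the hold time that bounds the unauthenticated period:
show ip bgp neighbors 192.0.2.1 | include BGP state|hold time
! Segments that fail or lack the MD5 digest are logged (%TCP-6-BADAUTH):
show logging | include BADAUTH
! Adjacencies and learned routes should be unchanged once both sides match:
show ip ospf neighbor
show ip route bgp
```

Clearing the session by hand (`clear ip bgp 192.0.2.1`) before the PE side is keyed forces the outage the post is trying to avoid, so the provider's change should be confirmed first.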