A few questions about router security, premise routers, BGP

May 9th, 2009

We are in the process of implementing tighter security and I have been given guidelines that management would like to follow.

The guidelines are indicating that the "premise" router should have all these different security measures applied, including:

"NET0910: Utilize ingress and egress access control lists (ACLs) to restrict traffic for all ports and protocols required for operational commitments."

The guidelines instruct to filter:

4.4.1 ICMPv4 Message Types

4.4.2 Traceroute

4.4.3 Distributed Denial of Service (DDoS) Attacks
All of these things look like something that would be done on the edge routers, not on the internal core layer three switches and MPLS edge router.

Is a "premise" router any router on the premises, or are they talking about just edge routers to the Internet?

Am I correct in this, or is it best practice to apply this filtering to all routers?

If so, it seems like all of this filtering is going to increase CPU utilization on these devices, which see a lot more traffic than the Internet edge router.

Also, the guideline directs to use MD5 authentication on OSPF and BGP peers.

Since we have BGP in several different states via MPLS, it seems like it is going to take a lot of coordination with the provider to implement this.

Do most people implement peer authentication with the MPLS provider?

I was just testing this, and it looks like the routes will stay in the route table for a few minutes if the remote side authentication is set and the local side is not, which means I should be able to set all the CE routers with peer authentication and then have the provider do the PE routers without loss of connectivity, unless the BGP process gets cleared.

Does that sound correct?

Giuseppe Larosa Sun, 05/10/2009 - 03:09

Hello Richard,

For effective security, some measures have to be taken everywhere.

As you noted, maybe not all of the listed guidelines are applicable to an internal router.

About routing protocol security:

It is good practice to protect sessions of OSPF or other IGP protocols from accepting information from "rogue routers".

However, I wouldn't go so far as to make a LAN similar to an FR cloud by using neighbor commands, as I have seen suggested, and disabling multicast neighbor discovery.

About BGP sessions:

Often eBGP sessions are protected with MD5, being connections between different companies/organisations.

For eBGP sessions in MPLS L3 VPN you can migrate one eBGP session at a time, coordinating your efforts with the service provider.

If the site is single-homed and that is the only way in, you need to leave yourself a last-resort path:

either allow temporary telnet/SSH to the IP address of the interface connected to the PE, so that you can reach it even if there is a password mismatch.

This way, even if the session is reset (if I remember correctly, it should happen), you should be able to reach your device.

Second safety measure: a scheduled reload, to be able to roll back to the old clear-text config.

Hope to help
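
A concrete version of the one-session-at-a-time migration sketched in the answer above, added here as an example and not part of the original thread. It is Cisco IOS syntax; the addresses (192.0.2.1 on the CE, 192.0.2.2 on the PE), the AS numbers 65001/65000, the management network 10.10.0.0/16, the VRF name CUSTOMER and the password are all made up for the illustration:

```text
! ===== CE router (customer side), configured first, one site at a time =====
!
! Safety net 2 from the answer: do NOT write memory yet. Schedule a reload so
! that if the session is lost and the box becomes unreachable, it comes back
! on the old (unauthenticated) startup-config. Cancel once MD5 is confirmed.
reload in 20
!
! Safety net 1 from the answer: keep SSH reachable on the address of the
! PE-facing interface (192.0.2.1). The PE still sees that /30 as a connected
! route in the VRF when BGP is down, so it stays reachable from the
! (hypothetical) management network even after the customer LAN routes vanish.
ip access-list extended VTY-IN
 permit tcp 10.10.0.0 0.0.255.255 any eq 22
!
line vty 0 4
 access-class VTY-IN in
 transport input ssh
!
interface GigabitEthernet0/0
 description Link to PE
 ip address 192.0.2.1 255.255.255.252
!
router bgp 65001
 neighbor 192.0.2.2 remote-as 65000
 ! The actual change: TCP MD5 signature (RFC 2385) on the eBGP session.
 ! "password 0" = key given in clear text on this command line.
 neighbor 192.0.2.2 password 0 Made-Up-Key-ChangeMe
 !
 address-family ipv4
  neighbor 192.0.2.2 activate
  network 10.1.0.0 mask 255.255.0.0
 exit-address-family
!
! ===== PE router (provider side), applied by the SP shortly afterwards =====
router bgp 65000
 address-family ipv4 vrf CUSTOMER
  neighbor 192.0.2.1 remote-as 65001
  neighbor 192.0.2.1 password 0 Made-Up-Key-ChangeMe
  neighbor 192.0.2.1 activate
 exit-address-family
!
! ===== Back on the CE, once both sides carry the same key =====
! Check that the session is Established again and prefixes are received,
! and that the log shows no further %TCP-6-BADAUTH messages. Only then:
reload cancel
write memory
```

Two operational points worth knowing when reading the question's test result against this. IOS does not tear the session down the instant one side adds a password: segments that fail the MD5 check are discarded (and logged as %TCP-6-BADAUTH), so the established session and its routes survive until the BGP hold timer expires (180 seconds by default), which is the "few minutes" window the question observed. And `service password-encryption` only stores the neighbor password as type 7, which is reversible, so a saved running-config containing it must be treated as carrying the clear-text key.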
