[nsp] Protecting border routers
Matthew Crocker
matthew at crocker.com
Fri Nov 28 23:35:49 EST 2003
On Nov 28, 2003, at 9:14 PM, Stephen J. Wilcox wrote:
> There's not a lot you can do to a router (excluding the rare times when a major
> exploit has been found out).. why don't you just leave it outside and make sure
> that you disable all the usual stuff (small servers, http etc) and acl your
> telnet/ssh login. To get back through a fw to management systems you can poke a
> hole on the fw..
>
That is what I'm doing now. I was just wondering if I could put the
control plane behind the firewall using an MPLS IP-VPN or something.
My Redback control and my Lucent modem pool have control interfaces on
different ethernet/contexts.
-Matt
> Steve
>
> On Fri, 28 Nov 2003, Matthew Crocker wrote:
>
>>
>> What is the current best practice for protecting border routers? We
>> have a couple routers that are in front of our firewall. I would like
>> to put them behind the firewall from a management, SNMP, logging point
>> of view. There is no reason for the Internet to talk with my router.
>> My upstreams need to talk for BGP sessions. Is it just done with ACLs
>> or is there a way with MPLS to set the local management stuff on the
>> router into a VPN?
>>
>> -Matt
>>
>> --
>> Matthew S. Crocker
>> Crocker Communications, Inc.
>> Vice President
>> PO BOX 710
>> Greenfield, MA 01302
>>
>> P: 413-746-2760
>> F: 413-746-3704
>> W: http://www.crocker.com
>> E: matthew at crocker.com
>>
>>
>>
>
>
--
Matthew S. Crocker
Crocker Communications, Inc.
Vice President
PO BOX 710
Greenfield, MA 01302
P: 413-746-2760
F: 413-746-3704
W: http://www.crocker.com
E: matthew at crocker.com
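
The hardening items named in the quoted reply (small servers off, HTTP off, an ACL on telnet/ssh login) can be checked against a saved configuration. The script below is an added example, not part of the original thread; it assumes Cisco IOS-style syntax, uses a constructed sample config, and flags only services that are explicitly enabled, since defaults vary by software version.

```python
import re

# Constructed sample running-config, not taken from any real router.
SAMPLE_CONFIG = """\
service tcp-small-servers
no service udp-small-servers
ip http server
access-list 10 permit 192.0.2.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""

# Global commands that turn on services the reply says to disable.
RISKY_GLOBALS = {
    "service tcp-small-servers": "TCP small servers enabled",
    "service udp-small-servers": "UDP small servers enabled",
    "ip http server": "HTTP server enabled",
}

def vty_blocks(config):
    """Yield (header, [sub-commands]) for each 'line vty' block."""
    header, body = None, []
    for line in config.splitlines():
        if line.startswith(" ") and header is not None:
            body.append(line.strip())  # indented line belongs to the open block
            continue
        if header is not None:
            yield header, body
        header, body = (line.strip(), []) if line.startswith("line vty") else (None, [])
    if header is not None:
        yield header, body

def audit(config):
    """Return findings for the hardening items named in the thread."""
    findings = []
    for line in config.splitlines():
        msg = RISKY_GLOBALS.get(line.rstrip())  # exact match, so 'no ...' is ignored
        if msg:
            findings.append(msg)
    for header, body in vty_blocks(config):
        # Every vty range needs its own inbound access-class to restrict logins.
        if not any(re.match(r"access-class \S+ in\b", cmd) for cmd in body):
            findings.append(f"{header}: no inbound access-class")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The second vty range in the sample is the case that is easy to miss: an ACL applied to `line vty 0 4` does not cover `line vty 5 15`.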