[nsp] Protecting border routers

Stephen J. Wilcox steve at telecomplete.co.uk
Sat Nov 29 08:16:12 EST 2003


On Fri, 28 Nov 2003, Matthew Crocker wrote:
> On Nov 28, 2003, at 9:14 PM, Stephen J. Wilcox wrote:
> 
> > There's not a lot you can do to a router (excluding the rare times when a
> > major exploit has been found out).. why don't you just leave it outside and
> > make sure that you disable all the usual stuff (small servers, http etc) and
> > acl your telnet/ssh login. To get back through a fw to management systems you
> > can poke a hole on the fw..
> 
> That is what I'm doing now.  I was just wondering if I could put the 
> control plane behind the firewall using an MPLS IP-VPN or something.  
> My Redback control and my Lucent modem pool have control interfaces on 
> different ethernet/contexts.

Not on Cisco routers afaik; any connection to an interface IP connects to the 
management (unlike switches, where you can put the mgmt inside a specified vlan).

Steve

> 
> -Matt
> 
> 
> > Steve
> >
> > On Fri, 28 Nov 2003, Matthew Crocker wrote:
> >
> >>
> >> What is the current best practice for protecting border routers?  We
> >> have a couple routers that are in front of our firewall.  I would like
> >> to put them behind the firewall from a management, SNMP, logging point
> >> of view.  There is no reason for the Internet to talk with my router.
> >> My upstreams need to talk for BGP sessions.  Is it just done with ACLs
> >> or is there a way with MPLS to set the local management stuff on the
> >> router into a VPN?
> >>
> >> -Matt
> >>
> >> --
> >> Matthew S. Crocker
> >> Crocker Communications, Inc.
> >> Vice President
> >> PO BOX 710
> >> Greenfield, MA 01302
> >>
> >> P: 413-746-2760
> >> F: 413-746-3704
> >> W: http://www.crocker.com
> >> E: matthew at crocker.com
> >>
> >>
> >>
> >
> >
> --
> Matthew S. Crocker
> Crocker Communications, Inc.
> Vice President
> PO BOX 710
> Greenfield, MA 01302
> 
> P: 413-746-2760
> F: 413-746-3704
> W: http://www.crocker.com
> E: matthew at crocker.com
> 
> 
> 
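As an added example (not part of the thread, and not a configuration either poster provided), here is a Cisco IOS fragment along the lines Steve describes: the small servers and the HTTP server turned off, telnet/ssh login restricted to a management network with an access-class, and an inbound ACL on the upstream-facing interface that lets only the upstream neighbor talk BGP to the router while transit traffic still passes on to the firewall. All addresses, interface names and ACL names are constructed placeholders, and SSH is assumed to be already set up (hostname, domain-name, RSA keys, local username).

```cisco
! Added example, not from the thread. Addresses/names are constructed placeholders.
!
! Disable the "usual stuff": small servers, finger, bootp, HTTP, source routing
no service tcp-small-servers
no service udp-small-servers
no service finger
no ip bootp server
no ip http server
no ip http secure-server
no ip source-route
!
! Only the management network (the hole poked through the fw) may reach the
! vty lines; everything else is refused at login time and logged
ip access-list standard MGMT-HOSTS
 permit 192.0.2.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-HOSTS in
 transport input ssh
 exec-timeout 5 0
 login local
!
! Inbound from the upstream: BGP only from the configured neighbor, anything
! else aimed at the router's own address is dropped, transit passes through
ip access-list extended FROM-UPSTREAM
 remark BGP session with upstream neighbor 198.51.100.1 (constructed)
 permit tcp host 198.51.100.1 host 198.51.100.2 eq bgp
 permit tcp host 198.51.100.1 eq bgp host 198.51.100.2
 remark the Internet has no business talking to the router itself
 deny   ip any host 198.51.100.2 log
 remark transit traffic continues on to the firewall
 permit ip any any
!
interface Serial0/0
 description Upstream transit link (constructed)
 ip address 198.51.100.2 255.255.255.252
 ip access-group FROM-UPSTREAM in
```

Add any other router-owned addresses (loopbacks, other link addresses) and the ICMP types you rely on, such as `packet-too-big`, in front of the `deny`, and watch the match counters with `show ip access-lists FROM-UPSTREAM` before trusting the rule set.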



More information about the cisco-nsp mailing list