[nsp] Protecting border routers
Stephen J. Wilcox
steve at telecomplete.co.uk
Sat Nov 29 08:16:12 EST 2003
On Fri, 28 Nov 2003, Matthew Crocker wrote:
> On Nov 28, 2003, at 9:14 PM, Stephen J. Wilcox wrote:
>
> > There's not a lot you can do to a router (excluding the rare times when a
> > major exploit has been found out).. why don't you just leave it outside and
> > make sure that you disable all the usual stuff (small servers, http etc) and
> > acl your telnet/ssh login. To get back through a fw to management systems you
> > can poke a hole on the fw..
>
> That is what I'm doing now. I was just wondering if I could put the
> control plane behind the firewall using an MPLS IP-VPN or something.
> My Redback control and my Lucent modem pool have control interfaces on
> different ethernet/contexts.

Not on Cisco routers afaik, any connection to an interface IP connects to the
management (unlike switches where you can put the mgmt inside a specified vlan)

Steve

>
> -Matt
>
>
> > Steve
> >
> > On Fri, 28 Nov 2003, Matthew Crocker wrote:
> >
> >>
> >> What is the current best practice for protecting border routers? We
> >> have a couple routers that are in front of our firewall. I would like
> >> to put them behind the firewall from a management, SNMP, logging point
> >> of view. There is no reason for the Internet to talk with my router.
> >> My upstreams need to talk for BGP sessions. Is it just done with ACLs
> >> or is there a way with MPLS to set the local management stuff on the
> >> router into a VPN?
> >>
> >> -Matt
> >>
> >> --
> >> Matthew S. Crocker
> >> Crocker Communications, Inc.
> >> Vice President
> >> PO BOX 710
> >> Greenfield, MA 01302
> >>
> >> P: 413-746-2760
> >> F: 413-746-3704
> >> W: http://www.crocker.com
> >> E: matthew at crocker.com
> >>
> >>
> >>
> >
> >
>
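
The checks described in the thread (small servers and HTTP disabled, an ACL on telnet/ssh login), as an added example that is not part of the original messages: a small Python audit of Cisco IOS-style configuration text. The sample config, the `audit` function and the finding strings are constructed for illustration.

```python
import re

# Constructed sample running-config (not from the original thread).
SAMPLE_CONFIG = """\
service tcp-small-servers
no service udp-small-servers
ip http server
!
access-list 10 permit 192.0.2.0 0.0.0.255
!
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
!
end
"""

# Global commands that enable a service when present without a leading "no".
RISKY_GLOBALS = {
    "service tcp-small-servers": "TCP small servers enabled",
    "service udp-small-servers": "UDP small servers enabled",
    "ip http server": "HTTP server enabled",
}

def audit(config):
    """Return a list of findings for IOS-style config text."""
    findings = []
    vty_blocks = {}   # "line vty 0 4" -> list of its sub-commands
    current = None    # sub-command list of the vty block being read
    for raw in config.splitlines():
        if not raw.startswith(" "):       # a top-level command ends any block
            current = None
            cmd = raw.strip()
            if cmd in RISKY_GLOBALS:
                findings.append(RISKY_GLOBALS[cmd])
            elif cmd.startswith("line vty"):
                current = vty_blocks.setdefault(cmd, [])
        elif current is not None:
            current.append(raw.strip())
    # Every vty range needs its own inbound ACL; one covered range is not enough.
    for header, cmds in vty_blocks.items():
        if not any(re.match(r"access-class \S+ in\b", c) for c in cmds):
            findings.append(f"{header}: no inbound access-class")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG)))
```

The second vty range in the sample is the case that is easy to miss: an `access-class` applied to `line vty 0 4` does not cover `line vty 5 15`.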