Securing Border Routers


What measures do you take to protect your border routers? Our routers are running BGP, so I'm interested
in whether there is any way to secure them without interfering with BGP. Is it normal to put a firewall in front of the
border routers?

I'm concerned about DDoS attacks mainly... although we haven't had any, I don't welcome them.


I ALWAYS start with the CYMRU secure BGP templates, found here:

I personally would not recommend a firewall in front of your router; sufficient ACL'ing should be enough for securing the router itself.


A stateful firewall outside of your router may create a new bottleneck which
increases your risk of DoS. Making sure that you know (and document, and
test) how to effectively contact your service providers should you be
attacked would be a good idea. Find out if your service providers have BGP
communities for remote triggered black hole (document and test). A denial of
service will break the weakest link in the chain toward your services, so
make sure you have appropriate bandwidth, a reasonable server architecture,
and if you have money to burn consider a DDoS mitigation service.


What an insightful link! Thank you, I am reading it now...

Never put a firewall in front of a router; it will die first. The Team
CYMRU stuff is great. Make sure you have ACLs on your VTY and allow access
only from trusted internal IPs. I also like using non-world routable space
on any interface I can.
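
One way to check the VTY restriction described in the post above, as an added example that is not part of the thread or of the Team Cymru templates: a small Python audit of an IOS-style configuration that reports `line vty` blocks with no inbound `access-class`, or with one that points at an ACL permitting any source. The sample configuration and its addresses are constructed, and the script assumes numbered standard ACLs only.

```python
import re

# Constructed sample in IOS-style syntax; the addresses are RFC 1918 placeholders.
SAMPLE_CONFIG = """\
access-list 10 permit 10.20.0.0 0.0.0.255
access-list 10 deny any log
access-list 20 permit any
line con 0
 login local
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input ssh
line vty 16 31
 access-class 20 in
 transport input ssh
"""

def audit_vty(config):
    """Return [(vty_range, problem)] for VTY lines not limited to trusted sources."""
    open_acls = set()   # numbered ACLs containing "permit any"
    blocks = {}         # "0 4" -> sub-commands configured under that line range
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        m = re.match(r"access-list (\d+) permit any\b", line)
        if m:
            open_acls.add(m.group(1))
        if line.startswith("line vty "):
            current = line[len("line vty "):].strip()
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())  # indented: belongs to the block
        else:
            current = None                        # any other top-level command
    findings = []
    for vty, cmds in blocks.items():
        hits = [re.match(r"access-class (\S+) in\b", c) for c in cmds]
        acls = [h.group(1) for h in hits if h]
        if not acls:
            findings.append((vty, "no inbound access-class"))
        elif acls[0] in open_acls:
            findings.append((vty, f"access-class {acls[0]} permits any source"))
    return findings

if __name__ == "__main__":
    for vty, problem in audit_vty(SAMPLE_CONFIG):
        print(f"line vty {vty}: {problem}")
```

Named ACLs (`ip access-list standard ...`) are not parsed; a VTY block that references one is treated as restricted without inspecting its entries.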

Using non-world routable space on interfaces makes for difficulties in some
situations with PMTU-D and with troubleshooting (useless information in
traceroutes for example).


Hi -