Securing Core and Routing Check List

The following provides a brief checklist of the recommendations detailed within this overall chapter:

  • Use static routing between PE and CE if possible.

  • If dynamic routing is required between PE and CE, secure the peering using MD5:

    - Use eBGP as the dynamic routing protocol if possible.

    - Configure "maximum prefix" limits per VRF and per neighbor.

    - Establish "dampening" parameters.

    - If MD5 is not possible, use distance to mark all but the peering router as unreliable.

    - Only use EIGRP/OSPF/RIP as the PE-CE routing protocol if static/eBGP routing is not available, and only if the PE-CE links are point-to-point.

  • Minimize and secure access to PE and CE routers:

    - Limit access to devices within the span of control of the operating entity; that is, customers do not access SP routers, and the SP does not access customer routers.

    - Define ACLs and apply "access-group" to VTYs.

    - Use AAA and centralized servers to control access.

    - Protect access to console and auxiliary ports.

    - Use CoPP and AutoSecure.

    - Use SSH for access to router VTYs.

    - If SSH is not available, then use ACLs to control Telnet access.

    - Limit SNMP access to specific servers through ACLs.

    - Provide only read-only SNMP access.

    - Use receive ACLs where possible.

    - Use iACLs to secure the core.

    - Log, log, log.

  • Implement uRPF on all edge routers:

    - Use "strict" mode wherever possible.

    - Use "loose" mode if strict cannot be applied.

  • Apply QoS/policing to PE/CE interfaces to control offered loads.

  • Implement DMZs using IDS and firewalls to protect networks from intrusions, as discussed in the previous chapter.

  • Run CE-to-CE IPsec where data sensitivity or the environment demands it.

  • Use MD5 for LDP in the core.

  • Use MPLS over L2TPv3 when considering an MPLS over IP deployment scenario, for best-practice security.
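A checklist like this is only useful if it is actually verified against running configurations. The following script is an added example, not part of the book and not Cisco's tooling: it parses an IOS-style PE configuration and reports which of the checklist items above (PE-CE BGP MD5 password, maximum-prefix, dampening, VTY access lists and SSH-only transport, SNMP read-only with a source ACL, uRPF on VRF-facing interfaces, AAA, and LDP MD5) are missing. The sample configuration, its addresses, VRF names, community strings and type-7 strings are all constructed for the example, and the parser assumes the usual IOS indentation (one leading space per nesting level) that `show running-config` produces.

```python
"""Audit an IOS-style PE configuration against the checklist above.
Added example, not from the book: the sample config and the checks are
constructed here to show how the list can be verified mechanically."""
import re
from collections import defaultdict

# Constructed sample PE config: meets some items and misses others on purpose.
SAMPLE_CONFIG = """\
aaa new-model
interface GigabitEthernet0/1
 ip vrf forwarding CUST_A
 ip verify unicast source reachable-via rx
interface GigabitEthernet0/2
 ip vrf forwarding CUST_B
router bgp 65000
 address-family ipv4 vrf CUST_A
  neighbor 10.1.1.2 remote-as 65001
  neighbor 10.1.1.2 password 7 0822455D0A16
  neighbor 10.1.1.2 maximum-prefix 100 80
  bgp dampening
 address-family ipv4 vrf CUST_B
  neighbor 10.2.2.2 remote-as 65002
mpls ldp neighbor 10.0.0.2 password 7 104D000A0618
snmp-server community monitor RO 20
snmp-server community admin RW
line vty 0 4
 access-class 10 in
 transport input ssh
line vty 5 15
 transport input telnet ssh
"""


def parse_sections(config):
    """Split config into (top-level line, [stripped indented child lines])."""
    sections = []
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if raw[0] != " ":
            sections.append((raw.strip(), []))
        elif sections:
            sections[-1][1].append(raw.strip())
    return sections


def audit_bgp(body):
    """PE-CE neighbors (inside VRF address-families) need MD5, max-prefix, dampening."""
    findings, vrf, dampened = [], None, set()
    options = defaultdict(set)          # (vrf, neighbor ip) -> configured keywords
    for line in body:
        if line.startswith("address-family"):
            m = re.match(r"address-family ipv4 vrf (\S+)", line)
            vrf = m.group(1) if m else None   # global / vpnv4 AFs are not PE-CE
        elif line == "bgp dampening" and vrf:
            dampened.add(vrf)
        elif vrf and (m := re.match(r"neighbor (\S+) (\S+)", line)):
            options[(vrf, m.group(1))].add(m.group(2))
    for (v, ip), opts in sorted(options.items()):
        if "password" not in opts:
            findings.append(f"BGP: neighbor {ip} in vrf {v} lacks MD5 ('neighbor {ip} password ...')")
        if "maximum-prefix" not in opts:
            findings.append(f"BGP: neighbor {ip} in vrf {v} lacks 'maximum-prefix'")
    for v in sorted({v for v, _ in options} - dampened):
        findings.append(f"BGP: vrf {v} lacks 'bgp dampening'")
    return findings


def audit(config):
    """Return a sorted list of checklist findings; an empty list means clean."""
    sections = parse_sections(config)
    top = {h for h, _ in sections}
    findings = []
    if "aaa new-model" not in top:
        findings.append("AAA: 'aaa new-model' missing; use AAA with central servers")
    if not any(h.startswith("mpls ldp neighbor") and " password " in h for h in top):
        findings.append("LDP: no 'mpls ldp neighbor ... password'; use MD5 for LDP in the core")
    for header, body in sections:
        if header.startswith("router bgp"):
            findings += audit_bgp(body)
        elif header.startswith("interface ") and any(l.startswith("ip vrf forwarding") for l in body):
            if not any(l.startswith("ip verify unicast source reachable-via") for l in body):
                findings.append(f"uRPF: {header} is a PE-CE link without 'ip verify unicast source reachable-via rx' (or 'any')")
        elif header.startswith("line vty"):
            if not any(l.startswith("access-class") for l in body):
                findings.append(f"VTY: {header} has no 'access-class' ACL")
            transport = next((l for l in body if l.startswith("transport input")), "")
            if transport != "transport input ssh":
                findings.append(f"VTY: {header} should use 'transport input ssh' only")
        elif header.startswith("snmp-server community"):
            parts = header.split()      # snmp-server community NAME [view V] RO|RW [ACL]
            if "RW" in parts[3:]:
                findings.append(f"SNMP: community '{parts[2]}' is read-write; use RO only")
            if parts[-1].upper() in ("RO", "RW"):
                findings.append(f"SNMP: community '{parts[2]}' has no source ACL")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Run against the sample, the audit reports eight findings, all on the deliberately weak parts (the CUST_B neighbor, the second VRF interface, the `admin` community and `line vty 5 15`), and each finding names the command that closes the gap. The CUST_A neighbor, `line vty 0 4` and the `monitor` community show the corrected form of each item. Checks for items the checklist states in operational rather than configuration terms (span of control, DMZ placement, CE-to-CE IPsec) are intentionally not attempted here.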

See Appendix A for a detailed configuration example of a provider edge router.

Figure 5-2 depicts the requisite best practice functions for each of the network components, such as P, PE, and CE.

Figure 5-2. Securing the MPLS Core
