A Checklist for Developing Defenses

Step

Description

Enforce border router security.

Apply strong access control lists, disable dangerous/unused services, and run a stable network operating system, using unicast RPF when applicable.

Multihome your network.

Utilize different ISPs to multihome when possible. If utilizing a single ISP, request that your circuits home to different aggregation routers in the ISP's network, if possible.

Secure BGP peering sessions.

Utilize MD5 passwords (hashes) and/or the BGP TTL hack to secure BGP sessions from attack and spoofing.

Monitor bandwidth utilization.

Monitor your bandwidth utilization, set thresholds that meet your business requirements, and upgrade before reliability becomes a problem.

Geographically distribute critical servers (and anycast).

Place critical applications/systems in topologically diverse locations, or utilize third-party outsource providers that have geographically diverse systems. Larger wide area networks may employ anycast.

Back up network device configurations.

Develop a backup plan/schedule, and copy configuration files of all routers, switches, and firewalls to a secure location for backup with other critical data. Additionally, encrypt stored configuration files (including passwords).

Develop hardware sparing plan.

Develop a sparing plan, purchase and stock the spares, and/or contract with your vendor to provide rapid parts replacement.
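
The border router and BGP items above can be checked mechanically against a saved device configuration. The following is an added example, not taken from the book: it assumes Cisco IOS-style syntax (`ip verify unicast`, `neighbor ... password`, `neighbor ... ttl-security`), uses a constructed sample configuration, and treats the short list of risky services as illustrative.

```python
import re

# Constructed sample in Cisco IOS-style syntax (assumption; RFC 5737 addresses).
SAMPLE = """\
interface GigabitEthernet0/0
 ip address 192.0.2.2 255.255.255.252
 ip verify unicast source reachable-via rx
interface GigabitEthernet0/1
 ip address 198.51.100.2 255.255.255.252
ip http server
router bgp 64500
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 password 7 <redacted>
 neighbor 198.51.100.1 remote-as 64497
"""
RISKY = {"ip http server", "service tcp-small-servers", "service udp-small-servers"}

def stanzas(config):  # returns (header, child_lines) per top-level stanza
    out = []
    for line in config.splitlines():
        if line.strip() in ("", "!"):
            continue
        if line[0].isspace() and out:
            out[-1][1].append(line.strip())
        else:
            out.append((line.strip(), []))
    return out

def audit(config):
    """Return (subject, finding) pairs for the checklist items checked here."""
    findings = []
    for header, body in stanzas(config):
        if header.startswith("interface ") and any(ln.startswith("ip address ") for ln in body):
            if not any(ln.startswith("ip verify unicast") for ln in body):
                findings.append((header.split()[1], "no unicast RPF"))
        elif header.startswith("router bgp "):
            peers = {}  # peer address -> set of options configured for it
            for ln in body:
                if m := re.match(r"neighbor (\S+) (\S+)", ln):
                    peers.setdefault(m.group(1), set()).add(m.group(2))
            for peer, opts in peers.items():
                if not opts & {"password", "ttl-security"}:
                    findings.append((peer, "no MD5 password or TTL security"))
        elif header in RISKY:
            findings.append((header, "service enabled"))
    return findings

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A missing unicast RPF line is a prompt for review rather than an automatic failure, since the checklist calls for it only "when applicable".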

Recommended Reading

  • National Security Agency's router and switch security hardening guidelines (http://www.nsa.gov/snac/)

  • BGP Security Risks and Countermeasures (http://www.nanog.org/mtg-0206/ppt/BGP-Risk-Assesment-v.5.pdf)

  • RFC 1546, Host Anycasting

  • RFC 1918, Address Allocation for Private Internets

  • Path MTU Discovery (http://www.netheaven.com/pmtu.html)

  • RFC 2196, Site Security Handbook

  • RFC 2827, Ingress Filtering Guidelines



Extreme Exploits. Advanced Defenses Against Hardcore Hacks
ISBN: 0072259558
Year: 2005
Pages: 120
