Step | Description |
---|---|
Enforce border router security. | Apply strong access control lists, disable dangerous/unused services, and run a stable network operating system, using unicast RPF when applicable. |
Multihome your network. | Utilize different ISPs to multihome when possible. If utilizing a single ISP, request that your circuits home to different aggregation routers in the ISP's network, if possible. |
Secure BGP peering sessions. | Utilize MD5 passwords (hashes) and/or the BGP TTL hack to secure BGP sessions from attack and spoofing. |
Monitor bandwidth utilization. | Monitor your bandwidth utilization, set thresholds that meet your business requirements, and upgrade before reliability becomes a problem. |
Geographically distribute critical servers (and anycast). | Place critical applications/systems in topologically diverse locations, or utilize third-party outsource providers that have geographically diverse systems. Larger wide area networks may employ anycast. |
Back up network device configurations. | Develop a backup plan/schedule, and copy configuration files of all routers, switches, and firewalls to a secure location for backup with other critical data. Additionally, encrypt stored configuration files (including passwords). |
Develop a hardware sparing plan. | Develop a sparing plan, purchase and stock the spares, and/or contract with your vendor to provide rapid parts replacement. |
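The border-router hardening, ingress filtering (RFC 1918/uRPF) and BGP peering-session steps above, combined into one illustrative Cisco IOS configuration. This is an added example, not configuration from the source; the interface names, AS numbers, addresses (all from documentation ranges) and the MD5 key placeholders are assumed.

```cisco
! Added illustrative Cisco IOS configuration, not from the source text.
! Assumed: uplinks Gi0/0 (ISP-A, peer 192.0.2.1, AS 64496) and Gi0/1 (ISP-B,
! peer 198.51.100.1, AS 64497), local AS 64500, public block 203.0.113.0/24.

! Disable services that a border router does not need to expose
no service tcp-small-servers
no service udp-small-servers
no ip finger
no ip bootp server
no ip source-route
no ip http server
no cdp run

! Ingress ACL: drop RFC 1918 sources and packets claiming to come from our
! own public block (both can only be spoofed when arriving from the Internet)
ip access-list extended BORDER-IN
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 permit ip any any

interface GigabitEthernet0/0
 description Uplink to ISP-A
 ip address 192.0.2.2 255.255.255.252
 ip access-group BORDER-IN in
 ! Loose-mode uRPF: drop packets whose source has no route in the FIB.
 ! Strict mode (reachable-via rx) is only safe on symmetrically routed links.
 ip verify unicast source reachable-via any

interface GigabitEthernet0/1
 description Uplink to ISP-B (second provider for multihoming)
 ip address 198.51.100.2 255.255.255.252
 ip access-group BORDER-IN in
 ip verify unicast source reachable-via any

router bgp 64500
 ! Per peer: an MD5 session key plus GTSM (the "BGP TTL hack").
 ! "ttl-security hops 1" rejects BGP packets whose TTL is below 254, so a
 ! segment that did not originate on the directly connected peer is dropped.
 neighbor 192.0.2.1 remote-as 64496
 neighbor 192.0.2.1 description ISP-A
 neighbor 192.0.2.1 password <MD5-KEY-A>
 neighbor 192.0.2.1 ttl-security hops 1
 neighbor 198.51.100.1 remote-as 64497
 neighbor 198.51.100.1 description ISP-B
 neighbor 198.51.100.1 password <MD5-KEY-B>
 neighbor 198.51.100.1 ttl-security hops 1
```

Both ends of each session must configure the same MD5 key and TTL security, so these settings have to be agreed with the ISP before they are applied.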
National Security Agency's router and switch security hardening guidelines (http://www.nsa.gov/snac/)
BGP Security Risks and Countermeasures (http://www.nanog.org/mtg-0206/ppt/BGP-Risk-Assesment-v.5.pdf)
RFC 1546, Host Anycasting
RFC 1918, Address Allocation for Private Internets
Path MTU Discovery (http://www.netheaven.com/pmtu.html)
RFC 2196, Site Security Handbook
RFC 2827, Ingress Filtering Guidelines