From: MMoniz (ccie2002@tampabay.rr.com)
Date: Thu Jun 24 2004 - 10:22:55 GMT-3
Geert, as you say, there is no 100% way to prevent asymmetrical routing. A lot can not only depend on the ISP but on what our end customers are doing with their routing as well.

We run this same scenario and were battling this when trying to use the FW feature set on the routers. While it worked for the most part we constantly had problems with FTP transfers, some HTTPS sites and other issues.

As per Cisco TAC recommendation we disabled all router security features, applied a typical internet ACL and then let our PIX handle all the security, along with IDS. While this does allow more traffic into the PIX, we have not had any issues. You didn't say if you have FWs behind your RTRs but I would assume you do.

The last thing we did was have our ISPs do BGP authentication to us. We also accept full routes which also helps with asymmetrical routing issues.

HTH
Mike
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com]On Behalf Of
Geert Nijs
Sent: Thursday, June 24, 2004 6:56 AM
To: ccielab@groupstudy.com
Subject: BGP redundancy and security
Hi group,

Suppose we have a redundant internet connection to two ISP providers in the following setup:

--- ISP A ---- ROUTER A (runs BGP) ---- INTERNAL NETWORK ----- ROUTER B (runs BGP) ---- ISP B

The problem I am having is: how to make sure that I don't have asymmetric routing (like I exit via router A, but come back via router B...). I don't think there really is a 100% accurate solution... (could use: AS path prepending, specific routes, MED, communities... but these can all be overruled by the ISPs...)

This asymmetric routing complicates my security:

- For anti-spoofing, I want to use the nifty new feature:
ip verify unicast reverse-path
--> This does not work in asymmetric environments...
Ok, here I can use an ACL to accomplish the same. (inbound ACL, deny my own internal networks)

- I want to protect myself from SYN attacks. Using
- reflexive access-lists
--> Will not work in an asymmetric environment...
- ip tcp intercept
--> Will not work in an asymmetric environment...
- I am stuck with the - not so secure - ACL:
permit tcp any any established

What other options do I have here?
Does anyone have experience with this scenario?

Regards,
Geert
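As an added illustration (not part of either post), here is a small Python model of the two-router setup Geert draws: it shows why the strict reverse-path check and a reflexive ACL on router B both reject a reply that left via router A, and also why a looser check that only requires the source to have some route (not mentioned in the thread) passes that reply but still admits a spoofed internal source, so the inbound ACL denying internal prefixes remains necessary. All addresses, interface names and routing tables below are constructed.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network

@dataclass
class Router:
    rib: dict                                 # constructed RIB: prefix -> egress interface
    reflex: set = field(default_factory=set)  # reflexive-ACL state held by THIS router only

    def egress_for(self, ip):
        """Longest-prefix match; returns the egress interface for ip, or None."""
        hits = [(ip_network(p), i) for p, i in self.rib.items() if ip_address(ip) in ip_network(p)]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None

    def urpf_ok(self, src, ingress, mode="strict"):
        """strict: the route back to src must leave via the ingress interface
        (the reverse-path check in the thread); loose: src merely needs some route."""
        egress = self.egress_for(src)
        return egress is not None if mode == "loose" else egress == ingress

    def outbound_syn(self, src, sport, dst, dport):
        """Outbound SYN evaluated by a reflexive ACL: remember the expected reply tuple."""
        self.reflex.add((dst, dport, src, sport))

    def reply_ok(self, src, sport, dst, dport):
        """Inbound reply passes only if this router saw the matching outbound flow."""
        return (src, sport, dst, dport) in self.reflex

def established_ok(tcp_flags):
    """'permit tcp any any established': any segment with ACK (or RST) set passes,
    whatever the connection state; that is why the thread calls it not so secure."""
    return "ACK" in tcp_flags or "RST" in tcp_flags

# Constructed topology: internal 10.0.0.0/24; the flow leaves via A, the reply returns via B.
# B prefers the path to 198.51.100.0/24 through the internal network (learned from A).
A = Router({"10.0.0.0/24": "inside", "0.0.0.0/0": "ispA"})
B = Router({"10.0.0.0/24": "inside", "198.51.100.0/24": "inside", "0.0.0.0/0": "ispB"})

def scenario():
    A.outbound_syn("10.0.0.5", 40000, "198.51.100.7", 443)
    reply = ("198.51.100.7", 443, "10.0.0.5", 40000)
    return {
        "strict_urpf_on_B": B.urpf_ok("198.51.100.7", "ispB"),            # False: dropped
        "loose_urpf_on_B": B.urpf_ok("198.51.100.7", "ispB", "loose"),    # True
        "loose_urpf_spoofed": B.urpf_ok("10.0.0.5", "ispB", "loose"),     # True: ACL still needed
        "reflexive_on_B": B.reply_ok(*reply),                              # False: no state on B
        "reflexive_on_A": A.reply_ok(*reply),                              # True
        "established_any_ack": established_ok({"ACK"}),                    # True
    }
```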
This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:49 GMT-3