Re: BGP redundancy and security

From: Godswill Oletu (oletu@inbox.lv)
Date: Thu Jun 24 2004 - 10:26:43 GMT-3


Try putting a distribute list and an access list on each BGP router
(Routers A & B). Let the access list on Router A deny the inclusion into
its routing table of all the networks Router B is advertising to the internet
via ISP A; then Router B will do the same for all of Router A's advertised
networks.

-Godswill
----- Original Message -----
From: "Geert Nijs" <geert.nijs@simac.be>
To: <ccielab@groupstudy.com>
Sent: Thursday, June 24, 2004 6:56 AM
Subject: BGP redundancy and security

> Hi group,
>
> Suppose we have a redundant internet connection to two ISP providers in
> the following setup:
>
> --- ISP A ---- ROUTER A (runs BGP) ---- INTERNAL NETWORK ----- ROUTER B (runs BGP) ---- ISP B
>
>
> The problem I am having is: how to make sure that I don't have asymmetric
> routing (like I exit via router A, but come back via router B...). I don't
> think there really is a 100% accurate solution... (could use: AS path
> prepending, specific routes, MED, communities... but these can all be
> overruled by the ISPs...)
>
> This asymmetric routing complicates my security:
>
> - For anti-spoofing, I want to use the nifty new feature:
> ip verify unicast reverse-path
>
> --> This does not work in asymmetric environments.
>
> OK, here I can use an ACL to accomplish the same (inbound ACL, deny my
> own internal networks).
>
>
> - I want to protect myself from SYN attacks. Using
> - reflexive access-lists
> --> Will not work in an asymmetric environment.
>
> - ip tcp intercept
> --> Will not work in an asymmetric environment.
>
> - I am stuck with the (not so secure) ACL:
> permit tcp any any established
>
> What other options do I have here?
>
> Has anyone experience with this scenario ?
>
> Regards,
> Geert
>
> #####################################################################################
> This e-mail and any attached files are confidential and may be legally privileged.
> If you are not the addressee, any disclosure, reproduction, copying, distribution,
> or other dissemination or use of this communication is strictly prohibited.
> If you have received this transmission in error please notify Simac immediately
> and then delete this e-mail.
>
> Simac has taken all reasonable precautions to avoid viruses in this email.
> Simac does not accept liability for damage by viruses, for the correct and complete
> transmission of the information, nor for any delay or interruption of the transmission,
> nor for damages arising from the use of or reliance on the information.
>
> All e-mail messages addressed to, received or sent by Simac or Simac employees
> are deemed to be professional in nature. Accordingly, the sender or recipient of
> these messages agrees that they may be read by other Simac employees than the official
> recipient or sender in order to ensure the continuity of work-related activities
> and allow supervision thereof.
>
> #####################################################################################
>
> _______________________________________________________________________
> Please help support GroupStudy by purchasing your study materials from:
> http://shop.groupstudy.com
>
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html



This archive was generated by hypermail 2.1.4 : Sat Jul 03 2004 - 19:40:49 GMT-3