In this chapter, we recommend security measures for every router and progress to customer
edge, core infrastructure, and provider edge security mechanisms. The reader will find a full
provider edge configuration example in Appendix A with a clarification of key security
In any network, security considerations devolve into essentially two sets of two types of
issues. The first set concerns the nature of the compromise, which can be either accidental
or deliberate. Compromises are either of the following:
• Accidental—Problems that occur due to misconfigurations or anticipated changes in
the network
• Deliberate—Attacks by some entity bent on causing havoc
The risk factors of these compromises are either external (issues driven by events external
to the network in question) or internal (problems sourced from within the network itself).
The second set concerns the methods used to accomplish the compromises. Most
security-related problems fall into two categories:
• Denial of Service (DoS)—These events may be intentional or accidental.
• Reconnaissance and intrusion—These issues by definition are intentional.
It is essential to harden the network components and the entire system to minimize the
likelihood of any of these scenarios. However, as with all resource-consuming features,
you must strike a balance between maximizing security and offering the performance
and usability the service is intended to provide. Clearly, a completely disconnected
host or router has total security; however, its ability to forward data or provide services
is substantially compromised.