Chapter 5
Security Recommendations
In this chapter, we recommend security measures that apply to every router and then progress to customer
edge, core infrastructure, and provider edge security mechanisms. The reader will find a full
provider edge configuration example in Appendix A, with the key security-related settings
explained.
In any network, security considerations devolve into essentially two areas of focus. The
first area is the compromises themselves, which can be either accidental or deliberate. Accidental
compromises can occur as a result of misconfigurations or of anticipated changes in the
network. Alternatively, compromises can be deliberate, such as attacks by some miscreant
entity determined to cause havoc. In either case, the risk vectors are either external, such
as issues driven by events external to the network in question, or internal, such as problems
that are sourced from within the network itself.
The methods used to accomplish the compromises are the second area of focus. In any network, most
security-related problems fall into the categories of Denial of Service (DoS) or intrusion.
In summary, security considerations devolve into essentially two sets of two types of
issues. Compromises are either of the following:
Accidental—Problems that occur due to misconfigurations or anticipated changes in
the network
Deliberate—Attacks by some entity bent on causing havoc
The risk factors of these compromises are either external (issues driven by events external
to the network in question) or internal (problems sourced from within the network itself).
Additionally, most security-related problems fall into two categories:
Denial of Service (DoS)—These events may be intentional or accidental.
Reconnaissance—These issues by definition are intentional.
It is essential to harden the network components and the entire system to minimize the
likelihood of any of these scenarios. However, as with all resource-consuming features,
you must strike a balance between maximizing security and offering the performance
and usability the service is intended to provide. Clearly, a completely disconnected
host or router has total security; however, its ability to forward data or provide services
is substantially compromised.