Best Practices Common to Both IPv4 and IPv6

For both protocol stacks, the following recommended best practices are a great place to start your network configuration:


• Physical security: Keep the room where the router is housed free from electrostatic and magnetic interference. It should also be temperature and humidity controlled. Access to that physical room should be controlled and logged. Redundant power feeds into the routers are part of this as well.

• Device hardening: Disable services, features, and interfaces that are not in use. You learned about this concept in an earlier chapter with regard to Cisco Configuration Professional (CCP). A great reference for these best practices is the Cisco Guide to Harden Cisco IOS Devices (http://www.cisco.com/c/en/us/support/docs/ip/access-lists/13608-21.html).

• Control access between zones: Enforce a security policy that clearly identifies which packets are allowed between networks. This can be done with simple access list controls or with more advanced controls such as stateful inspection, which leverages firewall features on a router or a dedicated firewall appliance; all of these are covered extensively in other chapters in this book.

• Routing protocol security: Use authentication with routing protocols to help stop rogue devices from abusing the information carried in routing updates between your routers. You can find more information on this topic in Chapter 13, “Securing Routing Protocols and the Control Plane.”

• Authentication, authorization, and accounting (AAA): Require AAA so that you know exactly who is accessing your systems, when they are accessing them, and what they are doing. You learned about AAA in earlier chapters. Network Time Protocol (NTP) is critical to ensuring that log time stamps reflect reality. Check log files periodically. All management protocols should be protected with cryptographic services. Secure Shell (SSH) and Hypertext Transfer Protocol Secure (HTTPS) provide these natively; if Telnet or HTTP must be used, place them inside an encrypted virtual private network (VPN) tunnel to meet this requirement.

• Mitigating DoS attacks: Denial of service refers to willful attempts to prevent legitimate users from accessing the resources they intend to use. Although no complete solution exists, administrators can do specific things to protect the network from a DoS attack, to lessen its effects, and to prevent a would-be attacker from using one of your systems as the source of an attack directed at other systems. These mitigation techniques include filtering packets with bogus (spoofed) source IP addresses as they enter the network, and likewise filtering such packets as they leave it. Unicast reverse path verification is one way to assist with this, as are access lists. Unicast reverse path verification takes the source IP address of a packet arriving on an interface and looks it up in the routing table. If the route back to that source address would not leave through the same interface the packet arrived on, the packet is considered bad, potentially spoofed, and is dropped.

• Have and update a security policy: A security policy should be referenced, and possibly updated, whenever major changes occur to administrative practices, procedures, or staff. If new technologies are implemented, such as a new VPN or a new application that uses protocols your current security policy does not allow, that is another reason to revisit the security policy. A security policy might also need to be updated after a significant attack on or compromise of the network has been discovered.
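The reverse-path check described under "Mitigating DoS attacks" is easy to misunderstand until you trace a few packets through it. The following simulation is an added example, not code from the book or from Cisco IOS: it implements the strict check (the longest-prefix route back to the source must exit through the ingress interface) alongside a simple ingress access list that drops private-range sources arriving on the outside interface. The routing table, interface names, and packets are all constructed for illustration; because Python's ipaddress module is version-agnostic, the same logic covers both IPv4 and IPv6 entries.

```python
"""Strict unicast reverse-path check plus an ingress anti-spoofing filter.

Added example, not from the book. The routing table, interface names and
packets are constructed; the check itself mirrors the text's description.
"""
import ipaddress

# Constructed routing table: (prefix, egress interface). Longest prefix wins.
ROUTING_TABLE = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),      # internal LAN
    (ipaddress.ip_network("10.1.5.0/24"), "Gi0/2"),      # more specific internal subnet
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/0"),     # provider-facing link (TEST-NET-1)
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),        # IPv4 default route to the Internet
    (ipaddress.ip_network("2001:db8:1::/48"), "Gi0/1"),  # internal IPv6 prefix (documentation range)
    (ipaddress.ip_network("::/0"), "Gi0/0"),             # IPv6 default route to the Internet
]

# Constructed ingress ACL for the outside interface: private (RFC 1918) space
# can never legitimately arrive from the Internet.
OUTSIDE_IFACE = "Gi0/0"
BOGUS_OUTSIDE_SOURCES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def lookup_egress(addr: str):
    """Return the egress interface for addr by longest-prefix match, or None."""
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, iface in ROUTING_TABLE:
        # 'in' returns False across address families, so v4/v6 entries can mix.
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best[1] if best else None


def strict_urpf_allows(src: str, ingress_iface: str) -> bool:
    """Strict mode: the route back to the source must leave via the ingress interface."""
    return lookup_egress(src) == ingress_iface


def outside_acl_allows(src: str, ingress_iface: str) -> bool:
    """Stateless ingress filter: drop sources that cannot originate outside."""
    if ingress_iface != OUTSIDE_IFACE:
        return True
    ip = ipaddress.ip_address(src)
    return not any(ip in net for net in BOGUS_OUTSIDE_SOURCES)


def evaluate(src: str, ingress_iface: str) -> str:
    """Apply the ACL first (cheap, explicit), then the reverse-path check."""
    if not outside_acl_allows(src, ingress_iface):
        return "drop: bogus source on outside interface"
    if not strict_urpf_allows(src, ingress_iface):
        return "drop: reverse path mismatch"
    return "forward"


if __name__ == "__main__":
    # Constructed sample packets: (source address, ingress interface).
    samples = [
        ("10.1.7.7", "Gi0/1"),          # legitimate inside host
        ("198.51.100.4", "Gi0/0"),      # legitimate Internet host (TEST-NET-2)
        ("10.1.7.7", "Gi0/0"),          # private source spoofed from outside: ACL
        ("198.51.100.4", "Gi0/1"),      # inside host spoofing an outside source: uRPF
        ("10.1.5.7", "Gi0/1"),          # asymmetric routing: best route is via Gi0/2
        ("2001:db8:1::10", "Gi0/0"),    # our own IPv6 prefix arriving from outside: uRPF
    ]
    for src, iface in samples:
        print(f"{src:>16} in {iface}: {evaluate(src, iface)}")
```

Two caveats fall out of the trace. The source 10.1.5.7 arriving on Gi0/1 is dropped even though it is a real inside host, because strict mode assumes symmetric routing; where paths are asymmetric, the loose variant (only require that some route to the source exists) is the usual compromise. And on the outside interface the default route sends every unknown source back out Gi0/0, so strict mode there passes almost everything; that is why the explicit access list for bogus source ranges complements it rather than duplicating it.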
