After a security incident, a network security engineer discovers that a portion of the company's sensitive external traffic has been redirected through a secondary ISP that is not normally used.
Which of the following would BEST secure the routes while allowing the network to function in the event of a single provider failure?
Click on the arrows to vote for the correct answer
A. B. C. D.B.
In this scenario, the company's sensitive external traffic has been redirected through a secondary ISP that is not normally used, indicating a potential compromise of the company's network. To secure the routes while allowing the network to function in the event of a single provider failure, the network security engineer has several options:
A. Disable BGP and implement a single static route for each internal network: Disabling Border Gateway Protocol (BGP) and implementing a single static route for each internal network is not a viable option because it will limit network scalability and redundancy. Moreover, a single static route for each network is not flexible enough to handle complex network topologies. This option is not a recommended solution.
B. Implement a BGP route reflector: BGP route reflector is a mechanism that reduces the amount of full-mesh iBGP (internal BGP) peerings, which can be beneficial for scalability and reduces BGP convergence times. However, a route reflector alone does not provide any additional security benefits, and it cannot secure the routes from a compromised ISP.
C. Implement an inbound BGP prefix list: Implementing an inbound BGP prefix list allows a network operator to filter the prefixes received from a specific ISP, which can be beneficial in securing the routes. By using an inbound BGP prefix list, a network security engineer can limit the prefixes received from the secondary ISP and allow only trusted prefixes to be installed in the routing table. However, an inbound BGP prefix list is not a complete solution, as it can only filter prefixes based on their source and not on their content.
D. Disable BGP and implement OSPF: Disabling BGP and implementing Open Shortest Path First (OSPF) is not a viable solution for securing the routes in a multi-homed environment. OSPF is an interior gateway protocol that is designed for single-homed networks, and it cannot handle multiple paths to the same destination. Additionally, OSPF is not designed to handle external routing information.
In summary, the BEST solution for securing the routes while allowing the network to function in the event of a single provider failure is to implement an inbound BGP prefix list (Option C). While it is not a complete solution, it can help to filter the prefixes received from the compromised ISP and allow only trusted prefixes to be installed in the routing table.