The solution and the benefits
The approach used to cover all the security aspects of an ISP is to divide the network into separate layers and, within each layer, apply the protection methods specific to it:
Securing the control layer: This layer consists of the signaling traffic and the routing protocols inside the service provider's network and on the connections to clients and peers. Some of the security measures to consider for the control layer are filtering BGP routes on connections to clients and to other ISP peers, controlling the exchange of routes between eBGP and iBGP, controlling and monitoring the routing tables, authenticating routing protocol sessions, enabling BGP dampening to avoid the effects of route flapping, enforcing the TTL of BGP packets, securing the IGP and LDP, and limiting the rate of ICMP messages to protect against DoS attacks, among others.
Securing the management layer: The management and administration layer is important for securing access to the devices. Some of the important items to consider are disabling unused services, enabling password encryption, configuring user types appropriately, enabling encrypted protocols such as SSH, enabling AAA on the devices using RADIUS or TACACS+ servers, and enabling NTP, SNMP, message logging and out-of-band access, among other things.
Securing the data layer: The data layer covers the packets sent from and to the ISP's clients. This is traffic that should not be routed to the devices in the internal network. Some of the things to consider are anti-spoofing access lists, access lists that filter the networks defined in RFC 1918, access lists that prevent clients from reaching the infrastructure devices, and access lists that classify the types of traffic, among others.
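The control-layer route filtering and the data-layer access lists described above both come down to prefix-membership decisions made at the ISP edge. The following Python block is an added example, not part of the original article or any vendor's software: it models a customer-facing edge router's policy in software, with the control-plane side (rejecting RFC 1918 and infrastructure prefixes, over-specific announcements, prefixes the customer is not registered for, and sessions that exceed a maximum-prefix limit) and the data-plane side (dropping RFC 1918 sources, packets aimed at the infrastructure block, and spoofed customer sources). The customer prefix, infrastructure block, prefix-length and prefix-count limits are all constructed sample values chosen for the example.

```python
import ipaddress

# All addresses and limits below are constructed sample values for this
# example (documentation ranges stand in for real customer and ISP space).
RFC1918 = [ipaddress.ip_network(p) for p in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CUSTOMER_PREFIXES = {                     # prefixes each customer may announce or source
    "customer-a": [ipaddress.ip_network("203.0.113.0/24")],
}
INFRA_PREFIX = ipaddress.ip_network("198.51.100.0/24")  # hypothetical ISP router/link block
MAX_PREFIX_LEN = 24                       # longest IPv4 announcement accepted from a customer
MAX_PREFIX_COUNT = 100                    # hypothetical per-session maximum-prefix limit


def _covered(net, nets):
    """True if `net` lies entirely inside one of `nets`."""
    return any(net.subnet_of(n) for n in nets)


def filter_customer_route(customer, prefix):
    """Control-plane check for one eBGP prefix received from a customer session.
    Returns (accept, reason); the first failing rule decides."""
    net = ipaddress.ip_network(prefix, strict=False)
    if any(net.overlaps(n) for n in RFC1918):
        return False, "rfc1918"           # private space must never enter the table
    if net.prefixlen > MAX_PREFIX_LEN:
        return False, "too-specific"      # blocks table bloat and more-specific hijacks
    if net.overlaps(INFRA_PREFIX):
        return False, "infrastructure"    # a customer may not announce the ISP's own space
    if not _covered(net, CUSTOMER_PREFIXES.get(customer, [])):
        return False, "not-registered"    # only the customer's assigned prefixes are accepted
    return True, "ok"


def filter_customer_session(customer, prefixes):
    """Apply the per-prefix filter and the maximum-prefix limit to a whole received
    table. An over-limit session is treated as torn down: every prefix is rejected."""
    if len(prefixes) > MAX_PREFIX_COUNT:
        return {p: (False, "max-prefix-exceeded") for p in prefixes}
    return {p: filter_customer_route(customer, p) for p in prefixes}


def filter_packet(src, dst, ingress):
    """Data-plane check for one packet arriving on an edge interface.
    `ingress` is a customer name or "peer". Returns (forward, reason)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in n for n in RFC1918):
        return False, "bogon-source"      # RFC 1918 sources are dropped at the edge
    if d in INFRA_PREFIX:
        return False, "infrastructure-acl"  # edge traffic may not reach ISP devices
    if ingress in CUSTOMER_PREFIXES and not any(s in n for n in CUSTOMER_PREFIXES[ingress]):
        return False, "spoofed-source"    # strict anti-spoofing on customer ports
    return True, "forward"


def evaluate_packets(packets):
    """Run the data-plane filter over (src, dst, ingress) tuples; returns the reasons."""
    return [filter_packet(*p)[1] for p in packets]


if __name__ == "__main__":
    routes = ["203.0.113.0/24", "203.0.113.0/25", "192.168.1.0/24",
              "198.51.100.0/24", "192.0.2.0/24"]
    for p, (ok, why) in filter_customer_session("customer-a", routes).items():
        print(f"route  {p:18} {'accept' if ok else 'reject'} ({why})")
    packets = [("203.0.113.7", "192.0.2.10", "customer-a"),
               ("10.1.1.1", "192.0.2.10", "customer-a"),
               ("203.0.113.7", "198.51.100.1", "customer-a"),
               ("192.0.2.5", "203.0.113.9", "customer-a"),
               ("192.0.2.5", "203.0.113.9", "peer")]
    for pkt, why in zip(packets, evaluate_packets(packets)):
        print(f"packet {pkt[0]:>14} -> {pkt[1]:<14} via {pkt[2]:10} {why}")
```

The rule order matters: the bogon and infrastructure checks run before the per-customer checks so that a customer cannot bypass them by registering a wider prefix, and on the data plane the anti-spoofing rule is only applied on customer ports, since a peer legitimately forwards traffic from many sources.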
Each service provider has its own particular set of implementations; there is no single solution for securing the network. These solutions must be analyzed on the basis of experience and established best practices.