Details
Logging changes to BGP peering relationships is recommended.
Rationale:
Any logged change will, in the best case, indicate a service issue caused by ordinary operational problems (loss of connectivity and so on) or, in the worst case, indicate malicious activity attempting to subvert the peering relationship and/or the routing table.
Solution
In each ‘neighbor’ stanza of the BGP configuration, add the command ‘log-neighbor-changes’:
switch(config)# router bgp <asn>
switch(config-router)# router-id <router-id>
switch(config-router)# neighbor <neighbor-ip>
switch(config-router-neighbor)# remote-as <remote-asn>
switch(config-router-neighbor)# log-neighbor-changes
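To audit this control across a device rather than eyeballing each stanza, the following added Python example (not part of this page or of any Cisco tooling) parses the text of `show running-config bgp` and reports every neighbor stanza, including those nested under a `vrf` block, that lacks `log-neighbor-changes`. It assumes NX-OS's indented running-config layout; the configuration text, AS numbers, addresses and VRF name are constructed for illustration. It checks only the per-neighbor form prescribed above and does not credit a `log-neighbor-changes` placed directly under `router bgp`.

```python
import re

# Constructed sample of `show running-config bgp` output (not a real device
# capture). Neighbor 10.10.10.12 and the VRF neighbor lack the command.
SAMPLE_BGP_CONFIG = """\
router bgp 65001
  router-id 10.0.0.1
  neighbor 10.10.10.11
    remote-as 65002
    log-neighbor-changes
    address-family ipv4 unicast
  neighbor 10.10.10.12
    remote-as 65003
    address-family ipv4 unicast
  vrf CUST-A
    neighbor 192.0.2.9
      remote-as 65010
      address-family ipv4 unicast
"""


def _indent(line):
    """Number of leading spaces; NX-OS nests child commands by indentation."""
    return len(line) - len(line.lstrip(" "))


def audit_log_neighbor_changes(config_text):
    """Return {(vrf, neighbor): has_logging} for every neighbor stanza.

    A stanza is the `neighbor` line plus all following lines indented
    deeper than it; the VRF context is tracked from enclosing `vrf` blocks.
    """
    lines = [l.rstrip() for l in config_text.splitlines() if l.strip()]
    results = {}
    current_vrf = "default"
    vrf_indent = None
    i = 0
    while i < len(lines):
        line = lines[i]
        ind = _indent(line)
        stripped = line.strip()
        # Leaving a vrf block once indentation returns to or above its level.
        if vrf_indent is not None and ind <= vrf_indent:
            current_vrf = "default"
            vrf_indent = None
        m_vrf = re.match(r"vrf\s+(\S+)$", stripped)
        if m_vrf:
            current_vrf = m_vrf.group(1)
            vrf_indent = ind
            i += 1
            continue
        # Matches both `neighbor X` and the one-line `neighbor X remote-as Y`.
        m_nbr = re.match(r"neighbor\s+(\S+)", stripped)
        if m_nbr:
            neighbor = m_nbr.group(1)
            has_logging = False
            j = i + 1
            while j < len(lines) and _indent(lines[j]) > ind:
                if lines[j].strip() == "log-neighbor-changes":
                    has_logging = True
                j += 1
            results[(current_vrf, neighbor)] = has_logging
            i = j
            continue
        i += 1
    return results


def neighbors_missing_logging(config_text):
    """Sorted list of (vrf, neighbor) pairs that fail the control."""
    return sorted(k for k, ok in audit_log_neighbor_changes(config_text).items()
                  if not ok)


if __name__ == "__main__":
    for vrf, nbr in neighbors_missing_logging(SAMPLE_BGP_CONFIG):
        print(f"FAIL: vrf {vrf} neighbor {nbr} lacks log-neighbor-changes")
```

Feed the function the captured output of `show running-config bgp` from each device (for example, collected over SSH by whatever inventory tooling is already in use); an empty result means every neighbor stanza carries the command.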
In addition, configure the logging or SIEM solution to raise an alert for investigation on the events below. A good keyword to alert on is ‘ADJCHANGE’, which is emitted both when a peer comes up and when it goes down; the Down message also carries the reason (here, an expired hold timer).
2020 May 20 11:54:18 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Up
2020 May 20 13:08:15 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Down - sent: holdtimer expired error
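The following added Python example (not from this page or from any vendor SIEM content) shows the detection logic a practitioner would deploy for the message format above: it parses %BGP-5-ADJCHANGE lines into structured fields (host, VRF, neighbor, state, reason), ignores other syslog messages, and raises one alert per event as recommended. As an added heuristic that goes beyond the page, it also flags a neighbor as flapping when it goes Down repeatedly within a short window, since a peer that keeps losing its hold timer deserves a closer look. The sample lines are constructed; the first two reproduce the messages shown above, the rest reuse the same hostname and neighbor.

```python
import re
from datetime import datetime, timedelta

# Constructed sample syslog text modelled on the NX-OS format above; not a
# real device capture. The third line is unrelated noise the detector must skip.
SAMPLE_SYSLOG = """\
2020 May 20 11:54:18 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Up
2020 May 20 13:08:15 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Down - sent: holdtimer expired error
2020 May 20 13:08:20 CISNXOS9 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on 192.0.2.50@pts/0
2020 May 20 13:09:01 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Up
2020 May 20 13:12:44 CISNXOS9 %BGP-5-ADJCHANGE: bgp- [7984] (default) neighbor 10.10.10.11 Down - sent: holdtimer expired error
"""

# Field layout follows the two messages shown on the page; the dash before the
# reason is accepted as either a hyphen or an en dash to survive copy/paste.
ADJCHANGE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%BGP-5-ADJCHANGE: bgp- \[(?P<pid>\d+)\] \((?P<vrf>[^)]+)\) "
    r"neighbor (?P<neighbor>\S+) (?P<state>Up|Down)"
    r"(?:\s*[-\u2013]\s*(?P<reason>.*))?$"
)


def parse_adjchange(line):
    """Return a dict of fields for an ADJCHANGE line, or None for anything else."""
    m = ADJCHANGE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y %b %d %H:%M:%S")
    event["reason"] = event["reason"] or ""
    return event


def adjchange_alerts(syslog_text, flap_window=timedelta(minutes=10), flap_threshold=2):
    """Return one alert dict per ADJCHANGE event, in log order.

    Every event is an alert, as the page recommends. An event is additionally
    marked flapping=True when the same (host, vrf, neighbor) went Down at least
    `flap_threshold` times within `flap_window` (added heuristic, not from the page).
    """
    events = [e for e in (parse_adjchange(l) for l in syslog_text.splitlines()) if e]
    downs = {}  # (host, vrf, neighbor) -> timestamps of recent Down events
    alerts = []
    for e in events:
        key = (e["host"], e["vrf"], e["neighbor"])
        flapping = False
        if e["state"] == "Down":
            recent = [t for t in downs.get(key, []) if e["ts"] - t <= flap_window]
            recent.append(e["ts"])
            downs[key] = recent
            flapping = len(recent) >= flap_threshold
        alerts.append({
            "ts": e["ts"], "host": e["host"], "vrf": e["vrf"],
            "neighbor": e["neighbor"], "state": e["state"],
            "reason": e["reason"], "flapping": flapping,
        })
    return alerts


if __name__ == "__main__":
    for a in adjchange_alerts(SAMPLE_SYSLOG):
        tag = " FLAPPING" if a["flapping"] else ""
        print(f"{a['ts']} {a['host']} vrf={a['vrf']} neighbor={a['neighbor']} "
              f"{a['state']}{tag} {a['reason']}".rstrip())
```

In a SIEM the same logic maps onto a rule that matches the literal string ‘ADJCHANGE’ and a correlation search counting Down events per neighbor over the window; the parsed `reason` field is what lets an analyst separate an expired hold timer from, say, an administrative shutdown or a notification sent by the far end.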
Default Value:
Not enabled
Supportive Information
The following resource is also helpful.
This security hardening control applies to the following category of controls within NIST 800-53: Configuration Management. This control applies to the following type of system: Cisco.