Date: Sat, 21 Aug 1999 17:07:40 +0200 (CEST)
From: N <niels@bakker.net>
To: Evren Yurtesen <yurtesen@ispro.net.tr>
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: multiple machines in the same network
Message-ID: <9908211658400.22597-100000@liquid.tpb.net>
In-Reply-To: <37BDA7A6.D999F103@ispro.net.tr>

> We are an ISP and we want to let our customers put their own hardware
> into our network. But the thing we are concerned about is security of
> course. How can we protect our system from customers' machines?

Buy another Ethernet port for the router that connects to the leased line to your upstream, hang a subnet off it and only attach customers there. Don't let them or their machines come anywhere near yours. Be especially wary of routing protocols. Build access lists with a vengeance.

Separate rooms are preferred. UUnet do it nicely: at MAE-East (the only place I have experience with this) you get a swipe card that gets you into the building, plus another card that gets you into the colo room. All 19" racks are locked (well, most of them :), you can't reach the next one from inside its neighbour as well. You get one key, another is kept locked away by UUnet personnel in case you want them to do `remote-hands' service on your hardware (i.e. powercycle it) or a telco has to connect new infrastructure etc.

The disadvantage of it is that it eats space and costs increase due to the additional physical security requirements. You will have to decide whether that'll be worth it over only allowing supervised access to co-located machines. FWIW, we do the latter, with 24h remote-hands service for customers who want that (and want to pay for it :).

HTH,

-- 
Niels.
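
Added example, not part of the original message: one way the "separate subnet plus access lists" advice above could look on the router, assuming it is a FreeBSD box filtering with ipfw (the message does not say what the router runs). The interface name, the addresses and the rule numbers are constructed placeholders; the script only prints the rules unless IPFW=ipfw is set.

```shell
#!/bin/sh
# Added example (not from the original message): ipfw rules for a
# dedicated customer co-location subnet. All values below are
# constructed placeholders; replace them with your own.
COLO_IF="${COLO_IF:-fxp2}"            # router port facing the colo subnet
COLO_NET="${COLO_NET:-192.0.2.0/28}"  # addresses assigned to customers
ISP_NETS="${ISP_NETS:-198.51.100.0/24 203.0.113.0/24}"  # ISP's own nets
IPFW="${IPFW:-echo ipfw}"             # dry run by default; IPFW=ipfw applies

colo_rules() {
    n=1000
    # Emit one numbered rule and advance the rule number.
    rule() { $IPFW add "$n" "$@"; n=$((n + 10)); }

    # Anti-spoofing: only the assigned colo addresses may appear as a
    # source address on the colo port.
    rule deny log ip from not "$COLO_NET" to any in recv "$COLO_IF"

    # Routing protocols: never accept RIP (udp/520), OSPF (IP protocol 89)
    # or BGP sessions to the router (tcp/179) from customer machines.
    rule deny log udp from any to any 520 in recv "$COLO_IF"
    rule deny log 89 from any to any in recv "$COLO_IF"
    rule deny log tcp from any to me 179 in recv "$COLO_IF"

    # Keep customer machines away from the ISP's own networks. Services
    # customers must reach there (DNS, mail relay) need explicit allow
    # rules numbered below 1000.
    for net in $ISP_NETS; do
        rule deny log ip from any to "$net" in recv "$COLO_IF"
    done

    # Everything else from the colo subnet goes out normally.
    rule allow ip from "$COLO_NET" to any in recv "$COLO_IF"
}

colo_rules
```

Review the printed rules against the existing ruleset before applying them, since ipfw evaluates rules in numeric order and the first match wins.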