Date: Sat, 21 Aug 1999 17:07:40 +0200 (CEST)
From: N
X-Sender: niels@liquid.tpb.net
To: Evren Yurtesen
Cc: freebsd-isp@FreeBSD.ORG
Subject: Re: multiple machines in the same network
In-Reply-To: <37BDA7A6.D999F103@ispro.net.tr>
Message-ID: <9908211658400.22597-100000@liquid.tpb.net>

> We are an ISP and we want to let our customers put their own hardware
> into our network. But the thing we are concerned about is security of
> course. How can we protect our system from customers' machines?

Buy another Ethernet port for the router that connects to the leased line to your upstream, hang a subnet off it and only attach customers there. Don't let them or their machines come anywhere near yours. Be especially wary of routing protocols. Build access lists with a vengeance.

Separate rooms are preferred. UUnet do it nicely: at MAE-East (the only place I have experience with this) you get a swipe card that gets you into the building, plus another card that gets you into the colo room. All 19" racks are locked (well, most of them :), and you can't reach the next one from inside its neighbour either. You get one key; another is kept locked away by UUnet personnel in case you want them to do `remote-hands' service on your hardware (i.e. powercycle it) or a telco has to connect new infrastructure etc.

The disadvantage is that it eats space and costs increase due to the additional physical security requirements. You will have to decide whether that'll be worth it over only allowing supervised access to co-located machines. FWIW, we do the latter, with 24h remote-hands service for customers who want that (and want to pay for it :).

HTH,

-- Niels.
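The "separate port, own subnet, access lists, wary of routing protocols" advice above, turned into a concrete FreeBSD ipfw ruleset. This is an added example, not part of the original message; the interface name (fxp1), the customer and infrastructure prefixes and the router address are constructed placeholders to substitute with your own. The function only prints the `ipfw add` commands so the result can be reviewed before it is piped into `sh` on the router.

```shell
#!/bin/sh
# Added example: generate ipfw rules that keep a customer colo segment
# away from the ISP's own subnet and keep customer boxes from talking
# routing protocols to the router. Names below are constructed, not real.

# Usage: customer_segment_rules <customer_iface> <customer_net> <infra_net> <router_ip>
# Prints "ipfw add ..." lines to stdout; review them, then pipe into sh to apply.
customer_segment_rules() {
    cust_if=$1; cust_net=$2; infra_net=$3; router_ip=$4
    n=1000
    # Emit one numbered rule; numbering in steps of 100 leaves room for local additions.
    emit() { echo "ipfw add $n $*"; n=$((n + 100)); }

    # Anti-spoofing: a packet arriving on the customer port must carry a customer source.
    emit "deny log ip from not $cust_net to any in via $cust_if"
    # Customer machines never reach the infrastructure subnet at all.
    emit "deny log ip from $cust_net to $infra_net in via $cust_if"
    # Routing protocols from the customer side are dropped before they reach the router:
    emit "deny log udp from $cust_net to any 520 in via $cust_if"          # RIPv1/v2
    emit "deny log ospf from $cust_net to any in via $cust_if"             # OSPF (IP proto 89)
    emit "deny log tcp from $cust_net to $router_ip 179 in via $cust_if"   # BGP sessions to the router
    # Everything else from customers goes out toward the upstream, and replies come back.
    emit "allow ip from $cust_net to any in via $cust_if"
    emit "allow ip from any to $cust_net out via $cust_if"
}

# Stand-alone use: ./segment.sh fxp1 192.0.2.0/24 198.51.100.0/24 192.0.2.1
if [ $# -eq 4 ]; then
    customer_segment_rules "$@"
fi
```

The deny rules carry `log` so that any customer box that starts speaking RIP or OSPF, or probes the infrastructure subnet, shows up in the router's logs rather than failing silently; that is the cheapest early warning you get for a misconfigured or compromised colo machine.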