I have, after substantial reflection, a question that Brent may consider relevant
for the list (gentle poke, Brent, don't hit me :-):
I'm working with several small ISPs which have different requirements
from my commercial/industrial customers in that they have to maintain some level
of openness.
My question is this: Can any of the ISPs monitoring this list share with me the
hardening methodologies they use to secure their backbone and CPE while still
performing all necessary services to customers and allowing unrestricted traffic
flow between the Internet and customers (all the ISPs I work with have a policy
that security for customer networks is the responsibility of the customer)?
Most of it is common sense. Bastion hosts at the head-end are pretty much out,
and these providers are not in a position to afford lots of dedicated security
hosts. This means router and individual host hardening. I'm mostly curious
what protocols and services providers permit and deny to their backbone
equipment and specifically in cases (as with these small providers) where
individual dialup SLIP/PPP (implying POP3, remote news reading, etc.) is a major
component of service. If someone would be willing to share the benefit of their
experience in this area I'd appreciate it. The equipment I'm working with is
pretty much universally Cisco, Morning Star (EXPRESS routers), and lots of
Livingston stuff (as one might guess).
I'd be happy to summarize/post to the list if that's of interest.
Andy
|
|
