On Mon, 02 Jun 97 11:37:15 PDT Mariko Yashada <mariko @
<snip synopsis> - the idea of taking an ISP's word that
their leased line to you through a "private" router engaged
in their system is sufficient to hang the company jewels on
quite securely and without a firewall...
> My question is, how secure is this type of connection? How difficult is it
> for someone outside the ISP domain to discover and access our connection?
In my professional opinion, if an ISP salesman said that to
me, I'd ask him to bring his technical people along for a
discussion, where I'd ask them a whole series of techie
questions the answers to which would probably be not
satisfactory. That is because I work for a large integrated
organization. If I were in the same position in a large
private organization with as much value on the line as the
average government, I wouldn't bother that vendor with the
inquisition, I would find another ISP.
In my opinion, a firewall is NECESSARY in the loop with the
public internet. I wouldn't like to consider what might
happen without one.
a) You don't have enough contracting authority in the usual
arrangement with an ISP to ensure the proper steps are
always taken on your behalf.
b) You can't manage change control at all on their system.
c) You have no assurance of high priority action on your
behalf in the event of a breach of their security.
Strictly from a security management position, never mind
the technicalities, I don't think what your ISP is
proposing is what I would consider a good idea,
if I were in your shoes...
This is a personal, professional opinion.
Information Security Coordinator
Information Services Branch
Department of Government Services
Government of Yukon
Phone: (403) 667-8081
Fax: (403) 667-5304
Netmail: kwiat @