Re: [uknof] ISP Security architecture

2016-09-21 Thread John Bourke
James,

You hit the nail on the head there.

I was trying to avoid overkill.  In Telecoms networks you would have

Management plane
Control/Signalling plane
User/Data plane

Usually these are separated at SDH or ATM level as separate VCs.

The Enterprise view would be to physically separate networks

Internet
DMZ
Core

But in an ISP you are not going to build a physical separate network.

Then the private cloud view is that all of these are together, separated by 
network and server virtualisation.

I think the danger is trying to use Enterprise models for Service Providers, 
where even those Enterprise models are blurring.

Thanks

John

-Original Message-
From: uknof [mailto:uknof-boun...@lists.uknof.org.uk] On Behalf Of James Bensley
Sent: 21 September 2016 09:38
To: uknof@lists.uknof.org.uk
Subject: Re: [uknof] ISP Security architecture

On 15 September 2016 at 11:46, John Bourke <john.bou...@mobileinternet.com> wrote:
> Hi,
>
> Touchy subject, but can anyone share some war stories about how they
> keep raw Internet traffic away from ISP operational systems, which by
> definition need to talk to the equipment which carries that Internet traffic.


I'm not 100% certain of what you are looking for here but if you search through 
the list archives for the c-nsp and j-nsp mailing lists (others too I'm sure) 
you'll see many discussions about ISPs moving the Internet into a dedicated 
L3VPN.

In that example keeping the internet traffic in a dedicated L3VPN and say 
having a separate dedicated L3VPN for management traffic segregates the two 
traffic types but the NMS/OSS/BSS systems still have access to the routers (if 
you configure them to allow management access from within that management 
L3VPN).

I’m not sure where the horror stories fit in to this that specifically relate 
to the Internet? A decent ISP (IMO) should have good control plane and 
infrastructure protection in place, so there should be no threat. I think the 
main issue from the Internet into the ISP's OSS/BSS systems is DDoS traffic, 
either targeted at the ISP or a downstream customer, that fills the pipes and 
they can’t even get management access to their devices (perhaps no out-of-band 
connectivity, for example). But control plane attacks can come from within the 
ISP, not just out on the Internet, and can be fairly well defended against.


Cheers,
James.




Re: [uknof] ISP Security architecture

2016-09-21 Thread James Bensley
On 15 September 2016 at 11:46, John Bourke wrote:
> Hi,
>
> Touchy subject, but can anyone share some war stories about how they keep
> raw Internet traffic away from ISP operational systems, which by definition
> need to talk to the equipment which carries that Internet traffic.


I'm not 100% certain of what you are looking for here but if you
search through the list archives for the c-nsp and j-nsp mailing lists
(others too I'm sure) you'll see many discussions about ISPs moving
the Internet into a dedicated L3VPN.

In that example keeping the internet traffic in a dedicated L3VPN and
say having a separate dedicated L3VPN for management traffic
segregates the two traffic types but the NMS/OSS/BSS systems still
have access to the routers (if you configure them to allow management
access from within that management L3VPN).

I’m not sure where the horror stories fit in to this that specifically
relate to the Internet? A decent ISP (IMO) should have good control
plane and infrastructure protection in place, so there should be no
threat. I think the main issue from the Internet into the ISP's
OSS/BSS systems is DDoS traffic, either targeted at the ISP or a
downstream customer, that fills the pipes and they can’t even get
management access to their devices (perhaps no out-of-band
connectivity, for example). But control plane attacks can come from
within the ISP, not just out on the Internet, and can be fairly well
defended against.


Cheers,
James.
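The two-L3VPN split James describes, written out as an added illustration (this is not James's or any ISP's real configuration): Cisco IOS-style syntax is assumed, the VRF names, route distinguishers and documentation-range addresses are invented, and the practical check it shows is that the vty access-class only admits sessions arriving inside a VRF when `vrf-also` is present.

```text
! Added illustration; Cisco IOS-style syntax assumed, names and addresses invented.
! Two L3VPNs on one PE: customer Internet traffic in one, NMS/OSS/BSS in the other.
vrf definition INTERNET
 rd 65000:100
 address-family ipv4
 exit-address-family
!
vrf definition MGMT
 rd 65000:200
 address-family ipv4
 exit-address-family
!
! Internet-facing interface belongs to the INTERNET VRF only.
interface GigabitEthernet0/0
 description Internet / customer facing
 vrf forwarding INTERNET
 ip address 192.0.2.1 255.255.255.252
!
! Management loopback is reachable only through the MGMT VRF;
! the NMS/OSS hosts are assumed to live in 198.51.100.0/24 inside that VRF.
interface Loopback1
 description Management
 vrf forwarding MGMT
 ip address 198.51.100.1 255.255.255.255
!
ip access-list standard MGMT-HOSTS
 permit 198.51.100.0 0.0.0.255
 deny   any log
!
! Without 'vrf-also' the access-class is only evaluated for global-table sessions
! and sessions arriving inside a VRF are refused, so the NMS in MGMT could not log in.
line vty 0 4
 access-class MGMT-HOSTS in vrf-also
 transport input ssh
!
! Outbound management sessions from the router are sourced from the MGMT loopback,
! so they never ride the INTERNET VRF.
ip ssh source-interface Loopback1
!
! Note: the Internet-facing interface addresses remain reachable from the Internet,
! so this separation complements, and does not replace, infrastructure ACLs and
! control-plane policing (the "control plane and infrastructure protection" above).
```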



[uknof] ISP Security architecture

2016-09-15 Thread John Bourke
Hi,

Touchy subject, but can anyone share some war stories about how they keep raw 
Internet traffic away from ISP operational systems, which by definition need to 
talk to the equipment which carries that Internet traffic.

Thanks

John

