You aren't wrong, just a few things.

1. In terms of the customer-facing L3 product: I deleted a whole chunk of this, but the goal isn't so much to deploy this for, say, your average retail ISP but for ISP/MSP hybrids that are offering services to SMEs like L3VPNs, VPLS, that sort of thing. There's been a thrust towards perfecting the fully automated ISP-as-a-service offering where the MSP integrates with the ISP to automate provisioning down to the last mile, have some middle guy designate the correct service definition, etc. The problem is that all of these services in practical terms start off swinging terms like SDN around and end up with a half-built interface and helpdesk-defined networking. It's not even that hard. But it's an offering that would take someone who right now pays for, say, 5 Layer 2 tails in a managed network and convert them over to something like 5 cheaper tails with encrypted-by-default networking.

Trust me when I say that a lot of people buying products like these trust their ISP implicitly and a service offering that was little to no touch for them to advertise new security features would be well regarded.

2. Even if you have good practices, your ISP is still a risk in terms of PID. This is something that a lot of ISPs want to change about themselves but don't have the time, patience or, well, let's face it, technical capability to resolve. I could fill this forum's database with the shit I have seen.

Just a couple of scenarios I have seen that I can easily file the serial numbers off of:

1. Small ISP sold a managed router product. Upon inquiring how they access these managed routers, I was given a list of IP addresses and told to use PPTP. The PPTP tunnels were unauthenticated or at best used simple creds, running on an alternate port. Saved likely because the vendor used a slightly weird PPTP implementation and you may have needed to use their client for some software versions to initiate the tunnel. The customer was also a business with 5 offices and ~50 staff.

2. Small ISP exposed its vSphere management to the internet and got completely hosed by CryptoLocker.

3. Small ISP stored all its customer details in an Excel document in their public web directory.

4. Small ISP would routinely get hosed because they wanted all their infrastructure to be publicly routable, never applied updates, and made sure their passwords were simple enough to be memorised by their most venerable field techs.

5. Small ISP provided a "Managed Network" to a serviced office firm. All businesses in the serviced office were layer 2 adjacent.

6. Medium-size ISP would pass one client's traffic through up to 3 other customers' managed routers before building egress.

7. Medium-size ISP had field techs accessing their core network via a shared VPN credential that was not changed during staff turnover.

8. An ISP services platform that is well regarded in a small corner of WISP land uses a single vendor's API to do everything. No RADIUS. No encryption. All tasks are completed by in-the-clear API calls. There is no vendor-supported API-based authentication method. So it simply polls every box in the network every minute and updates static IP addresses as needed. The developers have never heard of SNMP, so they just use the vendor's built-in bandwidth test against every link in your network every few minutes. Don't raise a support ticket; they don't want to know about standards and protocols because they are doing it their way, which is the correct way.

The issue is that, depending on where you live in the world, telco can have razor-thin margins and the worst salesmen imaginable. They often can't or won't hire a security specialist until it's way too late. ISP owners will often just ask another ISP owner complex technical questions and do whatever the other guy told them. I found a guy selling high-value PTP links and he was using a network design that was common for trailer parks, and I asked him how he came up with that; he said he designed his network based around a very convincing Facebook post.

You can't fix intentional ignorance. But while it's legal for the intentionally ignorant to own and operate telecommunications infrastructure, I humbly suggest "The Box" would be a very valuable product.

"The Box" gives you both staff and customer directory services, centralised and encrypted, with access methods requiring a baseline level of security. "The Box" integrates with an idiot's favourite network platform for authentication. "The Box" gives you super easy to delegate and revocable, individually credentialed VPN access for field techs and contractors. "The Box" can handle RADIUS auth or LDAP for authentication with most networking hardware.

I would actually spend time suggesting this to anyone who has made me facepalm more than 3 times already.