[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Different Customers, Different Security Requirements



-----BEGIN PGP SIGNED MESSAGE-----

In the spirit of following up on commitments...

An ISP purchasing NxDS3 connectivity from a tier 1 provider should
have vastly different security expectations from a home user
purchasing a dial-up connection or a small business looking for some
one host their web site.  Towards that end, it might be useful to get a
rough consensus of just what the different types of customers are.  
- From there we can then better determine what those customers, since
some of "those customers" are us, expect vs. what we can provide.
Towards that end, I'll give y'all the categories I mentally divide
customers into.

1.	Transit providers:

	The basic ISP, transport based, fee for connectivity,
	multi-homed, 24x7 operation. They provide connectivity and
	assure traffic hand-off to and from the customer, the customer
	to provide the rest.  Your basic upper tier ISPs.

2.	Service based providers:

	Web hosting, managed services, etc.  expertise for hire,
	24x7 operation.  May or may not provide transit services.

These two distinctions are rapidly blurring.  It's possible that the
distinction, if any, should be based on whether the customer
provides transit services.


3.	Institutional users:

	These may be corporate or educational facilities.  Their primary
	requirement is dependable connectivity.  They are probably
	multi-homed for redundancy, but typically don't provide transit
	services.  They may have their own networking group, and may
	or may not have a 24x7 shop.

1, 2 and 3, beyond the expectations of a rational AUP, accessible
security contacts, and a well defined response policy, will be
interested in such things as ingress/egress filtering, (secure)  
Routing Registry and DNS policies and procedures, co-lo questions,
etc.

4.	Business users:

	They aren't in the business of being an ISP and don't want to be,
	that's what they pay the service provider to be.  May be
	multi-homed, bread and butter for your typical managed services
	operation.  May have one or two servers on site.  Typically
	not a 24x7 operation.  Web hosting, e-commerce, managed
	router/LAN.  Expect lots of hand holding.

AUP, security contacts, intrusion detection/countermeasures, DoS
response. These folks are paying for someone else to deal with the
management issues, of which security is just one of many, and are
looking for someone to tell them that things are being handled, not to
smother them with details they don't have time to deal with.  
Arguably the ones who would get the most benefit from the user doc.

5.	Dial users:

	Self explanatory.

Rationally configured SMTP service, reasonable SPAM policy.


I've found 1, by definition, and sometimes 2, to be transit
networks, while 3 and 4 are typically stubs.

- -- 
Rusty Zickefoose  |  The most exciting phrase to hear in science,
rusty@cw.net      |  the one that heralds new discoveries, is not
                  |  "Eureka!", but "That's funny ..."
                  |  -- Isaac Asimov

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv
Comment: Public key may be found at http://pgpkeys.mit.edu:11371

iQCVAgUBNrQKXe4+ch/bGDylAQGwWQP/dTDETGa/l9MsthHcEQCMzNflWyDg4rjj
UZj2VFBSLgVLe4wCvkRz0dMiqbVL4nz1xJRzLhb2zUqguJg9cXC1D6Fh3YiIdK/S
l07Y0j6N+jlqctqCeE5NGhvkCkREhw5YLj+Uyfygeucugqzt6RWZLQ2TURLUWLSw
0ieoz7L9duU=
=QwDq
-----END PGP SIGNATURE-----