[c-nsp] Giving customers access to your gear.
Daniel Hooper
dhooper at emerge.net.au
Wed Jun 4 02:11:35 EDT 2008
Your large hotel chain techs sound like a bunch of gumbies; any tech
worth their salt would poll their own equipment and not the provider's.
Provider: Let's feed them dummy SNMP counters
Customer: Hey, you're billing me for 500gb of traffic!!
Provider: Yes.. don't your graphs reflect this? ;)
-Dan
> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> Sent: Wednesday, 4 June 2008 12:49 PM
> To: Richey
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Giving customers access to your gear.
>
> On Tue, 3 Jun 2008, Richey wrote:
>
> > I've got a customer with a T1. They have been bought out by a large hotel
> > chain. They are pretty much demanding that they have SNMP full read access
> > to our router that is at their location as well as a copy of the config for
> > the router. This is not their router, it is ours and we fully manage our
>
> As long as you don't give them the clear text version of the enable
> secret, they can't do any damage, so what's the concern? Having been on
> the customer end of this sort of arrangement long ago, I can understand
> their concern. They may want SNMP access for traffic/health graphing, and
> a copy of the config simply for auditing purposes to satisfy themselves
> that the config is "secure" enough.
>
> I'm sure _you_ wouldn't do this, but if you (as the ISP) were to make
> changes to your customer routes and break their internet connection, and
> then have all of your NOC staff go fishing for the day, if the customer
> had enable, they could possibly fix their router...depending on how/where
> you broke things. I've been there...didn't have access, couldn't fix it,
> and was not amused.
>
> If they want access bad enough, since they do have physical access, they
> could just reboot, change the config-register, and have a copy of the
> config.
>
> > router and hand them Ethernet. This seems a little odd that they want
> > access to our gear, and I am not too keen on giving them access unless they
> > are willing to accept some responsibility. They don't want to accept any
> > responsibility for the access they would have to this box. They say that
> > Verizon and AT&T don't have any problems giving them this kind of access to
> > their gear.
>
> If you give them enable, the rule is "you break it, you pay us to fix it".
> I also highly recommend rancid, so when they do break it or monkey with it
> in any way, you get notification, and can easily see and back out their
> changes.
>
> ----------------------------------------------------------------------
> Jon Lewis | I route
> Senior Network Engineer | therefore you are
> Atlantic Net |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________