[c-nsp] Giving customers access to your gear.

Daniel Hooper dhooper at emerge.net.au
Wed Jun 4 02:11:35 EDT 2008


Your large hotel chain techs sound like a bunch of gumbies; any tech
worth their salt would poll their own equipment and not the provider's.

Provider: Let's feed them dummy SNMP counters
Customer: hey you're billing me for 500gb of traffic!!
Provider: yes.. don't your graphs reflect this? ;)

-Dan

> -----Original Message-----
> From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On Behalf Of Jon Lewis
> Sent: Wednesday, 4 June 2008 12:49 PM
> To: Richey
> Cc: cisco-nsp at puck.nether.net
> Subject: Re: [c-nsp] Giving customers access to your gear.
> 
> On Tue, 3 Jun 2008, Richey wrote:
> 
> > I've got a customer with a T1.  They have been bought out by a large hotel
> > chain.  They are pretty much demanding that they have SNMP full read access
> > to our router that is at their location as well as a copy of the config for
> > the router.   This is not their router, it is ours and we fully manage our
> 
> As long as you don't give them the clear text version of the enable
> secret, they can't do any damage, so what's the concern?  Having been on
> the customer end of this sort of arrangement long ago, I can understand
> their concern.  They may want SNMP access for traffic/health graphing, and
> a copy of the config simply for auditing purposes to satisfy themselves
> that the config is "secure" enough.
> 
> I'm sure _you_ wouldn't do this, but if you (as the ISP) were to make
> changes to your customer routes and break their internet connection, and
> then have all of your NOC staff go fishing for the day, if the customer
> had enable, they could possibly fix their router...depending on how/where
> you broke things.  I've been there...didn't have access, couldn't fix it,
> and was not amused.
> 
> If they want access bad enough, since they do have physical access, they
> could just reboot, change the config-register, and have a copy of the
> config.
> 
> > router and hand them  Ethernet.     This seems a little odd that they want
> > access to our gear, and I am not too keen on giving them access unless they
> > are willing to accept some responsibility.   They don't want to accept any
> > responsibility for the access they would have to this box.     They say that
> > Verizon and AT&T don't have any problems giving them this kind of access to
> > their gear.
> 
> If you give them enable, the rule is "you break it, you pay us to fix it".
> I also highly recommend rancid, so when they do break it or monkey with it
> in any way, you get notification, and can easily see and back out their
> changes.
> 
> ----------------------------------------------------------------------
>   Jon Lewis                   |  I route
>   Senior Network Engineer     |  therefore you are
>   Atlantic Net                |
> _________ http://www.lewis.org/~jlewis/pgp for PGP public key_________