On Tue, 3 Jun 2008, Richey wrote:

> I've got a customer with a T1. They have been bought out by a large hotel
> chain. They are pretty much demanding that they have SNMP full read access
> to our router that is at their location as well as a copy of the config for
> the router. This is not their router, it is ours and we fully manage our

As long as you don't give them the clear text version of the enable secret, they can't do any damage, so what's the concern? Having been on the customer end of this sort of arrangement long ago, I can understand their concern. They may want SNMP access for traffic/health graphing, and a copy of the config simply for auditing purposes to satisfy themselves that the config is "secure" enough.

I'm sure _you_ wouldn't do this, but if you (as the ISP) were to make changes to your customer routes and break their internet connection, and then have all of your noc staff go fishing for the day, if the customer had enable, they could possibly fix their router...depending on how/where you broke things. I've been there...didn't have access, couldn't fix it, and was not amused.

If they want access bad enough, since they do have physical access, they could just reboot, change the config-register, and have a copy of the config.

> router and hand them Ethernet. This seems a little odd that they want
> access to our gear, and I am not too keen on giving them access unless they
> are willing to accept some responsibility. They don't want to accept any
> responsibility for the access they would have to this box. They say that
> Verizon and AT&T don't have any problems giving them this kind of access to
> their gear.

If you give them enable, the rule is "you break it, you pay us to fix it". I also highly recommend rancid, so when they do break it or monkey with it in any way, you get notification, and can easily see and back out their changes.

----------------------------------------------------------------------
 Jon Lewis                   |  I route
 Senior Network Engineer     |  therefore you are
 Atlantic Net                |
_________ http://www.lewis.org/~jlewis/pgp for PGP public key_________
_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
