On 15 September 2016 at 11:46, John Bourke <john.bou...@mobileinternet.com> wrote:
> Hi,
>
> Touchy subject, but can anyone share some war stories about how they keep
> raw Internet traffic away from ISP operational systems, which by definition
> need to talk to the equipment which carries that Internet traffic.
I'm not 100% certain of what you are looking for here, but if you search through the list archives for the c-nsp and j-nsp mailing lists (others too, I'm sure) you'll see many discussions about ISPs moving the Internet into a dedicated L3VPN. In that example, keeping the Internet traffic in a dedicated L3VPN and, say, having a separate dedicated L3VPN for management traffic segregates the two traffic types, but the NMS/OSS/BSS systems still have access to the routers (if you configure them to allow management access from within that management L3VPN).

I'm not sure where the horror stories fit into this that specifically relate to the Internet? A decent ISP (IMO) should have good control plane and infrastructure protection in place, so there should be no threat.

I think the main issue from the Internet into the ISP's OSS/BSS systems is DDoS traffic, either targeted at the ISP or at a downstream customer, that fills the pipes so they can't even get management access to their devices (perhaps no out-of-band connectivity, for example). But control plane attacks can come from within the ISP, not just out on the Internet, and can be fairly well defended against.

Cheers,
James.
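As an added illustration of the design James describes (not from the thread, and not any particular ISP's configuration), the IOS-style fragment below puts customer Internet traffic in one VRF, the management plane in another, restricts VTY and SNMP access to NMS/OSS hosts reachable only through the management VRF, and rate-limits what the route processor will accept. VRF names, route distinguishers, interface names, the RFC 5737 documentation addresses and the policer rates are all assumptions chosen for the example.

```text
! Added example (not from the thread). Names, RDs, addresses and rates are assumed.

! One VRF carries customer Internet traffic, a separate VRF carries management.
vrf definition INTERNET
 rd 65000:100
 address-family ipv4
  route-target export 65000:100
  route-target import 65000:100
!
vrf definition MGMT
 rd 65000:200
 address-family ipv4
  route-target export 65000:200
  route-target import 65000:200
!
! Customer handoff lives only in the INTERNET VRF; it has no route to MGMT.
interface GigabitEthernet0/1
 description Customer handoff (Internet VRF)
 vrf forwarding INTERNET
 ip address 203.0.113.1 255.255.255.252
!
! The address the NMS/OSS talks to lives only in the MGMT VRF.
interface Loopback1
 description Management address, reachable from the MGMT VRF only
 vrf forwarding MGMT
 ip address 192.0.2.1 255.255.255.255
!
! Only the NMS/OSS subnet (assumed 198.51.100.0/24) may reach SSH and SNMP.
ip access-list extended MGMT-ALLOW
 permit tcp 198.51.100.0 0.0.0.255 any eq 22
 permit udp 198.51.100.0 0.0.0.255 any eq snmp
 deny   ip any any log
!
! vrf-also applies the ACL to sessions arriving via a VRF, not just the global table.
line vty 0 4
 transport input ssh
 access-class MGMT-ALLOW in vrf-also
!
snmp-server community REPLACE-WITH-REAL-COMMUNITY RO MGMT-ALLOW
!
! Control-plane policing: management sources get a modest rate, everything
! else punted to the route processor is held to a small trickle.
class-map match-all CoPP-MGMT
 match access-group name MGMT-ALLOW
!
policy-map CoPP
 class CoPP-MGMT
  police 512000 conform-action transmit exceed-action drop
 class class-default
  police 64000 conform-action transmit exceed-action drop
!
control-plane
 service-policy input CoPP
```

The point of the split is that a customer in the INTERNET VRF has no forwarding path to Loopback1 at all, so the management ACL and the CoPP policy are the second and third lines of defence rather than the first. In practice the class-default policer needs to be sized for the routing-protocol and ICMP traffic the box legitimately punts; the figures above are placeholders, and a separate class for BGP/IGP peers is the usual next refinement.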