Leased line router - whose responsibility?
Discussion
My business has a 1000Mbps leased line from VirginMediaO2. The Cisco router they supplied and installed many years ago is end of life. I'm trying to get them to replace it with a new one but they insist the only way they can do this is for me to sign up for a new 3 year contract. Surely they are responsible for ensuring their equipment is up to date with firmware updates etc. Anyone able to offer any insight? I really don't know where I stand. I've read the "Dedicated Internet Access Service Schedule" and the "Agreement for Provision of Services" documents and neither has anything to say about this scenario.
I've managed 100's of leased lines and any equipment not managed by my firm is assumed a security risk, so however a line is terminated it goes into one of our internet-facing routers or firewalls with appropriate security in place. Are you actually using the router for internal purposes (DHCP/Firewall) etc?
I don't think we've ever approached a carrier to tell them to upgrade their equipment unless there is a fault.
It's about as clear a demark as you can get.
As Brother D says the Cisco Router is there purely to terminate Virgin's line into your property. You have no access or control over this device so you should have your own equipment sat in front of it that your LAN can connect to.
Your own device (which should be a firewall or have firewall capabilities) should be where all your local computers etc. terminate.***
This device would only allow certain traffic in and out to Virgin's network and the internet. You should always treat an ISP connection and kit as "dirty" and take your own security precautions.
And the sales folk at Virgin get paid more for a new line than an upgrade or renewal so most answers will be "new line". It won't solve the problem you apparently have though.
- *This may vary depending on how many devices you have, size of network etc.
Edited by skyebear on Wednesday 11th June 16:47
You're buying a service not a particular box. Assuming you are using and managing a security device between the Virgin Cisco unit and your network then there's nothing to think about. If the router is compromised it's Virgin's network at risk not yours and it's their responsibility to restore the service.
I've never known a service provider carry out a CPE refresh program unless the existing kit can't deliver required services such as a speed upgrade.
Edited by ffc on Wednesday 11th June 17:01
With respect if you wanted to get involved in the equipment you ought to have bought a "wires only" setup, and provisioned your own router.
If it works - what difference does it make if it's "end of life"? Is there some vulnerability you believe the equipment is vulnerable to? If there is, that would be your angle for getting it replaced - but that's only likely to go anywhere if it's remotely exploitable without privileges.
As an aside I would be surprised if the router you've got is even running the current firmware. It may even have not been updated since it was installed. It's not something they could do without some downtime for you, and they will have no idea of what you're going to hang off of it once installed - you could be running a high availability setup that needs to be operational 24/7 for all they know, so unless they've spoken to you about planned downtime then it's likely never happened.
As alluded to above they're unlikely to mess with provisioned CPE unless there is an actual identified or reported issue impacting SLA. It costs engineer time at no strict benefit to them, and customers are generally oblivious (service is either up or not).
Edited by Durzel on Wednesday 11th June 17:46
Brother D said:
I've managed 100's of leased lines and any equipment not managed by my firm is assumed a security risk, so however a line is terminated it goes into one of our internet-facing routers or firewalls with appropriate security in place. Are you actually using the router for internal purposes (DHCP/Firewall) etc?
I don't think we've ever approached a carrier to tell them to upgrade their equipment unless there is a fault.
It's about as clear a demark as you can get.
I've configured and looked after a few leased lines in my time, and it's always been this way. ISP provides an NTE and usually a Cisco box that you have no admin access to. You then install your own hardware of choice to handle firewalls and DHCP in front of that.
I can see both sides of this.
I'd find it tricky to "unsee" a shabby old end of life piece of kit on my premises.
The way I'd try to square it if you get no joy is that you have absolutely no idea what they're running upstream from that.
i.e. they ship you a shiny new router tomorrow - great - but what's upstream from there that you can't see?
In all my years in IT management I never once gave a second glance to many of the beige plastic monstrosities that were NTEs. As long as the wire that came out of them gave me reliable internet access, I didn't care what they looked like or how old they were.
If your internet connection is unreliable due to the box then I understand, but if it works, I can see Virgin's stance - why spend on an unnecessary box with no upside to them?
Brother D said:
I've managed 100's of leased lines and any equipment not managed by my firm is assumed a security risk, so however a line is terminated it goes into one of our internet-facing routers or firewalls with appropriate security in place. Are you actually using the router for internal purposes (DHCP/Firewall) etc?
I don't think we've ever approached a carrier to tell them to upgrade their equipment unless there is a fault.
It's about as clear a demark as you can get.
I should have been clearer in my original post. We have a good firewall in place and appropriate security measures. We are not using the router for DHCP, firewall etc. In fact we have no access to / control over it so couldn't even if we wanted to. It's only an issue because our Cyber Essentials assessor has highlighted it and said it needs to be replaced.
skyebear said:
As Brother D says the Cisco Router is there purely to terminate Virgin's line into your property. You have no access or control over this device so you should have your own equipment sat in front of it that your LAN can connect to.
Your own device (which should be a firewall or have firewall capabilities) should be where all your local computers etc. terminate.***
This device would only allow certain traffic in and out to Virgin's network and the internet. You should always treat an ISP connection and kit as "dirty" and take your own security precautions.
And the sales folk at Virgin get paid more for a new line than an upgrade or renewal so most answers will be "new line". It won't solve the problem you apparently have though.
We have a good firewall and appropriate security in place. This is only an issue because our Cyber Essentials assessor has highlighted it and said it needs to be replaced.
Durzel said:
With respect if you wanted to get involved in the equipment you ought to have bought a "wires only" setup, and provisioned your own router.
If it works - what difference does it make if it's "end of life"? Is there some vulnerability you believe the equipment is vulnerable to? If there is, that would be your angle for getting it replaced - but that's only likely to go anywhere if it's remotely exploitable without privileges.
As an aside I would be surprised if the router you've got is even running the current firmware. It may even have not been updated since it was installed. It's not something they could do without some downtime for you, and they will have no idea of what you're going to hang off of it once installed - you could be running a high availability setup that needs to be operational 24/7 for all they know, so unless they've spoken to you about planned downtime then it's likely never happened.
As alluded to above they're unlikely to mess with provisioned CPE unless there is an actual identified or reported issue impacting SLA. It costs engineer time at no strict benefit to them, and customers are generally oblivious (service is either up or not).
I don't want to get involved in the equipment, it's only become an issue because our Cyber Essentials assessor has highlighted it and said it needs to be replaced.
Griffith4ever said:
In all my years in IT management I never once gave a second glance to many of the beige plastic monstrosities that were NTEs. As long as the wire that came out of them gave me reliable internet access, I didn't care what they looked like or how old they were.
If your internet connection is unreliable due to the box then I understand, but if it works, I can see Virgin's stance - why spend on an unnecessary box with no upside to them?
Agreed, that is my thinking too. It's only become an issue because our Cyber Essentials assessor has highlighted it and said it needs to be replaced. The internet connection has been very reliable and I'm happy with it.
Thanks for all the comments. Seems I've been a bit harsh on VM. As mentioned in my replies above, this has only become an issue because our Cyber Essentials assessor has highlighted it and is insisting the router be replaced. Do you think I'd have more chance of making progress if I argued with the CE assessor that the router is out of scope for CE? Considering I have no control over it and we're not using it to provide DHCP or any other services, it is there purely to terminate Virgin's line into our property.
Edited by toddler on Thursday 12th June 07:50
It sounds like the kit is CPE - consumer provided equipment.
Refer to it as such when you speak to them and escalate.
In the end, you should be terminating your network robustly against it but it could impact their ability to fulfil their SLA to you. If you are terminating your network there then the cyber risk isn't massive, your risk comes in as availability.
toddler said:
I don't want to get involved in the equipment, it's only become an issue because our Cyber Essentials assessor has highlighted it and said it needs to be replaced.
Fair enough - I would say that your assessor is probably mistaken. Without knowing there was an actual remotely exploitable vulnerability that could compromise that equipment specifically, it's just speculative based on the "end of life" status.
In my experience NTEs aren't configured to do much of any firewalling in any event, unless explicitly requested, since that could interfere with a customer's business.
eeLee said:
It sounds like the kit is CPE - consumer provided equipment.
Refer to it as such when you speak to them and escalate.
In the end, you should be terminating your network robustly against it but it could impact their ability to fulfil their SLA to you. If you are terminating your network there then the cyber risk isn't massive, your risk comes in as availability.
I've Googled CPE, and I don't think it is. We didn't provide it and we don't own it. It was installed by VM and we have no access to it or control over it.