Release of the LACNOG-M3AAWG Joint Best Current

Operational Practices (BCOP) LucimaraDesiderá

LAC-AAWGchair

Official release on 08 May 2019 LACNOGandM3AAWGjointBCOP

MinimumSecurityRequirementsforCustomerPremisesEquipment(CPE)Acquisition.

https://www.lacnog.net/docs/lac-bcop-1

https://www.m3aawg.org/CPESecurityBP

Comingsoon–Translationto:•  SpanishandPortuguese

•  JapaneseandKorean(JP-AAWG)

Official release on 08 May 2019

Why care about CPE Security?

Businessandoperationalimpacts•  Compromisingoftheprovider'snetwork

-  Someoneelseisusingyourresources• Degradationorunavailabilityofservices

-  Youcanloseclients•  Technicalsupportandrepairwork

-  Youarelosingmoney•  ProtectthereputationofyourISP

-  Customers,partnersandblacklists

Problems the BCOP addresses

• Standardcredentialsforalargenumberofdevices• Credentialsthatcannotbechanged(hard-coded)• Useofobsoleteandinsecureprotocolsandalgorithms

• Undocumentedaccesses(backdoors)• Lackofautomatedandsecureupdatemechanismstoaddresssecurityissues

• Unnecessaryand/orinsecureservicesenabledbydefault

• Servicesthatcannotbedisabled•  Insecureremotemanagement

What is inside? Areferencechecklistforhardwaredecisions→  Let’saskvendorsforbetterproductswhileimprovingournetworks!😀