North American Network Operators Group
Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Provider-based DDoS Protection Services

  • From: John Neiberger
  • Date: Thu Jul 28 22:56:17 2005
  • Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=beta; d=gmail.com; h=received:message-id:date:from:reply-to:to:subject:cc:in-reply-to:mime-version:content-type:content-transfer-encoding:content-disposition:references; b=WbUUmS1BF4poQAjo7aqxlU2hoH+2yA3cFlf/RkoDwVHe3gClKopmE59Zqc7mNtg+ExSumBF6j0OYainE7v50/gOf1ZrocwOdFQJMGsHiUXzGr5XEkvApxEwsn1jiQKUrWnF5M4H765UX0JZed8MrZTI9QSVmwmhpfCsmBIa/PuI=
Ferg,

That's an understandable attitude given the nature of your networks.
In our case, I'm just talking about two or three T1s that provide
Internet connectivity to our website for our customers.

I appreciate your input, though. I will accept all advice and input if
it gets me closer to a better understanding of the realities of topic
at hand and if it helps weed out some of the marketing fluff that's
being heaped upon me by salespeople. :)

Thanks!
John

On 7/28/05, Fergie (Paul Ferguson) <[email protected]> wrote:
> John,
> 
> Contrary to popular belief, I (not alone, of course) run,
> manage, defend, and continually architect very large
> networks. Very large.  On none of them do we outsource
> the protection of them -- because, in cases where we
> have extended trust in the past, we have been screwed
> (PC translation: disappointed).
> 
> So we protect ourselves.
> 
> It's been a business decision for my customers' networks
> (ie. their network) not to outsource security, or rely on
> an upstreampipedream, for protection of any sort.
> 
> Thus, I personally can't provide any insight here. Sorry.
> 
> - ferg
> 
> -- John Neiberger <[email protected]> wrote:
> 
> In this case it's a business decision. I understand that we could
> simply weigh the costs of an attack with the costs of preemptively
> detecting and mitigating an attack, but in our case we won't lose hard
> dollars like an ecommerce site would. We have different reasons for
> wanting to have some protection in place before we need it. I look at
> it like it's an insurance policy, but I don't want to be ripped off.
> 
> It's like I'm getting estimates on building a protective dike around
> my house. One contractor tells me that the floodwaters commonly reach
> six feet so I should pay him $12,000 to build a wall at least that
> high. Another contractor is telling me that he'll build a six-foot
> wall for $6,000. Another contractor is telling me that the floodwaters
> most likely won't go over two feet and he suggests that I pay him
> $1,000 for a three-foot-high wall.
> 
> If it turns out that we really do need a six-foot-high wall then so be
> it. I'm not the one who pays the bills so it isn't really my decision.
> I just want to make sure I have a clearer picture of reality before I
> make any suggestions to my boss.
> 
> Thanks again,
> John
> 
> On 7/28/05, Fergie (Paul Ferguson) <[email protected]> wrote:
> 
> > I should've asked the most important question first -- is this
> > a technical decision, or a business decision? I mean, forgive me
> > for pointing out the obvious, but you made an issue of cost in your
> > original post...
> >
> > - ferg
> >
> 
> --
> "Fergie", a.k.a. Paul Ferguson
>  Engineering Architecture for the Internet
>  [email protected] or [email protected]
>  ferg's tech blog: http://fergdawg.blogspot.com/
> 
>