by walrus01 2763 days ago
Senior network engineer for an ISP here. When you have a network that spans a number of states and provinces, it inevitably develops a huge attack surface. Designing security features into the network is part of modern network architecture; the two are inseparable these days. There are obvious concerns about endpoint security (individual servers, VMs, etc.) and then different considerations for network security of routing/switching/WDM/millimeter wave equipment at POPs.

A lot of equipment used by ISPs is barely protected at all, from what I've seen of other people's networks. There are a lot of things out there like temperature monitoring devices, UPSes, rectifiers, HVAC controls, security card readers/relay controls, and generator monitoring control systems that run ancient shitty software, which the vendor will never patch. People spend a lot of time isolating these things in special management networks because the cost of replacing a big rectifier system at an older POP cannot be justified.

I would say that for somebody that wants to get into a dedicated security role, without having specifically studied netsec stuff in detail, the best background to have is a mixed balance of first/second-tier NOC, network engineering, and general Linux/BSD sysadmin knowledge.

1 comments
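The post above describes the standard mitigation for unpatchable POP equipment: park it in a dedicated management network and make sure nothing else can reach it. The following is an added example, not code from the thread or from any commenter, of how a defender can audit that segmentation from an exported first-match ACL. The inventory, zone CIDRs and rules are constructed sample data; "oob-mgmt" is assumed to be the only zone allowed to reach legacy devices, and the rule format (src, dst, action) is an assumption standing in for whatever your firewall exports.

```python
"""Audit whether legacy (unpatchable) management-plane devices are reachable
from anywhere other than the approved out-of-band management zone.

Constructed example: inventory, zones and rules are made up for illustration.
"""
import ipaddress
from typing import List, NamedTuple, Optional


class Rule(NamedTuple):
    src: str      # source CIDR
    dst: str      # destination CIDR
    action: str   # "allow" or "deny"


# Constructed zones. Only "oob-mgmt" is an approved source for legacy gear.
ZONES = {
    "oob-mgmt": "10.250.0.0/16",      # jump hosts / OOB management
    "customer": "100.64.0.0/10",      # CGNAT customer space
    "corp-lan": "10.10.0.0/16",       # office / corporate LAN
    "vendor-vpn": "192.168.200.0/24", # third-party vendor VPN pool
}

# Constructed inventory of the kind of devices the post describes.
LEGACY_DEVICES = {
    "pop3-rectifier-ctl": "10.250.3.11",
    "pop3-ups": "10.250.3.12",
    "pop7-hvac": "10.10.7.40",        # wrongly addressed out of the corp LAN
    "pop7-card-reader": "10.250.7.15",
}

# Constructed first-match ruleset (evaluated top to bottom, implicit deny).
RULES = [
    Rule("10.250.0.0/16", "10.250.0.0/16", "allow"),  # mgmt to mgmt
    Rule("10.10.0.0/16", "10.10.7.0/24", "allow"),     # corp LAN to POP7 office subnet
    Rule("0.0.0.0/0", "10.250.7.15/32", "allow"),      # "temporary" hole left open for a vendor
    Rule("0.0.0.0/0", "0.0.0.0/0", "deny"),
]


def exposure(rules: List[Rule], zone_cidr: str, dst_ip: str) -> Optional[Rule]:
    """Return the first rule that lets some host in zone_cidr reach dst_ip, else None.

    First-match semantics: a deny covering the whole zone ends the search; a deny
    covering only part of the zone does not, because the remainder may still hit
    a later allow. Any overlap between the zone and an allow's source counts as
    exposure, which errs toward flagging rather than missing a path.
    """
    zone = ipaddress.ip_network(zone_cidr)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        rsrc = ipaddress.ip_network(rule.src)
        rdst = ipaddress.ip_network(rule.dst)
        if dst not in rdst or not zone.overlaps(rsrc):
            continue
        if rule.action == "allow":
            return rule
        if zone.subnet_of(rsrc):
            return None
    return None


def audit(devices, zones, rules, approved=("oob-mgmt",)):
    """List (device, zone, rule) for every legacy device reachable from a non-approved zone."""
    findings = []
    for name, ip in devices.items():
        for zone_name, zone_cidr in zones.items():
            if zone_name in approved:
                continue
            rule = exposure(rules, zone_cidr, ip)
            if rule is not None:
                findings.append((name, zone_name, rule))
    return findings


def misplaced(devices, zones, approved=("oob-mgmt",)):
    """Legacy devices whose address is not inside any approved management zone at all."""
    approved_nets = [ipaddress.ip_network(zones[z]) for z in approved]
    return sorted(
        name for name, ip in devices.items()
        if not any(ipaddress.ip_address(ip) in net for net in approved_nets)
    )


if __name__ == "__main__":
    for name in misplaced(LEGACY_DEVICES, ZONES):
        print(f"MISPLACED  {name}: not addressed out of an approved management zone")
    for name, zone, rule in audit(LEGACY_DEVICES, ZONES, RULES):
        print(f"EXPOSED    {name} reachable from {zone} via allow {rule.src} -> {rule.dst}")
```

Run against the constructed data, the rectifier and UPS come back clean, the HVAC controller is flagged both as misplaced (it lives on the corp LAN) and as reachable from it, and the card reader is flagged from every non-management zone because of the vendor rule with a 0.0.0.0/0 source. Feeding this a real ACL export means translating your firewall's rule syntax into the (src, dst, action) tuples assumed here.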

As someone who used to be a senior engineer for an ISP, shout-out to all the STBs with hard coded admin creds :-)
Shout-out to everyone who's ever worked for a large- to mid-size ISP that has acquired and eaten/digested a smaller ISP which has already existed for 12, 15 or 20 years... So much weird legacy gear in weird locations, doing weird things. So many SDH circuits and OC-whatever transport systems.
HAHA Are you me? This sounds creepily familiar...
Seems to be an endemic problem; maybe if Zayo buys everyone else, no one will experience it again.