Routing and traffic security requirements Survey

MANRS+ is a concept of a second, elevated tier of MANRS participation for connectivity providers that comply with stringent traffic security and auditing requirements.

This survey seeks to understand how organizations that contract connectivity providers for Internet connectivity think about securing their traffic flows as it transits the Internet. Your feedback will be used to evaluate possible future requirements for connectivity providers, as part of a ongoing work in the MANRS+ working group, related to how they secure their customers’ Internet traffic.

Time to complete the survey: 5-10 min.

The answers to the survey should reflect the perspective of an organization that contracts a network provider for Internet connectivity: An Enterprise (business, university), a Cloud provider or an access ISP recognizes threats coming from being connected to the Internet and looks for a MANRS+ connectivity provider (IP Transit provider) for transit that has sufficient controls and services in place to mitigate these risks. An example use case is when an enterprise is looking for a new connectivity provider, they would put in their request for proposal (RFP) a requirement for being “MANRS+ certified” and that would ensure the bidding provider has implemented best practice routing security capabilities.

1.What is the size of your organization?

Small (1-100 employees)

Mid-sized (101-1000 employees)

Large (more than 1000 employees)

3.How many Internet connectivity providers do you have globally (if you have multiple points of presence please count them all)?

1

2

>2

5.Do you have security compliance requirements required by law or business practice?

PCI DSS

ISO27001

NIST SP 800-53

Other (please specify)

6.Is management of risks related to your Internet connectivity included in your security framework/Information Security Management System (ISMS)?

Yes, they are managed as part of supply chain security activities

We do have a formal framework, but Internet connectivity risks are not managed as a part of it

We do not use a formal framework, but have processes and controls related to routing and traffic security

We do not have a systematic approach to managing these risks

In the following section, we’d like feedback on what traffic security features you value from your connectivity provider. Please evaluate it from the perspective of whether you are willing to pay a premium for these features.

7.Routing Security. A connectivity provider maintains the capability to detect and mitigate the risk that a relying party’s traffic will be hijacked or detoured on networks they control as a result of a mistake or an attack. An example of such capability is filtering incorrect routing announcements or monitoring and mitigating routing incidents related to enterprise networks.

8.DDoS attack prevention. A connectivity provider maintains detection and mitigating capabilities to reduce the risk of a volumetric DDoS attack. Examples are detection and blocking of attack traffic, and coordination.

9.Anti-spoofing protection. A connectivity provider prevents traffic from their direct customers or peers with spoofed source IP addresses.

Not important

Nice to have

Fairly important

Has high business value for us

Essential, we require this in contracts

10.Maintaining routing information. A connectivity provider has accessible, complete, and up-to-date documentation of the intended routing announcements and other information on its routing policy that are essential for detecting and mitigating routing incidents on a global scale.

11.Operational communication and coordination. A connectivity provider maintains a responsive NOC/helpdesk capable of coordinating and resolving traffic and routing security issues such as a large-scale DDoS attack.

Not important

Nice to have

Fairly important

Has high business value for us

Essential, we require this in contracts

12.Supply chain transparency. A connectivity provider offers the feature “transparency of your communication supply chain” to its clients. This means that it provides to its customers additional information about itself and its upstream connectivity providers, such as administration settings (e.g., legal ownership, third parties used, and applicable data laws) and security properties (e.g., MANRS+ certification).

13.Security services. A connectivity provider offers security services helping the enterprise to maintain strong security posture. Such services may include performing router security settings (e.g. based on CIS benchmarks), routing incident monitoring and reporting.

14.Are there other high business value or essential security requirements?

15.How do you verify that security requirements are met by the connectivity provider?

We do not verify

We rely on connectivity provider's explanation

We require formal certification

We review feedback from other customers

We collect evidence using audit tools (please specify)

None of the above

17.What is your role in the organization?

Technology and Engineering

Business

Legal and compliance

18.Please provide any thoughts or comments you might have that might advance the goals of this survey.

19.Please provide your details if you’re ok with us following up with you.

Name

Company

Email Address

This section is for the piloting of the survey. Its objective is to collect feedback about the survey itself

20.How long did it take to fill out the survey?

Less than 5 minutes

5 - 15 minutes

More than 15 minutes

21.Were there any unclear questions? Please provide question numbers and your feedback

22.Are there questions that would be useful to ask, given the objective of the survey, but are missing?

23.Please provide any other feedback regarding the survey you'd like to share

Privacy policy