AccessTEL - The Broadband Company > ISP > Network Infrastructure, Security & Monitoring

Our Network

We have built an extensive backbone for interconnecting our nationwide and city POPs to our NOC in Dhaka. All AccessTEL POP have redundant connectivity for ensuring high level up-time. All nationwide intercity connectivity is established separate mobile operator network for primary and secondary routes.

All backbone within the same city is fully owned and managed by AccessTEL consisting of fiber optic, free space optics and high capacity radio technologies. The core backbone network has a carrier of carrier architecture which enables the provisioning of multiple types of last mile technology used for Broadband connectivity from any of the AccessTEL POPs.

Fiber Optics
High Capacity Radio
STM Connectivity between cities in Bangladesh over the mobile/NTTN operator TDM Network

Infrastructure & Availability

Infrastructure Capacity & Coverage

AccessTEL has nationwide distribution to connect any host from anywhere in Bangladesh. AccessTEL has coverage in 64 districts of the country and is expanding. It has more than 706 network distribution points/point of presence (PoP) all over the country. The overall network infrastructure is maintained from 18 regional zonal locations with trained engineers and technicians and for Last mile connectivity we have additional resources of 382 regional partners.

Redundancy

The Backbone network is designed with Multi Ring Topology via different NTTN for redundancy.

All PoPs have dual backbone through different NTTNs and in various critical locations we have Radio backbone for triple redundancy. The Data network is designed so that each PoP is independent and not reliant on any regional or central location for transmission.

For added redundancy Clients may avail our higher level of service of connections from 2 separate PoP locations. Therefore, in the event a PoP is disconnected from our network or even if both our DC and DR sites are disconnected from our network at the same time or our central NOC is disconnected from our network, none of our Data customer’s service will be impacted.

DC and DR sites have redundancy via Multi Ring Topology.

Failure Downtime Effect

The design of our network ensures that downtime in any one location will not significantly affect the services in any other location.

Security

Built-in Security

For Security purposes we maintain 2 separate networks.  One is for our Internet customers and a separate private network data network for our bank customers.

Every customer has an isolated IP broadcast domain.  This ensures that problems arising in any one customer’s own network (i.e. customer server or laptop) can never interfere with any other customer’s network or our internal network.

Each and every customer is assigned a separate VLAN with /30 point to point IP address.  This ensures that all customer network broadcasts are completely separate.  Thus meaning, we never put 2 customers (either on the Internet or Private data network) on the same broadcast domain.

All our private data network customers are assigned exclusive Private IP blocks on our private data network which is separate from our internet network.  This ensures that any issues in the global Internet networks never affects our private data network or data network customers.

For added security, we ensure that all last-mile connections are with customer premise routers and never directly to a customer LAN/Host.

Data and Internet Backbone Network Segregation Summary

We maintain separate networks for Internet and data customers

We have  separate dedicated routers in our data center for Internet and Data networks

Data and Internet routing instances are separate and are isolated from each other.

In major cities we isolate and offload the Internet traffic via our local IIG aggregation points within that same city.  This ensures the Internet traffic stays local and is not transmitted over our nationwide backbone.  This practice enables the Internet and data traffic segmentation over our nationwide backbone.

Access control / ACL Summary

Our network elements have 3 layer authentication to ensure authorized access as follows:

  • First the device users must be within the allowed network, controlled via the device ACL.
  • Secondly users are able to access only via authorized VPN connection.
  • Finally device users are only authorized to access the device via central radius server authentication.

Device access and service ports are customized in such a way that only authorized persons are aware of the specific ports.

Internet Route Authentication

Before we receive and advertise the client’s ASN IP prefix, we verify the subnet authenticity from APNIC by using Route Object (RO). Any other originating IP advertisements from the client peer are rejected by prefix-lists.

We also maintain RPKI information on all Route Object associated with our AS.

In addition we are maintaining attributes in IPv4 address (inetnum) and AS number (aut-num) objects for whois database lookup.

DPI (Deep Packet Inspection)

On our Internet network we use juniper based DPI for signature based traffic management & can rectify any traffic for the Internet

Content Filtering

All our Internet content filtering is being done by our DPI.

All private data network customer links are under point to point VPN, thus content filtering is not applicable.

Firewall

Firewalls are established in 3 separate layers for both our Internet and private data networks.  Them being 1) our core routers, 2) our POP routers and 3) our customer premise routers. 

For our Internet traffic flow, we maintain a DPI for signature based traffic management.

All our internal servers are isolated behind a hardware firewall.  All our servers are running on LINUX/UNIX operating systems thus ensuring no possibilities of virus or malware infections.

Intrusion Prevention System (IPS)

Alerts are generated and preventive actions are taken from our internal network health monitoring resources with automated SMS/email and recording capabilities for retroactive analysis as follows:

  • DUDE – Real time network device and traffic analyzer
  • Netflow – End to end Traffic flow & Service port analyzer
  • NFSEN – Service port based analyzer
  • SPLUNK – Network device log analyzer
  • CACTI – Network bandwidth analyzer
  • OBSERVIUM – Device analyzer
  • NAGIOS – Client uptime log
  • Customer Log Monitor – customer activities log analyzer
  • Additional alerts are generated from the below external resources:
  • APNIC IP Health Dashboard
  • BGD e-GOV CIRT alert correspondence
  • Real Time Block List – to monitor blacklisted IP and domains for mail servers

Distributed Denial of Service (DDoS) Protection

Our monitoring resources identify and generate alerts for any DDoS attacks, with exact source and destination.  This enables us to take quick preventive measures.

All our routers are fully capable of stopping DDoS attacks. We are able to blackhole source/destination IP/services that have been identified as DDoS attacks.

Malware Protection

All our contents which require network level security/protection have been shifted to Google Cloud to ensure we have access to the most advanced security in the world.  

All of our on-prem servers run on the LINUX/UNIX operating system and are completely isolated behind secure hard firewalls.

All of our network devices are routers and switches which run on Cisco, juniper and mikrotik OS which have device level firewall/ACL.

Our Client data like email, web and personal data are managed by Google Gsuite with world class Google security systems.

AccessTel official mail systems are hosted in Google systems to make our emails fully virus, spam and malware free.

All of our client devices and hosts are managed by the client’s own IT team for security and confidentiality purposes. Only our respective clients are responsible and have access to ensure security for their internal network.

As a service provider we always keep in touch with our clients so that they can implement and manage the latest network security systems for their own network & servers. We remain available to assist our esteemed client for any and all sort of network related security requirements.

Malware protection is enforced from where the content is located and from where it is being provided.  ISP networks are designed primarily to provide high speed network transmission.

Anti-Advanced Persistent Threat (APT)

Real time analysis is conducted from all alerts generated via our monitoring resources described above and mitigation actions are taken where required by our 24/7 network monitoring team.

All the network elements are regularly updated with the latest OS and security patches to ensure protections against global security threats.

Global Threat Feed

We collect data from :

  • APNIC
  • BGD e-GOV CIRT
  • Team Cymru
  • MXTOOLBOX
  • SPAMCOP
  • Sorbs

Network Audit Summary

Our in-house expert team performs Network audits periodically.

Due to the increase in global security threats we have entered into an agreement with FPT Information Systems international cyber security division (CMMI Level 5 & ISO 27001:2013, ASPICE LEVEL 3) to enhance our own capabilities and assist our clients in improving their network security using latest global best practices.

Incident Response Capability Summary

We have 20 different teams as follows to address all our response requirements as follows:

  • Central 24/7 network monitoring team- after receiving alerts performs standard troubleshooting protocols and then, if required, escalates to the appropriate department for further required activities
  • 18 Nationwide zonal teams with networking and routing capabilities to address all zonal network distribution points to client premise response requirements including onsite technical support.
  • Central Core team with advanced networking, routing and security capabilities to address all incidents that are escalated from the 18 nationwide zonal teams.

Security measures for Virus, malware, hacking from Customer

The following network design principles ensure security of our customers as follows:

  • Internet network and Data network are separate
  • Each customer regardless of Internet or data customer has an isolated IP broadcast domain
  • Each and every customer is assigned a separate VLAN with /30 point to point IP address
  • We ensure connectivity to customer premise routers and never directly to any of the customer servers or hosts
  • Due to customer privacy reasons all our Internet corporate customers and bank data customers manage their own internal networks i.e. customer premise routers, LAN, servers and computer.  Therefore, we do not have access to the customer internal network and thus customers themselves need to ensure that they are taking the appropriate measures of the recommended processes to keep their devices virus and malware free through doing regular updates of virus and malware protection tools.  If there is any virus or malware that may be infected in the customer network, our network design ensures that the customer end problem never affects our internal network and thus any other customers that are connected to our network. Moreover, for enhanced security and protection, all customers are strongly recommended to use VPN to establish transport level security between their offices/branches, as point-to-point tunnels will always keep their traffic private and free from any unwanted access from the network service provider.

Firewalls established in 3 separate layers (for both our Internet and private data networks 1- our core routers, 2- our POP routers and 3- our customer premise routers) enable the rectification of any cyber threat and unwanted activities at each level. As soon as we detect any unusual activity being generated from any one customer, we notify the client immediately to take appropriate action and if there are any delays in addressing this from the customer side then we disable their access to our network until they fix the problem.

All our routers mentioned above are fully capable of stopping IP/Ports. Common malicious ports are blocked & we can filter malicious ip/ports as per client requirement on demand.

Certifications

Our network is constantly managed by expert network engineers, who have certification from leading vendors and institutes and regularly participate in different networking workshops and training. They attend different training within the country & abroad on a regular basis to keep themselves updated. Below is the list of the certifications and workshops :

  • Cisco Certified network associate (CCNA)
  • Juniper Networks Certified Associate, Junos (JNCIA)
  • Red Hat Certified Engineer (RHCE)
  • CompTIA Linux +
  • Fortinet Network Security Associate (NSE 1 & 2)
  • ePMP Certified Installation Expert
  • CnPilot Certified Installation Expert
  • MikroTik Certified Network Associate (MTCNA)
  • MikroTik Certified Routing Engineer (MTCRE)
  • Oracle Database 11g administrator certified professional
  • Oracle Database 11g administrator certified associate
  • Microsoft Certified Solutions Associate
  • Microsoft Certified professional
  • Huawei Certified ICT Professional (HCIP)
  • BGP & BGP Multihoming routing, ISPAB
  • ISP/NSP Security training by SANOG
  • Infrastructure Security & Multicast training by SANOG
  • Information Security workshop by Bangladesh Computer Emergency Response Team (BD CERT)
  • Network Security Management and Cyber Security training by  ISPAB & ICT Business Promotion Council
  • Google Cloud Certified – G Suite
  • GCP fundamentals certification: core infrastructure , Big data & machine Learning.
  • Cloud OnAir: Remote Working with G Suite.
  • SAP Certified Application Associate

We have entered into a collaboration Agreement with FPT Information System’s Cyber Security Division to be able to extend their expertise to our customers in Bangladesh.  FPT is a leading multinational technology company who have access to the scarce resources globally for cyber security as follows:

  • OSCP-Offensive Security Certified Professional
  • OSCE-Offensive Security Certified Expert
  • OSWE-Offensive Security Web Expert
  • CISSP-Certified Information System Security Professional
  • CISM-Certified Information Security Manager
  • CCIE Security-Cisco Certified Internetwork Expert, Security
  • CISA-Certified Information System Auditor
  • PCI QSA-PCI DSS Qualified Security Assessor
  • GCDA-GIAC Certified Detection Analyst

Confidentiality and Secrecy Summary

We strongly maintain Non Disclosure Agreements with all of our staff, engineers and technicians.

All secrecy and confidentiality issues are incorporated within our employment agreement.

Monitoring/Traffic

Network Operations Center (NOC) & Monitoring

As described above our monitoring and troubleshooting activities are conducted in several layers as follows:

  • We have 20 different teams as follows to address all our response requirements as follows:
    • Central 24/7 network monitoring team- after receiving alerts from our real-time live monitoring tools, they perform standard troubleshooting protocols and then inform the appropriate department for further required action(s)
    • 18 Nationwide zonal teams with networking and routing capabilities to address all distribution network and last mile response requirements.  Some incidences are troubleshooted remotely while others may be addressed via onsite technical personnel from our 18 regional zones and 382 nationwide technical resource partners.
    • Central Core team with advanced networking, routing and security capabilities address all incidents that are escalated from the 18 nationwide zonal teams.

NOTE:– Our monitoring system also generates automatic mail and SMS for generating alerts to the appropriate individuals

Latest threat intelligence?

Our technical team personnel are updated with global security threats & undergo security training / workshops on a regular basis. 

Monitoring Tools

Monitoring servers with automated SMS/email alert system and recording activities for retroactive studies:

  • Observium
  • NFSEN
  • Netflow
  • Cacti
  • Nagios
  • Syslog/Splunk