We have built an extensive backbone for interconnecting our nationwide and city POPs to our NOC in Dhaka. All AccessTEL POP have redundant connectivity for ensuring high level up-time. All nationwide intercity connectivity is established separate mobile operator network for primary and secondary routes.
All backbone within the same city is fully owned and managed by AccessTEL consisting of fiber optic, free space optics and high capacity radio technologies. The core backbone network has a carrier of carrier architecture which enables the provisioning of multiple types of last mile technology used for Broadband connectivity from any of the AccessTEL POPs.
High Capacity Radio
STM Connectivity between cities in Bangladesh over the mobile/NTTN operator TDM Network
Infrastructure Capacity & Coverage
AccessTEL has nationwide distribution to connect any host from anywhere in Bangladesh. AccessTEL has coverage in 64 districts of the country and is expanding. It has more than 706 network distribution points/point of presence (PoP) all over the country. The overall network infrastructure is maintained from 18 regional zonal locations with trained engineers and technicians and for Last mile connectivity we have additional resources of 382 regional partners.
The Backbone network is designed with Multi Ring Topology via different NTTN for redundancy.
All PoPs have dual backbone through different NTTNs and in various critical locations we have Radio backbone for triple redundancy. The Data network is designed so that each PoP is independent and not reliant on any regional or central location for transmission.
For added redundancy Clients may avail our higher level of service of connections from 2 separate PoP locations. Therefore, in the event a PoP is disconnected from our network or even if both our DC and DR sites are disconnected from our network at the same time or our central NOC is disconnected from our network, none of our Data customer’s service will be impacted.
DC and DR sites have redundancy via Multi Ring Topology.
Failure Downtime Effect
The design of our network ensures that downtime in any one location will not significantly affect the services in any other location.
For Security purposes we maintain 2 separate networks. One is for our Internet customers and a separate private network data network for our bank customers.
Every customer has an isolated IP broadcast domain. This ensures that problems arising in any one customer’s own network (i.e. customer server or laptop) can never interfere with any other customer’s network or our internal network.
Each and every customer is assigned a separate VLAN with /30 point to point IP address. This ensures that all customer network broadcasts are completely separate. Thus meaning, we never put 2 customers (either on the Internet or Private data network) on the same broadcast domain.
All our private data network customers are assigned exclusive Private IP blocks on our private data network which is separate from our internet network. This ensures that any issues in the global Internet networks never affects our private data network or data network customers.
For added security, we ensure that all last-mile connections are with customer premise routers and never directly to a customer LAN/Host.
Data and Internet Backbone Network Segregation Summary
We maintain separate networks for Internet and data customers
We have separate dedicated routers in our data center for Internet and Data networks
Data and Internet routing instances are separate and are isolated from each other.
In major cities we isolate and offload the Internet traffic via our local IIG aggregation points within that same city. This ensures the Internet traffic stays local and is not transmitted over our nationwide backbone. This practice enables the Internet and data traffic segmentation over our nationwide backbone.
Access control / ACL Summary
Our network elements have 3 layer authentication to ensure authorized access as follows:
Device access and service ports are customized in such a way that only authorized persons are aware of the specific ports.
Internet Route Authentication
Before we receive and advertise the client’s ASN IP prefix, we verify the subnet authenticity from APNIC by using Route Object (RO). Any other originating IP advertisements from the client peer are rejected by prefix-lists.
We also maintain RPKI information on all Route Object associated with our AS.
In addition we are maintaining attributes in IPv4 address (inetnum) and AS number (aut-num) objects for whois database lookup.
DPI (Deep Packet Inspection)
On our Internet network we use juniper based DPI for signature based traffic management & can rectify any traffic for the Internet
All our Internet content filtering is being done by our DPI.
All private data network customer links are under point to point VPN, thus content filtering is not applicable.
Firewalls are established in 3 separate layers for both our Internet and private data networks. Them being 1) our core routers, 2) our POP routers and 3) our customer premise routers.
For our Internet traffic flow, we maintain a DPI for signature based traffic management.
All our internal servers are isolated behind a hardware firewall. All our servers are running on LINUX/UNIX operating systems thus ensuring no possibilities of virus or malware infections.
Intrusion Prevention System (IPS)
Alerts are generated and preventive actions are taken from our internal network health monitoring resources with automated SMS/email and recording capabilities for retroactive analysis as follows:
Distributed Denial of Service (DDoS) Protection
Our monitoring resources identify and generate alerts for any DDoS attacks, with exact source and destination. This enables us to take quick preventive measures.
All our routers are fully capable of stopping DDoS attacks. We are able to blackhole source/destination IP/services that have been identified as DDoS attacks.
All our contents which require network level security/protection have been shifted to Google Cloud to ensure we have access to the most advanced security in the world.
All of our on-prem servers run on the LINUX/UNIX operating system and are completely isolated behind secure hard firewalls.
All of our network devices are routers and switches which run on Cisco, juniper and mikrotik OS which have device level firewall/ACL.
Our Client data like email, web and personal data are managed by Google Gsuite with world class Google security systems.
AccessTel official mail systems are hosted in Google systems to make our emails fully virus, spam and malware free.
All of our client devices and hosts are managed by the client’s own IT team for security and confidentiality purposes. Only our respective clients are responsible and have access to ensure security for their internal network.
As a service provider we always keep in touch with our clients so that they can implement and manage the latest network security systems for their own network & servers. We remain available to assist our esteemed client for any and all sort of network related security requirements.
Malware protection is enforced from where the content is located and from where it is being provided. ISP networks are designed primarily to provide high speed network transmission.
Anti-Advanced Persistent Threat (APT)
Real time analysis is conducted from all alerts generated via our monitoring resources described above and mitigation actions are taken where required by our 24/7 network monitoring team.
All the network elements are regularly updated with the latest OS and security patches to ensure protections against global security threats.
Global Threat Feed
We collect data from :
Network Audit Summary
Our in-house expert team performs Network audits periodically.
Due to the increase in global security threats we have entered into an agreement with FPT Information Systems international cyber security division (CMMI Level 5 & ISO 27001:2013, ASPICE LEVEL 3) to enhance our own capabilities and assist our clients in improving their network security using latest global best practices.
Incident Response Capability Summary
We have 20 different teams as follows to address all our response requirements as follows:
Security measures for Virus, malware, hacking from Customer
The following network design principles ensure security of our customers as follows:
Firewalls established in 3 separate layers (for both our Internet and private data networks 1- our core routers, 2- our POP routers and 3- our customer premise routers) enable the rectification of any cyber threat and unwanted activities at each level. As soon as we detect any unusual activity being generated from any one customer, we notify the client immediately to take appropriate action and if there are any delays in addressing this from the customer side then we disable their access to our network until they fix the problem.
All our routers mentioned above are fully capable of stopping IP/Ports. Common malicious ports are blocked & we can filter malicious ip/ports as per client requirement on demand.
Our network is constantly managed by expert network engineers, who have certification from leading vendors and institutes and regularly participate in different networking workshops and training. They attend different training within the country & abroad on a regular basis to keep themselves updated. Below is the list of the certifications and workshops :
We have entered into a collaboration Agreement with FPT Information System’s Cyber Security Division to be able to extend their expertise to our customers in Bangladesh. FPT is a leading multinational technology company who have access to the scarce resources globally for cyber security as follows:
Confidentiality and Secrecy Summary
We strongly maintain Non Disclosure Agreements with all of our staff, engineers and technicians.
All secrecy and confidentiality issues are incorporated within our employment agreement.
Network Operations Center (NOC) & Monitoring
As described above our monitoring and troubleshooting activities are conducted in several layers as follows:
NOTE:– Our monitoring system also generates automatic mail and SMS for generating alerts to the appropriate individuals
Latest threat intelligence?
Our technical team personnel are updated with global security threats & undergo security training / workshops on a regular basis.
Monitoring servers with automated SMS/email alert system and recording activities for retroactive studies: