Great Circle Associates Firewalls
(February 1997) 		 
Indexed By Date: [Previous] [Next] Indexed By Thread: [Previous] [Next]
Subject: Re: vendor access ??
From: Bob Beck <beck @ obtuse . com>
Date: Fri, 7 Feb 1997 19:30:48 -0700 (MST)
To: white @ Arco . COM (Gary White)
Cc: firewalls @ GreatCircle . COM
In-reply-to: <3 . 0 . 32 . 19970207173734 . 00697a48 @ users . arco . com> from "Gary White" at Feb 7, 97 05:37:36 pm 
> 
> Hi-
> Does anybody have any general suggestions about the problem of allowing
> a software vendor access to a server machine running their special software,
> which is typically in the center of a company's network... so they can 
> perform maintenance/fixes?  In such a case I typically would not have 
> a problem when they come on site to sit with them and let them work
> away, but often the requirement is to do it remotely somehow.
> 
> Seems a careful setup would imply a special restricted route from whatever
> modem or inbound connection is involved, to a machine quarantined from 
> the rest of one's network... with the "quarantine" meaning open 
> access into the machine, but very restricted outbound...
> 

	First I'd make sure the legal department knew
the score so that your bottom feeders and their bottom feeders
have some sort of arrangement about what their responsabilities
are when they're on your system, and what yours are. 

	Considering they are probably going to need high level access to 
play with their software on your server there may only be
so much you can do. It depends on what your concerns are. 

	If I could get away with I'd run their whole package chrooted
into it's own little hole, along with their remote access
mechanism. That way they come in and fiddle, but don't mess with stuff
outside. Give them some kind of remote access device such as a
SecureNet Keycard so you can be relatively sure it's them, and a means
to come in with it, either through the firewall in an appropriate
manner, or from a modem on the box.

	Of course, you might not be able to do that, in which case I'd
settle for the card, and keeping a good eye on them. If they need
unrestricted high level access to one of your servers it's almost
certain they'll be able to screw you good if they either wanted to or
had a tragic episode of brain-finger disconnect. You are going to have
to trust them to some extent. If you can't do that convince the boss
they have to come on site.

	-Bob

--
Bob Beck					 Obtuse Systems Corporation
beck @
 obtuse .
 com					 http://www.obtuse.com/	
True Evil hides its real intentions in its street address. Search and you
shall find it, and the truth shall set you free.
References:
Indexed By Date Previous: Re: MS Proxy server ??
From: "Earl Meck" <earme @ ausc-nt1 . aus . swr . irs . gov>
Next: Re: TIS: plug-to UDP
From: pelicans @ mindspring . com (BeachCruiser)
Indexed By Thread Previous: vendor access ??
From: Gary White <white @ Arco . COM>
Next: Re: vendor access ??
From: dharris @ kcp . com
Google
 
Search Internet Search www.greatcircle.com