Inline....
- -
Robert P. MacDonald, Network Engineer
Gordon Food Service
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> <[EMAIL PROTECTED]> 6/1/00 9:49:08 PM >>>
>
>Gurus,
>
>We have an issue at the moment where several remote software vendors are going
>to insist on using a PCAnywhere like program to maintain machines on our
>network.
>
>Some vendors are on the other side of the world, others are just in another
>state.
Doesn't matter. Network distances don't correlate to 'human' distances.
>Our initial reaction is to say no (and we are strongly discouraging this).
That's a wonderful thing. Who's 'we' (IS or top mgt)? What does your
policy say?
>However, when the crunch comes (ie a mission critical system needs remote
>support), we need a solution to be in place.
Absolutely. Business is business. Somebody has to make the money to pay for
this technology ;-)
>Bearing in mind, once they have PCAnywhere access to a machine that whole subnet
>is vulnerable, someone suggested that we isolate each machine on a separate nic
>of a firewall.
If you isolate them on their own networks, then you will surely put a burden on your
firewall and clients, since all of your internal traffic must now pass the firewall
too. What happens when you now have 5, 10, or many more vendors? Will you be adding
all of these NICs or firewalls to your environment?
I have heard others caution many times before. Be careful about using technology to
solve a non-technical problem (is this one of those??). You need to evaluate what's
important and what needs to be secured. Do you have one or just a few systems
that need protecting? If so, put these off on their own network. Don't build a barrier
around the city to protect the bank.
How does the vendor support you now? Do they dial in? Do they show up to work
on your systems? How much do you trust them?
You could spend a lot of time and/or money making sure you verify & watch their
every move. Maybe you just need to trust them? (I'm going to get beat up on this
one. Where's that fire extinguisher??)
What I'm trying to say is, stand back, look at the situation, evaluate and then
balance the technology & business with common sense. Most of us want a very
secure environment. I know that I do.
If your company decides (via that policy you put so much time into); nope, we can't
risk opening up our internet to support and our vendors must show up to support
us. Cool.
But if the company decides, not a problem. We'll let them through, but
make an attempt to verify who they are, use encryption (security of data via trusted
endpoints), and log whatever we can. That's cool too.
Do you have a change management process (recommended)? Make your vendor
accountable to use it. Make them tell you in detail ahead of time what they're going
to do, how they will do it, how they will back out of the change, etc. Also, make them
do a post-support report. This way they document for you all of the changes and
results.
There. Have I successfully avoided your question? :)
Robert
>What does everyone else do (we are only talking about a few servers where there
>is no local or inhouse support).
>
>regards
>
>Mike McDermid
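As an added illustration that is not part of this thread (and not Check Point's product or any vendor's configuration): the point Robert makes about a PCAnywhere rule exposing "that whole subnet" versus protecting only the few servers that need it can be shown with a tiny first-match firewall policy evaluator. The two policies below differ only in the destination of the accept rule; the evaluator logs every decision, as the reply suggests, and `reachable_hosts()` measures how many internal machines the vendor can open a remote-control session to under each policy. All addresses, host lists and rule comments are constructed for the example; the pcAnywhere ports 5631/5632 are the product's documented defaults.

```python
"""Added example (not from the mailing-list thread): first-match firewall
policy evaluator used to compare the reach of a per-subnet vendor rule
with a per-host vendor rule. Addresses and hosts below are constructed."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str                          # "accept" or "drop"
    src: str                             # source network in CIDR notation
    dst: str                             # destination network in CIDR notation
    dports: frozenset = frozenset()      # empty set means any destination port
    log: bool = True                     # log matches of this rule
    comment: str = ""

    def matches(self, src_ip, dst_ip, dport):
        return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(self.dst)
                and (not self.dports or dport in self.dports))


def evaluate(policy, src_ip, dst_ip, dport, log):
    """Return the first matching rule's action; anything unmatched is dropped.
    Every logged match and every implicit drop is appended to `log`."""
    for number, rule in enumerate(policy, start=1):
        if rule.matches(src_ip, dst_ip, dport):
            if rule.log:
                log.append(f"rule {number} {rule.action} "
                           f"{src_ip} -> {dst_ip}:{dport} ({rule.comment})")
            return rule.action
    log.append(f"implicit drop {src_ip} -> {dst_ip}:{dport}")
    return "drop"


def reachable_hosts(policy, vendor_ip, hosts, dport):
    """Internal hosts the vendor can reach on `dport` under `policy`."""
    return sorted(h for h in hosts
                  if evaluate(policy, vendor_ip, h, dport, []) == "accept")


# Constructed sample environment: one vendor address, one supported server,
# and three other machines that happen to share the server's subnet.
VENDOR_IP = "203.0.113.10"
PCANYWHERE_PORTS = frozenset({5631, 5632})   # pcAnywhere data and status ports
INTERNAL_HOSTS = ["10.1.2.5", "10.1.2.6", "10.1.2.7", "10.1.2.50"]
SUPPORTED_SERVER = "10.1.2.5"

# Broad policy: the vendor's remote-control ports are open to the whole subnet.
SUBNET_POLICY = [
    Rule("accept", "203.0.113.10/32", "10.1.2.0/24", PCANYWHERE_PORTS,
         comment="vendor to entire subnet"),
]

# Narrow policy: one vendor source, one server, remote-control ports only;
# an explicit logged drop covers the rest of the subnet.
HOST_POLICY = [
    Rule("accept", "203.0.113.10/32", "10.1.2.5/32", PCANYWHERE_PORTS,
         comment="vendor to supported server"),
    Rule("drop", "203.0.113.10/32", "10.1.2.0/24",
         comment="vendor to anything else on the subnet"),
]


if __name__ == "__main__":
    for name, policy in (("subnet rule", SUBNET_POLICY), ("host rule", HOST_POLICY)):
        reach = reachable_hosts(policy, VENDOR_IP, INTERNAL_HOSTS, 5631)
        print(f"{name}: vendor can reach {len(reach)} host(s): {reach}")
    audit = []
    evaluate(HOST_POLICY, VENDOR_IP, "10.1.2.6", 5631, audit)
    evaluate(HOST_POLICY, VENDOR_IP, SUPPORTED_SERVER, 22, audit)
    evaluate(HOST_POLICY, "198.51.100.9", SUPPORTED_SERVER, 5631, audit)
    print("\n".join(audit))
```

Under the subnet rule the vendor reaches all four machines; under the host rule only the supported server, and attempts against its neighbours, against other services on the server, or from an unexpected source address each produce a log line that can be reviewed against the vendor's change record.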
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================