+1 on everything ASB said.

  In particular, I'd definitely want some ingress/egress control over that
VPN tunnel.  You're potentially letting anything on their network into
your network (like malware or corporate espionage), and anything on your
network out to their network (like your private data).

  If they insist on doing it this way exactly, I'd use a stand-alone
computer, segregated from the corporate network.  (Or a VM the same way.)

  I would not trust their VPN policy (which they control and can
change/screw up) to protect my corporate assets.
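An added example, not from this thread and not anyone's posted code: the complaint in the original question is that the partner's client "hijacks all our connections", which shows up as the client installing a default route with a lower metric than the LAN's. The script below parses a constructed `route print`-style IPv4 table (sample rows, adapter-name mapping and corporate prefixes are all assumptions) and reports whether the tunnel is a full tunnel and which of your own internal prefixes would be sent into the partner's tunnel instead of staying on your LAN, which is the "your data going out to their network" concern above.

```python
"""
Added example (not from the thread): inspect the IPv4 routes a VPN client
leaves behind and report (a) whether it took over the default route (a
full tunnel that hijacks all traffic) and (b) which of your own internal
prefixes would now be routed into the partner's tunnel.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    gateway: str
    iface: str      # adapter name; "VPN" marks the partner's tunnel adapter
    metric: int


# Constructed sample (assumption, not a real site): the IPv4 section of
# `route print` after the partner's client connected and pushed a default
# route with a lower metric than the LAN's own default route.
SAMPLE_ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      10.99.0.1       10.99.3.7       1
          0.0.0.0          0.0.0.0    192.168.1.1     192.168.1.50      25
      192.168.1.0    255.255.255.0         On-link     192.168.1.50     281
        10.99.0.0      255.255.0.0         On-link        10.99.3.7     257
"""

# Constructed mapping of adapter addresses to adapter names (assumption).
IFACE_NAMES = {"10.99.3.7": "VPN", "192.168.1.50": "LAN"}

# Constructed list of prefixes that make up *your* network (assumption).
OUR_PREFIXES = ["192.168.1.0/24", "10.1.0.0/16", "172.16.0.0/12"]


def parse_route_print(text, iface_names):
    """Turn `route print`-style rows into Route objects; header rows are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        dest, mask, gateway, iface_ip, metric = parts
        try:
            prefix = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
            metric = int(metric)
        except ValueError:
            continue
        name = iface_names.get(iface_ip, iface_ip)
        routes.append(Route(prefix, gateway, name, metric))
    return routes


def best_route(routes, ip):
    """Longest-prefix match; equal prefix lengths are decided by lowest metric."""
    addr = ipaddress.IPv4Address(str(ip))
    candidates = [r for r in routes if addr in r.prefix]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.prefix.prefixlen, -r.metric))


def is_full_tunnel(routes, vpn_iface="VPN"):
    """True when the winning default route points into the VPN adapter."""
    defaults = [r for r in routes if r.prefix.prefixlen == 0]
    if not defaults:
        return False
    return min(defaults, key=lambda r: r.metric).iface == vpn_iface


def prefixes_routed_into_tunnel(routes, our_prefixes, vpn_iface="VPN"):
    """Internal prefixes whose traffic the client would send into the tunnel.

    Probes the first host of each prefix: a prefix with its own on-link or
    LAN route stays reachable, everything else falls through to the default
    route, which in a full tunnel is the partner's adapter.
    """
    hijacked = []
    for p in our_prefixes:
        net = ipaddress.IPv4Network(p)
        probe = net.network_address + 1
        r = best_route(routes, probe)
        if r is not None and r.iface == vpn_iface:
            hijacked.append(p)
    return hijacked


def assess(text=SAMPLE_ROUTE_PRINT, iface_names=IFACE_NAMES, our_prefixes=OUR_PREFIXES):
    """Summarise the routing table: full tunnel? which of our prefixes are hijacked?"""
    routes = parse_route_print(text, iface_names)
    return {
        "full_tunnel": is_full_tunnel(routes),
        "internal_prefixes_into_tunnel": prefixes_routed_into_tunnel(routes, our_prefixes),
    }


if __name__ == "__main__":
    result = assess()
    print("Full tunnel (all traffic hijacked):", result["full_tunnel"])
    print("Internal prefixes that would go into the partner tunnel:",
          result["internal_prefixes_into_tunnel"])
```

On the constructed table, the on-link 192.168.1.0/24 route keeps the local LAN reachable, but the other corporate prefixes have no route of their own and fall through to the VPN default, which is exactly the "can't print, can't reach the file servers" outcome described in the question. Running the same check against the real `route print` output on the kiosk machine tells you what the client actually does before you decide what the isolated host may talk to.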

On Mon, Feb 13, 2012 at 10:24 AM, Andrew S. Baker <[email protected]> wrote:

> Here's how I would proceed:
>
>    - Immediately send them a note thanking them for their newfound
>    dedication to security, but indicating that it will take some time to
>    comply, as you have change management procedures that you need to
>    implement.
>
>    - Express your concerns about the nature of the VPN software, and
>    request that they provide you with information about the tunnel.  (Point
>    out to them that if two of your vendors were to make this sort of request,
>    you'd have all sorts of problems)
>
>    - Indicate that you would greatly prefer a site-to-site VPN that you
>    can control at your border devices to ensure that *your* network is also
>    protected.  Even better if this is already in your corporate security
>    policy.
>
>    - Get your management to talk to their management and indicate the
>    unreasonableness of the request both in principle and from a timing
>    perspective.
>
>
>    - Let us know who the vendor/partner is, so we can duly avoid them, or
>    ensure that our contracts with them mitigate operational risk.
>
>
>
> >> I know this must happen elsewhere with B2B stuff, is there a model I
> >> should be following?
>
> I've had other B2B vendors try it, and in 90% of the cases, I've
> successfully done the above.  In the other 10%, I've set up a single TS
> machine (or workstation, depending on volume) and connected *that* to the
> partner/vendor network instead.
>
> Virtualization will be helpful here, as will your management team.
> Having a good security policy and change management process are a plus here
> as well.  They should be able to understand that, if they're a big company.
>
> Oh, and you're not interested in dealing with their IT team primarily --
> speak to someone closer to the money.
>
>
> ASB
> http://XeeMe.com/AndrewBaker
> Harnessing the Advantages of Technology for the SMB market…
>
>
>
> On Mon, Feb 13, 2012 at 9:32 AM, Sam Cayze <[email protected]> wrote:
>
>> Concerned about this, not sure how to proceed, and this is a first for me.
>>
>> A long-time customer has suddenly required that we access their B2B
>> portal via installing their VPN software, essentially connecting to their
>> network in order to access the portal. (Which we have in the past, and
>> going forward, utilize heavily.)
>>
>> My concerns:
>> They gave us 1 day's notice.  (Hardly; more like 12 hours.)  They emailed
>> us Sunday and expected that I have the VPN clients installed on all PCs by
>> the AM.
>> I have no idea of their security on the tunnel, and what lies on their
>> network that could seep onto our machines.
>> Their tunnelling policy is not to my liking... It hijacks all our
>> connections, so that our users would not be able to print, access email,
>> file servers, our gateway, etc.  (Which might be safer... the networks
>> essentially can't talk to each other.) So there would be no way our users
>> could get anything done with the connection active.
>> By their short notice and poor planning, the poor documentation, and the
>> badly configured installer they gave us, I just don't have much trust in
>> the system and their security practices.
>>
>> I know this must happen elsewhere with B2B stuff, is there a model I
>> should be following?  Questions I should be asking?  Agreements and
>> security policies to be signed?  I would sure think so.
>>
>> In the meantime, I'm going to set up a dumb kiosk on an isolated network
>> with the VPN software so my users can at least walk up to it and access
>> what they need so our projects keep moving.  I'm going to try and address
>> my concerns with them, but from what I hear, their IT dept is quite hard to
>> work with, if you can even get anyone to help.  (It's a very large company).
>>
>> Any thoughts and suggestions would be highly appreciated.  TIA.
>>
>> Sam
>>
>>
>> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>
> ---
> To manage subscriptions click here:
> http://lyris.sunbelt-software.com/read/my_forums/
> or send an email to [email protected]
> with the body: unsubscribe ntsysadmin
>
