
I personally would never allow a vendor to come into my network and have that kind of 
control, VPN or not.  I would insist on phone support for the end users (if they can't 
do it with phone support and a desktop support person next to the machine then they 
don't know their product very well) and for the server end they could either come into 
your office or walk you through it over the phone; at the most I would allow a 
terminal server session that I open a hole for only if needed, for as long as is 
needed, and only from their IP, and the session is shadowed by a support person to 
watch everything they do.  I am an untrusting person by nature (as are most people in 
infosec in my opinion). If their software is so complicated that an educated, 
on-the-ball support staff can't pick up on it with a good look at it then they need to 
improve their services and software.

Just my opinion, and you know what they say about those <eg>


Patrick S. Harper | CISSP MCSE
[EMAIL PROTECTED]
www.InternetSecurityGuru.com

"Facts are stubborn things; and whatever may be our wishes, our inclination, or the 
dictates of our passions, they cannot alter the state of facts and evidence." --John 
Adams
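The "hole opened only if needed, for as long as needed, and only from their IP" control described above, as an added example that is not part of this thread: a small POSIX sh helper that validates the vendor's source address, destination host and port, and emits a source-restricted iptables exception plus a logging rule and a scheduled removal. The FORWARD chain, conntrack match and use of at(1) for expiry are assumptions about the firewall host; the script prints the commands rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread). Builds a just-in-time firewall exception
# for ONE vendor source IP to ONE destination host and port, logs every new
# session for the person shadowing the vendor, and schedules automatic removal.
# Chain name, conntrack match and at(1) scheduling are assumptions about the host.

# valid_ipv4 ADDR: returns 0 if ADDR is a well-formed dotted-quad IPv4 address.
valid_ipv4() {
  echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  for octet in "$@"; do
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# jit_rules VENDOR_IP DEST_IP PORT MINUTES
# Prints three shell commands, one per line:
#   1. insert the ACCEPT rule (source, destination and port all pinned)
#   2. insert a LOG rule above it so each new vendor session leaves a record
#   3. queue an at(1) job that deletes both rules when the window expires
jit_rules() {
  vendor_ip=$1; dest_ip=$2; port=$3; minutes=$4
  valid_ipv4 "$vendor_ip" || { echo "bad vendor ip: $vendor_ip" >&2; return 1; }
  valid_ipv4 "$dest_ip"   || { echo "bad dest ip: $dest_ip" >&2; return 1; }
  [ "$port" -ge 1 ] 2>/dev/null && [ "$port" -le 65535 ] ||
    { echo "bad port: $port" >&2; return 1; }
  # Cap the window so a "temporary" exception cannot quietly become permanent.
  [ "$minutes" -ge 1 ] 2>/dev/null && [ "$minutes" -le 480 ] ||
    { echo "window must be 1-480 minutes" >&2; return 1; }
  match="FORWARD -s $vendor_ip -d $dest_ip -p tcp --dport $port -m conntrack --ctstate NEW"
  accept="$match -j ACCEPT"
  log="$match -j LOG --log-prefix 'VENDOR-JIT: '"
  echo "iptables -I $accept"
  echo "iptables -I $log"
  echo "echo \"iptables -D $log; iptables -D $accept\" | at now + $minutes minutes"
}

# Usage example with constructed (documentation-range) addresses:
# jit_rules 203.0.113.10 10.0.0.5 3389 60
```

Both inserts go at the top of the chain, so the LOG rule, inserted second, sits above the ACCEPT rule and fires first.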


-----Original Message-----
From: tony tony [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, March 05, 2003 7:17 PM
To: [EMAIL PROTECTED]
Subject: Vendor wants remote control of our Servers and Workstations


Folks

We have an outside vendor (StellarRAD) that wants to come into our network (via
VPN) and use pcAnywhere to maintain his software on 5 production servers. 
Vendor wants to also use a product like Blue Ocean to remotely control our 
workstations to help users with software problems (i.e. software is complex) or for 
troubleshooting.  Blue Ocean software allows bi-directional file transfers and chat 
between the vendor and workstations. 

I approve all tickets for firewall changes.  I told our firewall and network people 
that this ticket just does not *smell right* and I will conduct some research on the 
security issues.  As always, the vendor/network/firewall people are putting the heat 
on to me to approve the ticket ASAP. 

In your opinion what are all the security issues?  What should I recommend as a more 
secure way for 1) the vendor to access the StellarRAD production servers remotely and 
2) help our users?  

=====
Tony Torri CISSP, CISA, CDP, CIA
Senior IS Security & Risk Manager
360.906.7893 (Work)
Northern Telecom LLP


