Security Basics mailing list archives

Re: VPN Access for Consultants


From: Alessandro <a.bottonelli () infinito it>
Date: Thu, 20 Nov 2003 19:16:26 +0100

On Thursday 20 November 2003 00:28, Jennifer Fountain wrote:
> They
> proceeded to look at me like I had six heads and act like I was the only
> security admin that wouldn't allow this.  What is the general consensus
> on this type of activity?  What policies do you have implemented?  Do
> you allow it if the remote network was confirmed to be secure?

Oh well, it very much depends on what kind of data / information your external
consultants work on. Does your policy have classification criteria? If so,
what does it say about, for the sake of example, the remote access of
confidential information? Do not forget, then, that once they unplug their
laptops they may have recorded YOUR data on their hard disks and can roam
happily on planes, trains and anywhere with YOUR data (and laptops are easy
to forget somewhere or to be stolen anyway).

I would personally be more concerned with administrative countermeasures than
with trying to technically assess their network's security (for example, there may
be a clause in their contracts about (not) storing your data locally or about
what kind of measures you ask them to take if they do).

Besides, if the tunnel is encrypted (efficiently) end-to-end (or laptop to your
border-router), what do you care what networks they traverse in the process?

-- 
Alessandro Bottonelli
CISSP, BS7799 Lead Auditor
www.axis-net.it
