Security Basics mailing list archives

Re: VPN Access for Consultants


From: Byron Sonne <blsonne () rogers com>
Date: Thu, 20 Nov 2003 21:25:54 -0500

> I told them no, I do not want to create a tunnel between
> my network and theirs but I would allow them to plug their laptops into
> the dmz or outside the firewall so they can access their network. They
> proceeded to look at me like I had six heads and act like I was the only
> security admin that wouldn't allow this.

If it's your network, you made the right call 100%. They say their network is secure, but is it really?

I've been asked to do what you're being asked to do, but after I told them that I want to personally audit their network and servers, and want a full report of all security mechanisms, policies, diagrams and copies of standard system images for inspection, they thankfully relented. Until my management changed :(

If you can sell the risk assessment to your bosses, and make them understand the issues, then that REALLY, REALLY helps. Sadly though, make sure you have a paper trail and audit every second the consultants are plugged into your network.

If this doesn't work perhaps you can provide them with a locked down workstation that you've put together yourself and meets your requirements. Perhaps explaining it to them using the 'safe sex' paradigm (your network = your body) might also be of help; sometimes understanding the issue is the real problem... "You say you're not infected, but I'm connecting to every network you connect to" ;)

Too many consultants are just semi-tech-literate suits really, and don't know the true condition of their own infrastructure and its risks. They don't have to care about your network or servers, they're there to sell services and make money, remember that... they'll play you as much as they can. If they still want to access their network from inside yours, then point them to the RJ-11 jack on the wall and offer to lend them a modem :)

--

        For good, return good. For evil, return justice.

