Educause Security Discussion mailing list archives
Re: Vendor Network Access
From: Scott Link <linksg () SLU EDU>
Date: Mon, 20 Oct 2014 16:57:28 -0500
We get these. It's a joy. Here's a couple of approaches:

1) If they're accessing during business hours, have someone in the app support team set up a web conference (WebEx, GoToMeeting, Fuze, etc.), connect to the server, and then share the desktop. This provides some oversight, but is not very flexible and ties up a staff member during support actions.

2) If the vendor has a set IP or range of IPs, allow them to RDP from those IPs into a jump system that only has access to the target systems--e.g., publish RDP via Citrix, VDI via Xen, etc. (Presuming you already have one of these systems in-hand for other remote users.) Allows for greater flexibility and puts the system behind a "pane of glass". Lock down RDP to prevent mounting drives and cut and paste--this will require coordination to get updates, etc. onto the box(es).

3) Does VPN allow for user-based access? In other words, allow them to VPN, but the network they land on can only get to the target system. Greater flexibility and riskier. You don't know the provenance of the systems they're connecting with--unless the VPN has security posture checking--so there is risk of malware, etc. coming in. There is accountability, at least, by keying off username.

In all approaches, the target system(s) should be in its/their own DMZ, as well. Restrict its access to other areas of the network, only allowing access to devices it must manage, etc.

You're right to be concerned: http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/

On Mon, Oct 20, 2014 at 4:08 PM, John Kaftan <jkaftan () cayuga-cc edu> wrote:
We have an HVAC vendor wanting to get in so they can manage equipment remotely. I know this can be a huge security risk and it could make me a huge "Target". Does anyone have a Vendor Remote Access Policy that they would be willing to share?

Thanks,
John Kaftan
Dean of Information Technology
Cayuga Community College
315.294.8520
*It's all about the students.*
--
Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713
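The lockdown Scott describes in approach 2 (RDP into a jump host only from the vendor's fixed addresses, with drive mounting and cut-and-paste disabled) can be scripted on a Windows jump host. The following is an added example, not code from the thread or from any product mentioned in it. It assumes a Windows Server host with the NetSecurity PowerShell module (Windows Server 2012 or later) and is run from an elevated prompt; the vendor address range is a constructed placeholder from the TEST-NET-3 documentation block, and the rule name and the Test-VendorRdpLockdown function are the example's own names.

```powershell
# Added example (not from the thread): lock down a Windows RDP jump host per
# approach 2. Run elevated on the jump host itself. The vendor range below is
# a constructed placeholder (TEST-NET-3); replace it with the vendor's real
# fixed IP or range.
$VendorAddresses = @('203.0.113.0/24')
$RuleName = 'RDP - vendor jump access only'   # name chosen for this example

# 1. Accept RDP (TCP 3389) only from the vendor's addresses. The built-in
#    "Remote Desktop" rules allow any source, so disable them first; otherwise
#    they would still let the wider world in alongside the narrower rule.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $VendorAddresses -Action Allow -Profile Any | Out-Null

# 2. Disable drive, clipboard, COM/LPT and Plug-and-Play redirection so files
#    cannot be moved on or off the host through the RDP session. These are the
#    machine-policy registry values behind the Group Policy settings under
#    Remote Desktop Session Host > Device and Resource Redirection.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
New-Item -Path $PolicyKey -Force | Out-Null
$Redirection = @{
    fDisableCdm      = 1   # drive redirection (mounting local drives)
    fDisableClip     = 1   # clipboard redirection (cut and paste)
    fDisableCcm      = 1   # COM port redirection
    fDisableLPT      = 1   # LPT port redirection
    fDisablePNPRedir = 1   # Plug and Play device redirection
}
foreach ($name in $Redirection.Keys) {
    Set-ItemProperty -Path $PolicyKey -Name $name -Value $Redirection[$name] -Type DWord
}

# 3. Require Network Level Authentication so the vendor's credentials are
#    checked before a session (and its attack surface) is created.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# 4. Report the effective state so the lockdown can be verified now and
#    re-verified after the coordinated update windows the thread mentions.
function Test-VendorRdpLockdown {
    $rule = Get-NetFirewallRule -DisplayName $RuleName
    $addr = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    $pol  = Get-ItemProperty -Path $PolicyKey
    [pscustomobject]@{
        RdpAllowedFrom   = ($addr -join ', ')
        DriveRedirectOff = ($pol.fDisableCdm -eq 1)
        ClipboardOff     = ($pol.fDisableClip -eq 1)
        PnPRedirectOff   = ($pol.fDisablePNPRedir -eq 1)
    }
}
Test-VendorRdpLockdown
```

The host-side firewall rule is a second layer, not a substitute for the perimeter or DMZ rules Scott recommends: the jump host should also sit in its own DMZ with outbound access limited to the HVAC controllers it manages, so that a compromised vendor session cannot reach the rest of the campus network. Because the redirection policy blocks file transfer, patches and vendor software updates have to reach the box through a separately controlled path, which is the coordination cost noted in approach 2.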