Security Basics mailing list archives
RE: Contractors on Company Networks - Network segregation
From: "Bill Lavalette" <billl () cyberbase7 com>
Date: Sun, 17 Nov 2002 09:27:02 -0600
Willie - We too were faced with this issue. Here are the things we did to somewhat lock them down.

First we determined what internal resources they needed, i.e. printer access, internet access, etc. Using NT we brought them on the domain with timed access from x to y; for instance, if the contractor was to work from 8am to 5pm, at 5:01 access was terminated and internal resources were denied. The other thing that is vital is that all contractors sign an NDA; this will give you the legal leverage should something go wrong. That was for contractors needing internal access.

For contractors needing only internet access, a separate subnet was created on the firewall. This subnet had one DHCP server and a handful of IPs; all access from this contractor net was denied to internal resources, and all they were allowed to do is use the internet.

Depending on your security policy, one of the things that you might want to add, if it's not already in place, is that the business owner of the project that requires the contractor needs to make all requests to the MIS department prior to the contractor arriving on site. Within this request would be the criteria for the work to be done: access time start - finish, level of internal access, project manager's name and a director sign-off. In the event that something bad goes wrong there is a chain of responsibility that, if properly followed, will save you many headaches when the finger pointing starts.

This has worked fairly well for us. I hope you can find some of it useful for your own situation...
Regards,
Bill Lavalette
Chief Security Officer
CyberBase7 Security Services
METRO-SOC
Email: billl () cyberbase7 com
WWW: http://www.cyberbase7.com

-----Original Message-----
From: William Kupersanin [mailto:kuper () glue umd edu]
Sent: Friday, November 15, 2002 10:34 AM
To: security-basics () securityfocus com
Subject: Contractors on Company Networks - Network segregation

We have been struggling with the problem of how to safely allow contractors onto our network while keeping them from sensitive corporate resources. One of the models that we have been looking at is one seen in some hotels and internet cafes, where a user is initially brought up on a network that provides access to only a DHCP server and a web server where that person can then register for additional access. After registration the user is then able to freely access Internet resources.

I am wondering if anyone on the list has implemented, or thought about implementing, such a system and how it might be done. Some thoughts that occur to me are setting the network up behind a firewall that initially shuns all IP addresses until a provisioning process (triggered by the registration) causes the firewall to "unshun" the device for some specified period of time. Another thought that occurred to me is that a user could come up on a limited VLAN and then change their VLAN membership after registration. My only problem with this is that I don't know how to safely get the commands from the web server/provisioner to the switch in order to change the VLAN.

If anyone has any ideas or comments, or can point me towards any resources that discuss this issue, I would greatly appreciate it.

-- Willie
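The shun/unshun provisioning model Willie asks about, combined with Bill's two controls (a time-boxed access window and a contractor subnet that is never allowed to reach internal resources), modelled as a small policy engine. This is an added example, not code from either poster; the contractor subnet, the internal ranges and the workday date are constructed values.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed example topology (assumed, not from the thread):
# the contractor subnet sits on its own firewall interface and the
# company's internal ranges are the RFC 1918 blocks.
CONTRACTOR_NET = ip_network("10.99.0.0/24")
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

WORKDAY = datetime(2002, 11, 15)  # constructed clock for the example


def at(hour, minute=0):
    """Return a datetime on the constructed workday."""
    return WORKDAY.replace(hour=hour, minute=minute)


class Provisioner:
    """Registration store plus a default-deny policy for the contractor net.

    A device is "shunned" until registered; registration grants Internet
    access for a fixed window and never grants access to internal ranges.
    """

    def __init__(self):
        self.registered = {}  # ip_address -> expiry datetime

    def register(self, ip, now, hours=8):
        """Unshun a contractor device for `hours` starting at `now`."""
        addr = ip_address(ip)
        if addr not in CONTRACTOR_NET:
            raise ValueError(f"{addr} is not on the contractor subnet")
        self.registered[addr] = now + timedelta(hours=hours)
        return self.registered[addr]

    def expire(self, now):
        """Drop registrations whose window has closed; returns what was removed."""
        gone = sorted(a for a, exp in self.registered.items() if exp <= now)
        for addr in gone:
            del self.registered[addr]
        return gone

    def permitted(self, src, dst, now):
        """Decide one flow from the contractor net: default deny, internal
        ranges always denied, Internet only while the registration is live."""
        s, d = ip_address(src), ip_address(dst)
        if s not in CONTRACTOR_NET:
            return False  # this policy only covers the contractor interface
        if any(d in net for net in INTERNAL_NETS):
            return False  # internal resources denied regardless of registration
        expiry = self.registered.get(s)
        return expiry is not None and now < expiry
```

Running `expire()` from a scheduler at the end of each window is what turns Bill's "at 5:01 access was terminated" into an enforced rule rather than a policy on paper.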