RE: Contractors on Company Networks - Network segregation

["Bill Lavalette" <billl () cyberbase7 com>]

Willie -

We too were faced with this issue. Here are the things we did to somewhat
lock them down..

first we determined what internal resources they needed I.E. printer access
internet access etc etc..

using NT we brought them on the domain with timed access from x to y for
instance if the contractor was to work for 8am to 5pm at 5:01 access was
terminated. and internal resources were denied

the other thing that is vital is that all contractors sign a NDA this will
give you the legal leverage should something go wrong.

that was for contractor needing internal access.

for contractor needing only internet access a separate subnet was created on
the firewall. this subnet had one dhcp server and a handful of IP's all
access from this contractor net was denied to internal resources and all
they were allowed to do is use the internet.

Depending on your security policy one of the things that you might want to
add if its not already in place is that the business owner of the project
that requires the contractor needs to make all requests to the MIS
department prior to the contractor arriving on site. within this request
would be the criteria for the work to be done.

Access time start - finish
level of internal access
project managers name
and a director sign off.

in the event that something bad goes wrong there is a chain of
responsibility that if properly followed will save you many headaches when
the finger pointing starts.


This has worked fairly well for us I hope you can find some of it useful for
your own situation...

Regards,

Bill Lavalette
Chief Security Officer
CyberBase7 Security Services METRO-SOC
Email:billl () cyberbase7 com
WWW:http://www.cyberbase7.com

-----Original Message-----
From: William Kupersanin [mailto:kuper () glue umd edu]
Sent: Friday, November 15, 2002 10:34 AM
To: security-basics () securityfocus com
Subject: Contractors on Company Networks - Network segregation



We have been struggling with the problem of how to safely allow
contractors onto our network while keeping them from sensitive corporate
resources. One of the models that we have been looking at is one seen in
some hotels and internet cafes where a user is initially brought up on a
network that provides access to only a dhcp server and a web server where
that person can then register for additional access. After registration
the user is then able to freely access Internet resources.

I am wondering if anyone on the list has implemented, or thought about
implementing, such a system and how it might be done.

Some thoughts that occur to me is setting the network up behind a firewall
that initially shuns all ip addresses until a provisioning process
(triggered by the registration) causes the firewall to "unshun" the
device for some specified period of time.

Another thought that occurred to me is that a user could come
up on a limited VLAN and then change their VLAN membership after
registration. My only problem with this is that I don't know how to safely
get the commands from the web server/provisioner to the switch in order to
change the VLAN.

If anyone has any ideas or comments, or can point me towards any resources
that discuss this issue, I would greatly appreciate it.

-- Willie