Security Basics mailing list archives
Re: Vendor wants remote control of our Servers and Workstations
From: "James Lee Gromoll" <jgromoll () hotmail com>
Date: Fri, 07 Mar 2003 13:30:42 -0800
Take a look at their corporate homepage. I'm not sure what I think after I looked at their staff bios. I did not see any computer science backgrounds and that makes me wonder... If it were me, I would want control over how they do business or a real warm fuzzy feeling about the specific consultant working the project.
From: "David M. Fetter" <david.fetter () fetterconsulting com>
To: tony tony <tonytorri () yahoo com>
CC: security-basics () securityfocus com
Subject: Re: Vendor wants remote control of our Servers and Workstations
Date: Thu, 06 Mar 2003 18:13:46 -0800

Is this vendor going to be a long term solution? It sounds like a lot of hassle if they are only going to be there on a short term. Assuming they are long term, VPN is probably the best method. At least then, only a couple ports need to be opened up on the firewall and the traffic will be encrypted. However, the thing to check or try to push for is to validate how secure the vendor's network is. If their network is not secure and they are compromised, then so is your network. If they don't have proper security policies and measures in place and your company's data is considered sensitive, then it could present a huge security hole. It is basically like making a backdoor into your network through theirs.

tony tony wrote:

> Folks
>
> We have an outside vendor (StellarRAD) that wants to come into our network (via VPN) and use pcAnywhere to maintain his software on 5 production servers. Vendor wants to also use a product like Blue Ocean to remotely control our workstations to help users with software problems (i.e. software is complex) or for troubleshooting. Blue Ocean software allows bi-directional file transfers and chat between the vendor and workstations.
>
> I approve all tickets for firewall changes. I told our firewall and network people that this ticket just does not *smell right* and I will conduct some research on the security issues. As always, the vendor/network/firewall people are putting the heat on to me to approve the ticket ASAP.
>
> In your opinion what are all the security issues? What should I recommend as a more secure way for 1) the vendor to access the StellarRAD production servers remotely and 2) help our users?
>
> =====
> Tony Torri CISSP, CISA, CDP, CIA
> Senior IS Security & Risk Manager
> 360.906.7893 (Work)
> Northern Telecom LLP

--
David M. Fetter - http://www.fetterconsulting.com/
"The world is full of power and energy and a person can go far by just skimming off a tiny bit of it."
Neal Stephenson - Snow Crash