Security Basics mailing list archives
RE: Vendor wants remote control of our Servers and Workstations
From: John Brightwell <brightwell_151 () yahoo co uk>
Date: Mon, 10 Mar 2003 14:45:37 +0000 (GMT)

Of course the age-old problem with security is that the access restriction can impact on usability or support.

If you go ahead with the proposed solution then the Vendor has significant access to your internal network.

How much do you trust the vendor?
Are they liable for any damage they cause while connected?
Is their network secure? (After all, they are setting up VPNs to various customers ... do they have their firewall rules set up correctly? Are they physically secure?)
How do they manage the access control of the remote control app - I'm guessing it's password based (do they take due care in enforcing/protecting/changing the passwords?)
Could one of their contracted cleaners/caretakers sit at an engineer's PC at night and log on using the password scribbled down on a Post-it note?
What about disaffected vendor employees?
Virus/Worm propagation (you're bypassing your perimeter security and any first level filtering that would normally take place)

Their security posture should be at least as secure as your own.

What do you have to lose? If someone has access to your internal network what can they achieve? (commercial secrets, financial reward, damage to your systems or a third party)

Personally I think allowing this level of access to an internal system is a big risk.

Bear in mind that if this vendor uses the same method to support a number of customers the vendor may be a choice subject to attack (someone may break into their network to gain access to a targeted customer network). So, even if your company isn't a premium target you may still get hit.

I'd find out how often they need to provide this service (no wild claims ... facts and figures stating what support calls they've dealt with in the past and how this would have been improved by the remote control solution).

Get hold of a couple of reference sites to whom the Vendor provides this service and speak to your counterpart there (of course, they may not be keen to talk about such a hole in their security).

Can the machines to which the vendor needs access be isolated in a separate DMZ?

How can the service be audited? (Otherwise they can't be held accountable for anything that goes wrong.) What if an engineer who's having a bad day accidentally logs onto your site instead of another customer and makes significant changes ... if they know there's no auditing, what are the chances that they'll draw their mistake to your attention?

Turn the heat back onto the people who are pressing you for a decision - get them to come back with more detail.

What are the real benefits? (actual time and money saved)
What other options are available?
Can the systems be isolated and closely monitored? (at what cost)
Can the firewall rules be added only for the period of the support call? (may be possible if the requirement is infrequent and can be scheduled)

If you have any regulators or other bodies who may be concerned at such a security hole (such as an insurer), find out what their recommendation is...

Ultimately you are an agent of the business, and if it makes sound business sense to provide this service then you need to work out how to manage the risk (as long as the business is aware of the issues). This may involve policy around how the service can be used, contractual agreements with the vendor on how they manage the security of the service (maybe even insurance to cover any potential damage) as well as technical measures to limit the scope of any attack coming via this route (extra firewalling, IDS, log monitoring).

If the software is falling over so often that the vendor needs a permanent connection to keep on fixing the problems then maybe a different product should be used (do you really want them to be able to connect to production servers ... possibly without your knowledge?). Similarly for the training issue. They are both nice features but the business should look at how much time (and money) is saved and compare that with the risk.

In practice most support calls can be managed over the phone (with the customer developing a better understanding of the product through acting as the driver of the keyboard during the troubleshooting) and for the odd call that is more complex a site visit can be arranged (which is intuitively handled more securely by the staff than remote control, which may be completely transparent to the customer).

The 'Desktop Streaming' support concept from expresscity is an interesting idea ... this still represents a security risk but not quite as wide open (particularly if the service can be invoked so that the engineer has read-only access ... I don't know if this is possible).

I'll be interested to hear other people's comments ... more and more vendors are proposing this sort of support access (they save a lot of time in dealing with problems because they don't have to interact with the customer - I'd say that they can also 'relax' the quality requirements in recruiting engineers because their deficiency is less obvious to the customer when there's little interaction). I guess the benefit for the customer is similar. They can lose the technical support person and leave it to the vendor to directly support the product.

I used to be a techie, and I found that the quality of support engineers to be found at vendors was extremely variable. If I was still a sys admin I wouldn't want a vendor engineer doing anything directly (and transparently) to my system without me having had a long term support relationship with them (even then I don't like the transparency of the service). Even if they know their own product inside out they could potentially impact on other services running on the device.

-----Original Message-----
From: tony tony [mailto:tonytorri () yahoo com]
Sent: 06 March 2003 03:17
To: security-basics () securityfocus com
Subject: Vendor wants remote control of our Servers and Workstations

Folks

We have an outside vendor (StellarRAD) that wants to come into our network (via VPN) and use pcAnywhere to maintain his software on 5 production servers.

Vendor wants to also use a product like Blue Ocean to remotely control our workstations to help users with software problems (i.e. software is complex) or for troubleshooting. Blue Ocean software allows bi-directional file transfers and chat between the vendor and workstations.

I approve all tickets for firewall changes. I told our firewall and network people that this ticket just does not *smell right* and I will conduct some research on the security issues. As always, the vendor/network/firewall people are putting the heat on to me to approve the ticket ASAP.

In your opinion what are all the security issues? What should I recommend as a more secure way for 1) the vendor to access the StellarRAD production servers remotely and 2) help our users?

=====
Tony Torri CISSP, CISA, CDP, CIA
Senior IS Security & Risk Manager
360.906.7893 (Work)
Northern Telecom LLP