Security Basics mailing list archives
RE: Vendor wants remote control of our Servers and Workstations
From: "Burton M. Strauss III" <BStrauss () acm org>
Date: Thu, 6 Mar 2003 15:20:59 -0600
With a VPN you don't have to worry about the traffic on the public network - that will be encrypted. And you can insist upon strong authentication for the tunnel itself.

What you do have to worry about is what they can do once they're inside. Unless you erect an internal firewall around the PC Anywhere machines and the production servers, what else can they see/do?

With PC Anywhere, it's essentially as if they're sitting on a PC inside the network with full access to everything on that PC. Obviously and necessarily that gives them access to the production servers that they need. And you assume (or verify) that there's language in the contract about what they do with that access...

But stop and think what they COULD do, if they were sitting on a PC on your network with unfettered access. All of your nightmare scenarios about what a disgruntled employee could do, have now been extended to this 3rd party. And all of their disgruntled employees...

They could install a network sniffer, one that operates INSIDE the firewall. They could map the network. Etc.

-----Burton

-----Original Message-----
From: tony tony [mailto:tonytorri () yahoo com]
Sent: Wednesday, March 05, 2003 9:17 PM
To: security-basics () securityfocus com
Subject: Vendor wants remote control of our Servers and Workstations

Folks

We have an outside vendor (StellarRAD) that wants to come into our network (via VPN) and use pcAnywhere to maintain his software on 5 production servers.

Vendor wants to also use a product like Blue Ocean to remotely control our workstations to help users with software problems (i.e. software is complex) or for troubleshooting. Blue Ocean software allows bi-directional file transfers and chat between the vendor and workstations.

I approve all tickets for firewall changes. I told our firewall and network people that this ticket just does not *smell right* and I will conduct some research on the security issues.

As always, the vendor/network/firewall people are putting the heat on to me to approve the ticket ASAP.

In your opinion what are all the security issues? What should I recommend as a more secure way for 1) the vendor to access the StellarRAD production servers remotely and 2) help our users?

=====
Tony Torri CISSP, CISA, CDP, CIA
Senior IS Security & Risk Manager
360.906.7893 (Work)
Northern Telecom LLP