Security Basics mailing list archives
Re: VPN Access for Consultants
From: Alessandro <a.bottonelli () infinito it>
Date: Thu, 20 Nov 2003 19:16:26 +0100
On Thursday 20 November 2003 00:28, Jennifer Fountain wrote:
They proceeded to look at me like I had six heads and act like I was the only security admin that wouldn't allow this. What is the general consensus on this type of activity? What policies do you have implemented? Do you allow it if the remote network was confirmed to be secure?
Oh well, it much depends on what kind of data / information your external consultants work on. Does your policy have a classification criteria, if so what does it say about, for the sake of example, the remote access of confidential information? Do not forget, then, that once they unplug their laptops they may have recorded YOUR data on their hard disks and can roam happily on planes, trains and anywhere with YOUR data (and laptops are easy to forget somewhere or to be stolen anyway). I would be personally more concerned with administrative countermeasures than trying to technically assess their networks security (for example there may be a clause in their contracts about (not) storing your data locally or about what kind of measures you ask them to take if they do). Besides, if the tunnel is crypted (efficiently) end-to-end (or laptop to your border-router) what do you care what networks they traverse in the process? -- Alessandro Bottonelli CISSP, BS7799 Lead Auditor www.axis-net.it --------------------------------------------------------------------------- ----------------------------------------------------------------------------
Current thread:
- VPN Access for Consultants Jennifer Fountain (Nov 20)
- RE: VPN Access for Consultants David Gillett (Nov 20)
- Re: VPN Access for Consultants Mike Bowler (Nov 20)
- Re: VPN Access for Consultants Steve (Nov 20)
- Re: VPN Access for Consultants lennons (Nov 21)
- Re: VPN Access for Consultants (Little Late) Gabriel Orozco (Nov 25)
- RE: VPN Access for Consultants (Little Late) David Gillett (Nov 25)
- Re: VPN Access for Consultants (Little Late) Jimi Thompson (Nov 26)
- Re: VPN Access for Consultants lennons (Nov 21)
- Re: VPN Access for Consultants Alessandro (Nov 20)
- Re: VPN Access for Consultants Byron Sonne (Nov 21)
- Re: VPN Access for Consultants crtech (Nov 23)
- <Possible follow-ups>
- VPN Access for Consultants Louis Cypher (Nov 21)