Educause Security Discussion mailing list archives

Re: Vendor Server Access

From: "Greene, Chip" <cgreene2 () RICHMOND EDU>
Date: Fri, 24 Sep 2010 11:54:12 -0400

We set up each of our vendors with unique credentials and allow them VPN access.  Each credential is stored in a 
database with a responsible university employee assigned.  All traffic is tunneled to campus and only allow traffic to 
their specific servers, and only the necessary ports to complete their support function (rdp, ssh, etc.)  Vendors 
Internet access is blocked while vpn'd into network also.  On top of the network security, we require vendors to have 
individual login credentials to the servers they support.  Local firewalls only allow specific traffic from the vendor 
reserved IP address as well.  All of these connections are documented in a server/application portology diagram as well.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Abreu, 
Jose A
Sent: Friday, September 24, 2010 11:37 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Vendor Server Access

We are in the process of setting up new guidelines on how vendors access our servers as well as application owners.  
Can you share any insight on how your institution is handling this?

Jose Abreu
University of Miami
(Voice) 305.284.5213 (Fax) 305-284-5213


________________________________
Information Services (including the HelpDesk) will NEVER ask for your password or other personal data via email. 
Messages requesting such details are fraudulent. DELETE THEM WITHOUT REPLY.

Current thread:

Vendor Server Access Abreu, Jose A (Sep 24)
- Re: Vendor Server Access Julian Y. Koh (Sep 24)
- Re: Vendor Server Access Alex Keller (Sep 24)
- Re: Vendor Server Access Greene, Chip (Sep 24)
- Re: Vendor Server Access Jeff Kell (Sep 24)
  - Re: Vendor Server Access Bradley, Stephen W. Mr. (Sep 26)
- Re: Vendor Server Access Hugh Burley (Sep 24)