Firewall Wizards mailing list archives

Re: Application requires VPN - How are these handled?


From: Mike Scher <mscher () neohapsis com>
Date: Wed, 2 Apr 2003 10:45:19 -0600 (CST)

On Wed, 2 Apr 2003, Mikael Olsson wrote:
> And, yes, I can see why $bigco would want to put in a clause saying
> "put wireless units on your LAN and we'll sue/cut the connection".
> I'm all for it :)

Well, good, but again, at a large company the asking vendor is just one
among dozens of vendors asking for similar access.  Will the vendor agree
to carry $10M in E&O insurance, list $bigco as a beneficiary, and agree to
indemnify them against all costs associated with a security breach on
vendor's end via which $bigco is harmed?

I've negotiated a number of these working with $bigcos -- and it was
almost always $another_bigco that wanted the ACL-free lan-to-lan
connection under their control.  The $another_bigco was always "sure"
their security was good.  They usually said, "You can trust us!"  When it
came to brass tacks and we said, "if it's so good, you won't mind agreeing
to indemnify us and showing us proof of insurance with $bigco as a named
3rd party beneficiary," they usually balked and agreed to our alternative.

That said, a lan-to-lan connect terminating in a 'vendor landing zone'
with access controls, select application proxies, and monitoring made a
lot more sense for us back then; it has continued to make sense for every
large client we have.  It puts the monitoring of all these various and
sundry pipes in one place, under one audit chain.  The alternative is
*dozens* of lan-to-lan holes in the firewall going straight to the
corporate core.

      -M

-- 
Michael Brian Scher     |     Director, Neohapsis Labs
mscher () neohapsis com    |     General Counsel
Fax: 773-394-8314       |     Vox: 773-394-8310