Educause Security Discussion mailing list archives

Re: Vendor Network Access


From: Scott Link <linksg () SLU EDU>
Date: Mon, 20 Oct 2014 16:57:28 -0500

We get these. It's a joy.

Here's a couple of approaches:
1) If they're accessing during business hours, have someone in app support
team set up a web conference (WebEx, GoToMeeting, Fuze, etc.), connect to
the server, and then share the desktop. This provides some oversight, but
is not very flexible and ties up a staff member during support actions.
2) If the vendor has a set IP or range of IPs, allow them to RDP from those
IPs into a jump system that only has access to the target systems--e.g.,
publish RDP via Citrix, VDI via Xen, etc. (Presuming you already have one
of these systems in-hand for other remote users.) Allows for greater
flexibility and puts the system behind a "pane of glass". Lock down RDP to
prevent mounting drives and cut and paste--this will require coordination
to get updates, etc. onto the box(es).
3) Does VPN allow for user-based access? In other words, allow them to VPN
but the network they land on can only get to the target system. Greater
flexibility and riskier. You don't know the provenance of the systems they're
connecting with--unless the VPN has security posture checking--so there
is risk of malware, etc. coming in. There is accountability, at least, by
keying off username.

In all approaches, the target system(s) should be in its/their own DMZ, as
well. Restrict its access to other areas of the network, only allowing
access to devices it must manage, etc.

You're right to be concerned:
http://krebsonsecurity.com/2014/02/target-hackers-broke-in-via-hvac-company/


On Mon, Oct 20, 2014 at 4:08 PM, John Kaftan <jkaftan () cayuga-cc edu> wrote:

We have an HVAC vendor wanting to get in so they can manage equipment
remotely.  I know this can be a huge security risk and it could make me a
huge “Target”.  Does anyone have a Vendor Remote Access Policy that they
would be willing to share?



Thanks,



John Kaftan

Dean of Information Technology

Cayuga Community College

315.294.8520

*It’s all about the students.*






-- 
Scott Link
Manager, ITS Infrastructure Operations Security
Saint Louis University
www.slu.edu
314.977.9713
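To make approach 2 plus the DMZ advice concrete, here is a small model of that segmentation policy as an added example (not code from the thread or from either institution). The address ranges, the jump host, the HVAC controller and the management port 443 are all constructed placeholders; the point is to see which flows the design should allow and which it should refuse.

```python
"""Model of the vendor -> jump host -> DMZ target segmentation (added example).
All addresses below are constructed placeholders, not real infrastructure."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    src: str             # CIDR the flow must originate from
    dst: str             # CIDR the flow must reach
    port: Optional[int]  # destination TCP port, None = any port
    action: str          # "allow" or "deny"

VENDOR_RANGE = "203.0.113.0/28"  # vendor's fixed IPs (TEST-NET-3 placeholder)
JUMP_HOST    = "192.0.2.10/32"   # RDP jump system in the DMZ
HVAC_TARGET  = "192.0.2.20/32"   # the HVAC controller, also in the DMZ
CAMPUS_LAN   = "10.0.0.0/8"      # everything else on the campus network

POLICY = [
    Rule(VENDOR_RANGE, JUMP_HOST, 3389, "allow"),  # RDP only from the vendor's IPs
    Rule(JUMP_HOST, HVAC_TARGET, 443, "allow"),    # jump host reaches only the target's mgmt port
    Rule(HVAC_TARGET, CAMPUS_LAN, None, "deny"),   # DMZ host must not wander into campus
    # anything not listed falls through to the default deny below
]

def _match(cidr: str, ip: str) -> bool:
    return ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)

def evaluate(src_ip: str, dst_ip: str, port: int) -> str:
    """First-match evaluation with a default deny; returns "allow" or "deny"."""
    for r in POLICY:
        if _match(r.src, src_ip) and _match(r.dst, dst_ip) and (r.port is None or r.port == port):
            return r.action
    return "deny"

def check_flows() -> dict:
    """Evaluate a constructed set of flows and return {description: decision}."""
    flows = {
        "vendor -> jump RDP":         ("203.0.113.5", "192.0.2.10", 3389),
        "vendor -> target directly":  ("203.0.113.5", "192.0.2.20", 443),
        "other internet -> jump RDP": ("198.51.100.7", "192.0.2.10", 3389),
        "jump -> target mgmt":        ("192.0.2.10", "192.0.2.20", 443),
        "jump -> campus LAN":         ("192.0.2.10", "10.1.2.3", 445),
        "target -> campus LAN":       ("192.0.2.20", "10.1.2.3", 445),
    }
    return {name: evaluate(*f) for name, f in flows.items()}

if __name__ == "__main__":
    for name, decision in check_flows().items():
        print(f"{decision:5}  {name}")
```

Only the two flows the design intends (vendor to jump host over RDP, jump host to the target's management port) come back as allowed; a direct vendor-to-target path, a non-vendor source, and any hop from the DMZ into the campus LAN are refused.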