Educause Security Discussion mailing list archives

Re: Vendor Network Access


From: John Kaftan <jkaftan () CAYUGA-CC EDU>
Date: Tue, 21 Oct 2014 12:53:20 +0000

Thanks Dennis:

I am on the fence about this.  For IT whenever someone needs to come in to support us we do a screen share from the 
Network guys’ PCs.  I am tempted to require this same sort of access with the HVAC vendor.  If a vendor needs to get in 
they have to have someone on our side to initiate the “Join.me” or “Webex” etc. connection and sit there and work with 
the vendor.  That way it would be for more of a support role and our HVAC guys would be able to see what is going on so 
they can learn and need less help.

I agree, if we allowed it at all, there would have to be total segmentation which there should be anyway, even if 
nobody is coming in from afar.

What I am wondering is if anyone has a list of hoops the vendor would need to jump through before we would allow this, 
e.g.

1. Passwords on HVAC equipment must be changed from default.
2. All network protocols must be secure, no HTTP or Telnet.
3. Connections will only be allowed from a single corporate IP address.
4. Only RDP traffic will be allowed to an onsite server for the HVAC equipment via VPN or RDG (RDP Gateway).
5. No site unique information can be stored on tech laptops.
6. Each tech must have their own login to the server.

I’m not saying all of these are necessary but they are a few that come to mind.

John
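The checklist above can be turned into a mechanical audit of what the BMS-segment firewall actually sees. The script below is an added illustration, not something posted in the thread or in use at either school: it assumes a hypothetical log format (`src= dst= proto= dport=`), a placeholder vendor address and onsite RDP server, and checks each connection against items 2, 3 and 4 (no HTTP/Telnet, single corporate source IP, RDP-only to the onsite server).

```python
"""Audit BMS-segment firewall log lines against a vendor remote-access policy."""
import ipaddress
import re

# Assumed policy values: documentation placeholders, not real addresses.
CORPORATE_VENDOR_IP = ipaddress.ip_address("203.0.113.10")  # item 3: the one approved source
ONSITE_RDP_SERVER = ipaddress.ip_address("10.50.0.5")       # item 4: the onsite server
ALLOWED_PORTS = {3389}                                        # item 4: RDP only
INSECURE_PORTS = {23: "telnet", 80: "http"}                   # item 2: cleartext protocols

# Hypothetical log line shape, e.g. "src=203.0.113.10 dst=10.50.0.5 proto=tcp dport=3389"
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+) dport=(\d+)")


def check_line(line):
    """Return the list of policy violations for one log line ([] means compliant)."""
    m = LOG_RE.search(line)
    if not m:
        return ["unparseable line"]
    src, dst, proto, dport = m.groups()
    src, dst, dport = ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport)
    problems = []
    if src != CORPORATE_VENDOR_IP:
        problems.append(f"source {src} is not the approved vendor address")
    if dst != ONSITE_RDP_SERVER:
        problems.append(f"destination {dst} is not the onsite RDP server")
    if dport in INSECURE_PORTS:
        problems.append(f"cleartext protocol {INSECURE_PORTS[dport]} on port {dport}")
    elif dport not in ALLOWED_PORTS or proto.lower() != "tcp":
        problems.append(f"{proto}/{dport} is not RDP")
    return problems


def audit(lines):
    """Map each non-compliant line to its violations; compliant lines are omitted."""
    findings = {}
    for line in lines:
        problems = check_line(line)
        if problems:
            findings[line] = problems
    return findings


# Constructed sample log lines, not captured traffic.
SAMPLE_LOG = [
    "src=203.0.113.10 dst=10.50.0.5 proto=tcp dport=3389",  # compliant
    "src=203.0.113.10 dst=10.50.0.7 proto=tcp dport=23",    # wrong host, Telnet
    "src=198.51.100.4 dst=10.50.0.5 proto=tcp dport=3389",  # unapproved source
    "src=203.0.113.10 dst=10.50.0.5 proto=tcp dport=80",    # HTTP to the server
]

if __name__ == "__main__":
    for line, problems in audit(SAMPLE_LOG).items():
        print(line)
        for p in problems:
            print("  -", p)
```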



From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Dennis Bohn
Sent: Tuesday, October 21, 2014 7:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Vendor Network Access

Hi John,
When this issue first reared its ugly head ten years ago, we made the decision to segment off all HVAC/BMS (Building 
Management Systems) from the rest of our network.  We initially created a separate vlan which routed only to a small 
firewall dedicated to the BMS.  Now we are moving to VRFs but with the same principle.  I highly recommend the 
segmentation approach.  Then it is up to facilities what their vendors have access to and what happens.

HTH,
dennis

Dennis Bohn
Manager of Network and Systems
Adelphi University
bohn () adelphi edu
5168773327

On Mon, Oct 20, 2014 at 5:08 PM, John Kaftan <jkaftan () cayuga-cc edu> wrote:
We have an HVAC vendor wanting to get in so they can manage equipment remotely.  I know this can be a huge security risk 
and it could make me a huge “Target”.  Does anyone have a Vendor Remote Access Policy that they would be willing to 
share?

Thanks,

John Kaftan
Dean of Information Technology
Cayuga Community College
315.294.8520
It’s all about the students.


