Re: Vendor wants remote control of our Servers and Workstations

From: James Lee Gromoll (jgromoll@hotmail.com)
Date: 03/07/03

    From: "James Lee Gromoll" <jgromoll@hotmail.com>
    To: security-basics@securityfocus.com
    Date: Fri, 07 Mar 2003 13:30:42 -0800
    
    

    Take a look at their corporate homepage. I'm not sure what I think after I
    looked at their staff bios. I did not see any computer science backgrounds
    and that makes me wonder... If it were me, I would want control over how
    they do business or a real warm fuzzy feeling about the specific consultant
    working the project.

    >From: "David M. Fetter" <david.fetter@fetterconsulting.com>
    >To: tony tony <tonytorri@yahoo.com>
    >CC: security-basics@securityfocus.com
    >Subject: Re: Vendor wants remote control of our Servers and Workstations
    >Date: Thu, 06 Mar 2003 18:13:46 -0800
    >
    >Is this vendor going to be a long term solution? It sounds like a lot of
    >hassle if they are only going to be there on a short term. Assuming they
    >are long term, VPN is probably the best method. At least then, only a
    >couple ports need to be opened up on the firewall and the traffic will be
    >encrypted. However, the thing to check, or try to push for, is to validate
    >how secure the vendor's network is. If their network is not secure and
    >they are compromised then so is your network. If they don't have proper
    >security policies and measures in place and your company's data is
    >considered sensitive, then it could present a huge security hole. It's
    >basically like making a backdoor into your network through theirs.
    >
    >tony tony wrote:
    >>Folks
    >>
    >>We have an outside vendor (StellarRAD) that wants to come into our network
    >>(via VPN) and use pcAnywhere to maintain his software on 5 production
    >>servers. Vendor wants to also use a product like Blue Ocean to remotely
    >>control our workstations to help users with software problems (i.e.,
    >>software is complex) or for troubleshooting. Blue Ocean software allows
    >>bi-directional file transfers and chat between the vendor and
    >>workstations.
    >>
    >>I approve all tickets for firewall changes. I told our firewall and
    >>network people that this ticket just does not *smell right* and I will
    >>conduct some research on the security issues. As always, the
    >>vendor/network/firewall people are putting the heat on me to approve the
    >>ticket ASAP.
    >>
    >>In your opinion what are all the security issues? What should I recommend
    >>as a more secure way for 1) the vendor to access the StellarRAD production
    >>servers remotely and 2) help our users?
    >>
    >>=====
    >>Tony Torri CISSP, CISA, CDP, CIA
    >>Senior IS Security & Risk Manager
    >>360.906.7893 (Work)
    >>Northern Telecom LLP
    >>
    >
    >
    >--
    >David M. Fetter - http://www.fetterconsulting.com/
    >
    >"The world is full of power and energy and a person can go far by just
    >skimming off a tiny bit of it." Neal Stephenson - Snow Crash


