Re: Vendor wants remote control of our Servers and Workstations
From: James Lee Gromoll (email@example.com)
To: email@example.com
Date: Fri, 07 Mar 2003 13:30:42 -0800
Take a look at their corporate homepage. I'm not sure what I think after I
looked at their staff bios. I did not see any computer science backgrounds
and that makes me wonder... If it were me, I would want control over how
they do business or a real warm fuzzy feeling about the specific consultant
working the project.
>From: "David M. Fetter" <firstname.lastname@example.org>
>To: tony tony <email@example.com>
>Subject: Re: Vendor wants remote control of our Servers and Workstations
>Date: Thu, 06 Mar 2003 18:13:46 -0800
>Is this vendor going to be a long term solution? It sounds like a lot of
>hassle if they are only going to be there on a short term. Assuming they
>are long term, VPN is probably the best method. At least then, only a
>couple ports need to be opened up on the firewall and the traffic will be
>encrypted. However, the thing to check or try to push for is to validate
>how secure the vendor's network is. If their network is not secure and
>they are compromised then so is your network. If they don't have proper
>security policies and measures in place and your company's data is
>considered sensitive, then it could present a huge security hole. It's
>basically like making a backdoor into your network through theirs.
>tony tony wrote:
>>We have an outside vendor (StellarRAD) that wants to come into our network
>>VPN) and use pcAnywhere to maintain his software on 5 production servers.
>>Vendor wants to also use a product like Blue Ocean to remotely control our
>>workstations to help users with software problems (i.e. software is
>>for troubleshooting. Blue Ocean software allows bi-directional file
>>and chat between the vendor and workstations.
>>I approve all tickets for firewall changes. I told our firewall and
>>people that this ticket just does not *smell right* and I will conduct
>>research on the security issues. As always, the vendor/network/firewall
>>are putting the heat on to me to approve the ticket ASAP.
>>In your opinion what are all the security issues? What should I recommend
>>more secure way for 1) the vendor to access the StellarRAD production
>>remotely and 2) help our users?
>>Tony Torri CISSP, CISA, CDP, CIA
>>Senior IS Security & Risk Manager
>>Northern Telecom LLP
>David M. Fetter - http://www.fetterconsulting.com/
>"The world is full of power and energy and a person can go far by just
>skimming off a tiny bit of it." Neal Stephenson - Snow Crash