Where I previously worked we allowed the vendor to VPN in with a client that we
provided and ran PCAnywhere in the mode where they could connect but not control the
machine and then a local admin would work with the vendor to work through whatever
problem was trying to be fixed. Somewhat cumbersome but much safer this way.
Obviously, the local admin needed to understand what the problem was and which
applications the vendor needed to debug so as not to give away any more information
about internal "stuff" than was necessary.
Good luck.
Kevin
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Thu 4/18/2002 2:18 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc:
Subject: RE: Vendor Remote Access
You are between a rock and a hard place with this one. In this case, the
dial-up access required for your support will break the security model you
have in place with a VPN because it bypasses it completely. I have seen
other systems where the customer (you) keeps a generic system on the side,
with all the vendor apps loaded on it, with a connection only to the
outside via phone line, so the vendor support is happy, and then resolves
most of their problems themselves. This requires a religious understanding
of the software, however, and may not solve your issues, as the problem may
not be replicatable on the removed system, so they won't be able to solve
it. You are in a unique system because of all the security concerns around
personal records, criminal records (not sure where in the county system you
work), etc.
My personal recommendation is that you provide the vendors access to ONLY
their apps, via ACLs and system permissions in your O/S.
Jeff Neithercutt CNA, GSEC
Wells Fargo Bank
Corporate Information Protection
155 5th Street MAC 0186-030
San Francisco, CA. 94103
(415)243-5549
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, April 17, 2002 2:39 PM
To: [EMAIL PROTECTED]
Subject: Vendor Remote Access
Our organization works with many third party vendors.
If a department buys a new application from a vendor, it usually comes with
support. This means they should be able to access the server remotely.
Some require PCAnywhere to be installed on the server and can be accessed
via dial-up systems (modem banks).
We have plans to install VPN in the future. If we do get a VPN system, doesn't
the vendor still require some kind of remote control software to administer
their application?
We just want them to administer their application and NOT operating system.
Please let me know what you think.
Thanks,
Jaime