RE: Vendor Remote Access

[Kevin Martin]

Where I previously worked we allowed the vendor to VPN in with a client that we 
provided and ran PCAnywhere in the mode where they could connect but not control the 
machine and then a local admin would work with the vendor to work thru whatever 
problem was trying to be fixed.  Somewhat cumbersome but much safer this way.  
Obviously, the local admin needed to understand what the problem was and which 
applications the vendor needed to debug so-as not to give away any more information 
about internal "stuff" than was necessary.
 
Good luck.
 
Kevin

        -----Original Message----- 
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] 
        Sent: Thu 4/18/2002 2:18 PM 
        To: [EMAIL PROTECTED]; [EMAIL PROTECTED] 
        Cc: 
        Subject: RE: Vendor Remote Access
        
        

        You are between a rock and a hard place with this one.  In this case, the
        dial-up access required for your support will break the security model you
        have in place with a VPN because it bypasses it completely.  I have seen
        other systems where the customer (you) keeps a generic system on the side,
        with all the vendor apps. loaded on it, with a connection only to the
        outside via phoneline, so the vendor support is happy, and then resolves
        most of their problems themselves.  This requires a religious understanding
        of the software, however, and may not solve your issues, as the problem may
        not be replicatable on the removed system, so they won't be able to solve
        it.  You are in a unique system because of all the security concerns around
        personal records, criminal records (not sure where in the county system you
        work), etc....
        My personal recommendation is that you provide the vendors access to ONLY
        their apps, via ACL's and system permissions in your O/S.
        
        
        
        Jeff Neithercutt  CNA, GSEC
        Wells Fargo Bank
        Corporate Information Protection
        155 5th Street  MAC 0186-030
        San Francisco, CA.  94103
        (415)243-5549
        
        
        -----Original Message-----
        From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
        Sent: Wednesday, April 17, 2002 2:39 PM
        To: [EMAIL PROTECTED]
        Subject: Vendor Remote Access
        
        
        Our organization works with many third party vendors.
        
        If a deparment buys a new application from a vendor, it usually comes with
        support. This
        means they should be able to access the server remotely.
        
        Some require PCAnywhere to be installed on the server and can be accessed
        via dial-up systems(modem banks).
        
        We have plans to install VPN in the future. If we do get a VPN system. Don't
        the vendor
        still require some kind of remote control software to administer their
        application ?
        
        We just want them to administer their application and NOT operating system.
        
        Please let me know what you think ?
        
        Thanks,
        Jaime