Home page logo

basics logo Security Basics mailing list archives

Re: VPN Access for Consultants
From: Mike Bowler <mbowler () GargoyleSoftware com>
Date: Thu, 20 Nov 2003 13:45:39 -0500

I consult on software development not security, so apply as much skeptism as you feel appropriate ;-)

> We have several consultants working for my company and they have
> requested that I allow vpn access through our firewall to their
> company.  They want to be able to access their network and our network
> at the same time (tunnel).

As a consultant, I would not expect any company to allow me to set up a VPN between their network and my own. I *would* think it reasonable to allow an SSH connection outwards from your network but even this would be considered on a case by case basis.

Even though both are exposing holes in the firewall, VPN and SSH are quite different in intent. An SSH tunnel is opened for a very specific purpose whereas a VPN is an open bridge that anything can cross.

Additionally, people comfortable with SSH tend to be more aware of security issues than others so I'd be more inclined to give access to someone who had specifically asked for SSH access. I'd still want to know that they had an understanding of security issues but asking for SSH would be a good indicator that they might have a clue.

Having said that, I would not consider it unreasonable for you to deny access to both VPN and SSH.

> I told them no, I do not want to create a tunnel between
> my network and theirs but I would allow them to plug their laptops
> into the dmz or outside the firewall so they can access their network.

I think that this is an extremely reasonable compromise. I'd be interested to hear what they want to do that cannot be met by this.

> Do you allow it if the remote network was confirmed to be secure?

I wouldn't assume that any outside network was secure.

Mike Bowler
Principal, Gargoyle Software Inc.
Voice: (416) 822-0973 | Email  : mbowler () GargoyleSoftware com
Fax  : (416) 822-0975 | Website: http://www.GargoyleSoftware.com


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]