Security Basics mailing list archives

RE: Vendor wants remote control of our Servers and Workstations


From: Paul Carroll <PaulC () CLC PITT EDU>
Date: Sat, 15 Mar 2003 10:05:14 -0500

If you do not feel 100% comfortable with someone else entering your network,
then don't do it.

Paul J Carroll
Technical Manager
412.281.7488

-----Original Message-----
From: Glenn English [mailto:ghe () slsware com] 
Sent: Monday, March 10, 2003 1:00 PM
To: security-basics () securityfocus com
Subject: RE: Vendor wants remote control of our Servers and Workstations

On Mon, 2003-03-10 at 07:45, John Brightwell wrote:

Personally I think allowing this level of access to an
internal system is a big risk. Bear in mind that if
this vendor uses the same method to support a number
of customers the vendor may be a choice subject to
attack (someone may break into their network to gain
access to a targeted customer network). So, even if
your company isn't a premium target you may still get
hit.

I'll be interested to hear other people's comments ...
more and more vendors are proposing this sort of
support access (they save a lot of time in dealing
with problems because they don't have to interact with
the customer - I'd say that they can also 'relax' the
quality requirements in recruiting engineers because
their deficiency is less obvious to the customer when
there's little interaction). 

I'm but a newbie, but according to 'most everything I've read here and
in books, this customer's request falls into the "don't be silly"
category: giving that kind of access to your networks and servers just
isn't done.

Might it not be better to install a new machine, call the arrangement
with them "co-location", and let them do anything with it they want? And
then have them give *you* access to *their* machine?

It is, of course, possible that I'm missing something here...

-- 
Glenn English
ghe () slsware com

