Security's Everyman

Security's Everyman

Friday, March 30, 2007

Just Trust Us (Update)

I stuck to my guns and received a sanatized copy of their router config. Now I'm ready to do business.


A vendor needs access to some systems on our network. They installed a Frame-Relay circuit and sent me a router to connect to the Frame and our network. I told them that before I could connect it I needed to see a copy of the router config because I wanted to see exactly what they are doing so I can make sure that I have the proper controls in place on my side. I also wanted to have something to show the auditors when they ask "What is that router for?"

The vendor told me that they didn't share their configs with customers. I completely understand because I wouldn't give my configs to just anyone. They could give me a sanitized copy of the config. They just want me to trust them without any questions asked. Now I don't have any reason to not trust them. Many other customers of theirs have this same setup, but I still have a problem with them wanting me to put this on my network blindly. I'm still working through this. Management is putting pressure on me to get this completed, but at least they are being understanding of why I'm sticking to my guns.

If any of the rest of you have run into a similar situation how did you handle it? I'd love to hear your stories.


rybolov said...

Only one way to deal with vendors and business partners. You firewall them off with something you control. Never, ever, ever route them directly into your network core without any controls.

A good interconnect follows this pattern: our firewall, our router, circuit, your router, your firewall. There are a couple variants of this, but at the bare minimum you have to control a firewall between us and them. If they want to do the same on their side, then that's their prerogative.

The reason for this architecture is that if you attack us, I can cut the connection. If we attack you, you can cut the connection.

It's not a secret by this point that I'm a closet NIST cheerleader, but check out NIST SP 800-47. Some of it isn't for you, like you probably don't have certification and accreditation and the like, but the concept is at least an OK framework to look at.

Anonymous said...

I completely agree with rybolov, no matter what firewall off that frame circuit from you network. Then you have control over what actually gets into your network from that 'back door'.

If anyone questions this approach what will work best is if you have any policies about security on your network. Such as only machines that have up to date AV software are allowed on the network. Only certain OSs are allowed, etc, etc. With a back door frame circuit terminating directly into your network you are effectively adding that vendor's network to your network and how can you guarantee that their security is up to your standards.

It is just a HUGE can of worms having anything more than the absolute minimum of trust with their network.

As an auditor (which is part of my day to day job function) not only would I note that router, your ignorance of the config but I would also not the potential risk that it exposes your network too. To me this would be a high risk finding and my recommendation would be firewall yourself off from them at a minimum, ideally though I'd recommend fire-walling and only enabling access to your network when that vendor needs it.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.