A vendor needs access to some systems on our network. They installed a Frame-Relay circuit and sent me a router to connect to the Frame and our network. I told them that before I could connect it I needed to see a copy of the router config because I wanted to see exactly what they are doing so I can make sure that I have the proper controls in place on my side. I also wanted to have something to show the auditors when they ask "What is that router for?"
The vendor told me that they didn't share their configs with customers. I completely understand because I wouldn't give my configs to just anyone. They could give me a sanitized copy of the config. They just want me to trust them without any questions asked. Now I don't have any reason to not trust them. Many other customers of theirs have this same setup, but I still have a problem with them wanting me to put this on my network blindly. I'm still working through this. Management is putting pressure on me to get this completed, but at least they are being understanding of why I'm sticking to my guns.
If any of the rest of you have run into a similar situation, how did you handle it? I'd love to hear your stories.
Security's Everyman
Friday, March 23, 2007
Just Trust Us
Posted by Andy, ITGuy at 7:28 AM
Labels: Andy ITGuy, information security
10 comments:
The config on their router won't really matter as long as you have control over what routes *out* of their router. I know that the typical Extranet or Business Partner Network (BPN) should be controlled by both a policy router (control site-to-site data leakage) and a firewall (control what leaves the BPN).
Stick to your guns, Andy. Either get a copy of the router configuration or go out and buy a cheap Linksys router and put it between their router and your network. You need to know what sort of traffic is going to be flowing in and out of your network and make certain that it's only doing what it should be doing. Their entry point should be going into a DMZ of some sort on your network so you have some control over the traffic and can limit it to only the systems they actually need to connect to.
I'm glad to hear your management's backing you up on this.
Andy,
One of the benefits of information-centric security is that these kinds of network security problems are minimized, because one has access, usage and audit control at the data level.
It is really a matter of granularity of control. You will notice that Martin speaks of system access, I speak of data access on those same systems.
All the traffic which is originating through the vendor provided router must be screened by a low end firewall on your side and also if some additional authentication can be enforced by way of two factor authentication then it will be very useful to track the users too.
The answer is, don't trust them. You'll need to understand the business case and reasons for this connection. Once you have that information, put in your own controls to ensure the connection and the data conforms as the business expects. You can't anticipate everything, but at least put in measures to audit everything going over that line. And oh ya, keep every email and change control log of everything you do with this. It will save you in the end.
Andy,
This is one of those catch-22 situations that aggravate security managers and consultants / vendors alike. Though not an exact match to your situation, I have been involved in a POC at a customer site where they do not want to provide the credentials we need to have the product function correctly. They insist on testing the product with lesser privileges, and they wonder why things don't work and insist that we told them they didn't need the rights we are asking for.
My issue is that I understand both sides because I have been on both sides. Oh well.
Michael
Wow! Thanks for all the comments. It's great to hear from BOTH sides on this. I know what to do to make this safe because I know where they need to go and can limit the traffic, but I just really think that I should be able to see what they are doing on their end so I can make sure there isn't anything "odd" going on that I need to watch for. The systems that they are needing access to are sensitive in nature and I would hate for the vendor's network to be compromised and then for that to open a door to my systems. As you all know that just because I can limit them to specific systems I can't (don't have tools to) prevent those systems from being compromised and used to attack the rest of the network. Unfortunately these systems are not PCs that I can put end point security on.
Hack the router once you get it in your grubby little hands, of course!
Seriously, though, situations like that just suck. The security butts directly up against the "just get it done" mentality of business. Do you let this one slide and risk always losing these battles? Do you get a different vendor? Do you stick to your guns and risk getting on the wrong side of the business because you're "not being cooperative?"
Such complications!
Of course, you can mitigate, as I think was mentioned above. Drop a firewall or packet inspection device right in behind the router (or whichever side[s] are appropriate) and actually treat it as an untrusted device and lock that sucker down from the wire.
This will just have to be additional cost to both the business and the vendor, although not likely much; just your time, admin overhead, and hardware which is likely not going to be Ferrari-like servers anyway. You can get things done and still make your point about doing things the secure way costing the company less over the long haul as opposed to gambling and/or pretending the issues don't apply.
Don't trust them.
Not because you don't trust THEM but because you don't (or shouldn't) trust ANYONE or ANYTHING outside your area of control.
The only safe & sensible thing is to do as mckeay suggests and put a firewall as your last point of control before the untrusted internet.
You're only dating, not married to the provider. Trust is a multi-level thing. Sure you trust them, but take precautions.
For me, I would explain the risk factor of the situation. It's not a matter of trust but a matter of precaution just in case shit happens.
http://hackathology.blogspot.com
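The controls several commenters describe (limit the vendor link to the systems it needs, audit everything crossing it, and watch for the reachable systems being used against the rest of the network), sketched as an added example that is not part of the original post or its comments. The subnets, allowlist, peer list and space-separated flow-log format are all constructed assumptions.

```python
import ipaddress

# All addresses, ports and log lines below are constructed for illustration.
VENDOR_NET = ipaddress.ip_network("192.0.2.0/24")  # vendor side of the router
# Only what the vendor has a business need to reach: (dst ip, proto, port)
VENDOR_ALLOW = {("10.10.20.5", "tcp", 443), ("10.10.20.6", "tcp", 22)}
# Peers each vendor-reachable system is expected to initiate connections to
EXPECTED_PEERS = {"10.10.20.5": {"10.10.1.10"}, "10.10.20.6": set()}

# Constructed flow log: timestamp, source, destination, protocol, dest port
SAMPLE_LOG = """\
2007-04-02T08:00:01 192.0.2.10 10.10.20.5 tcp 443
2007-04-02T08:00:07 192.0.2.10 10.10.20.5 tcp 23
2007-04-02T08:01:12 192.0.2.10 10.10.30.7 tcp 445
2007-04-02T08:02:30 10.10.20.5 10.10.1.10 tcp 1433
2007-04-02T08:03:44 10.10.20.6 10.10.30.7 tcp 445
2007-04-02T08:04:00 10.10.40.2 10.10.1.10 tcp 80
"""

def parse(line):
    ts, src, dst, proto, port = line.split()
    return {"ts": ts, "src": src, "dst": dst, "proto": proto, "port": int(port)}

def classify(flow):
    """Label one flow seen on the firewall behind the vendor router."""
    if ipaddress.ip_address(flow["src"]) in VENDOR_NET:
        key = (flow["dst"], flow["proto"], flow["port"])
        return "allowed" if key in VENDOR_ALLOW else "vendor-violation"
    if flow["src"] in EXPECTED_PEERS:
        # A vendor-reachable system talking to an unexpected internal host
        ok = flow["dst"] in EXPECTED_PEERS[flow["src"]]
        return "allowed" if ok else "possible-pivot"
    return "out-of-scope"

def audit(log_text):
    """Return (verdict, src, dst, port) for every flow that needs review."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse(line)
        verdict = classify(flow)
        if verdict not in ("allowed", "out-of-scope"):
            findings.append((verdict, flow["src"], flow["dst"], flow["port"]))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(*finding)
```

The same allowlist can drive the deny-by-default rules on the firewall itself; the audit pass covers what the rules let through and what the exposed systems do afterwards.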