Exposing an IP Address

Tags: Cabling, Hardware, Hubs, Networking, Routers, Switches
One of my customers wants to use a software vendor who insists on having the IP address of the server which will host his software. He says this is so he can apply daily updates to the software. I am not comfortable exposing the IP addresses of any machine on the network and need some assistance in getting this accomplished without jeopardizing the security of the network. There is a Cayman router using NAT supplying the building. Should I use port forwarding or configure a VPN instead? The last thing I want to do is let anyone have complete control of a machine on the network without some security in place. Thanks in advance.
ASKED: January 3, 2006  7:51 PM
UPDATED: January 8, 2006  12:05 PM

Answer Wiki


Sounds suspicious. Why doesn't he write a program that does the update? I would never open any port for a supplier updating anything. Who is to blame when things go wrong? I wouldn't trust this supplier.

Discuss This Question: 11 Replies

  • Poppaman2
    On the surface (and perhaps a bit deeper than that...) I agree with Jcan123: Who is this guy, and why does he require (direct) access to my server? If this is a situation where a specific port needs access on the server's TCP/IP stack, then a VPN might be a possibility. Have the vendor supply the specific IP address of the system from which the updates will originate, so you can lock down access, IF that's the way you want to go. But again, why does he require specific access?
  • Nephi1
    The only time I have heard of a supplier wanting access to a machine that belongs to a company was when I was starting out in the IT field (professionally). The local council where I worked allowed dial-in (IIRC) access to an OLD (about 10-15 yr old, at the time) AIX machine that had a database and server functions on it. Even then the machine didn't really have much network capability to talk with the Windows machines. I do agree with the previous 2 replies: why would the supplier need access to your machine? The only reason I can think of is if it's a "test" platform for the software and the supplier knows it's going to be buggy. And for me, if I was being a guinea pig, I would have that machine on its own network with explicit access only and everything else would be denied. Well, that was my 2 bob worth.
  • Petroleumman
    Hello, This request could be conceived as suspicious, but is actually a more common request than you may think. Configure a VPN and lock down the vendor's access that way. You should be able to set access to a single machine and restrict what he/she can and can't do from that machine. We use a hardware VPN solution by Juniper that provides us with very granular control and have had no problems. Consult the documentation for whatever VPN solution you have available to you to better understand its limits and capabilities from a security standpoint. Then test some configurations first before opening anything up to your vendor. Also discuss your concerns with the vendor and set some sort of guidelines or rules for access. We use confidentiality agreements with any vendor or client requiring access through our VPN. This way you have something in writing to protect yourself legally. Good Luck!
  • Atomas
    Let people come in your network only under a controlled environment. Can be done with VPN but try not to use MS VPN (Use for example SecuRemote with Checkpoint but I see you have only a router) and manage the authorized traffic. Use static NAT with specific inbound rulebase. Dan
  • Stuntz
    Thank you all for your replies. Today I spoke with the network admin from the vendor and was told they only need port 1223 open and the sending IP address. The client software will be listening on port 1223 for the updates. Wouldn't the sending IP address be the static IP of the router? The rep I spoke with earlier mentioned they needed complete access to the PC, which in fact they do not.
  • DrillO
    There is a lesson in there for all of us... NEVER take the word of a rep... this is just asking for trouble. I always, always talk to the guy that wants the access. Best, Paul
  • Ursulus
    Hi! I'm not surprised you feel uncomfortable about this access but you haven't given enough detail of just what the vendor wants. If he needs desktop access to the server then setting an RDP connection through the router is probably the simplest. I don't usually use a VPN connection but rather configure the router to pass the RDP port, usually 3389, through the firewall to the server in question. If the vendor has a fixed IP address which you can use on the router to limit access on the 3389 port, all the better! It boils down to how much you trust the vendor because you are giving them significant access to the network. Happy New Year! Malcolm
  • Paul144hart
    Even accessing a single port I would say can be dangerous; it's all you need to start sniffing your network. This port calls for UDP and TCP (Truly Global Port). Sounds like they will be replicating a machine. I would put the machine on the DMZ and control access with a firewall. I have had app developers access machines I have put on the DMZ where we were co-developing. Also for demo access from shows. This would allow a public IP mapped to it, and open up the port they requested. But never into the corporate / secure zone.
  • Stuntz
    Thank you again for each of the responses I have received. I have put this machine in the DMZ and limited access to it through the firewall. It is no longer part of the local network.
  • Walterjo
    Allowing access to any part of your network is a huge security risk, as has been mentioned, and should only be done in special situations and under increased scrutiny. As for the daily updates to the software, as a software producer, they should have some way of updating the software so you, as the client, can set up a schedule that will check and update the software on a consistent basis. No need for server access at all. I am not sure why access by the vendor would be needed for this purpose at all.
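The policy the thread converged on (Paul144hart's DMZ placement, Stuntz's single port 1223 restricted to the vendor's sending address, nothing from the DMZ into the LAN) can be sanity-checked before it is typed into the router. The following is an added example, not code from the thread or from any vendor; it models that policy as a first-match, default-deny rule list, evaluates sample flows against it, and flags the mistake a plain port forward would make (an allow with an unrestricted source). The vendor, DMZ and LAN addresses are constructed assumptions from documentation ranges.

```python
"""Model of the inbound policy discussed in the thread: only the vendor's host
may reach the update listener (TCP/UDP 1223) on the DMZ machine, and the DMZ
machine may not initiate anything into the LAN. Addresses are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

VENDOR_SRC = ipaddress.ip_network("203.0.113.10/32")  # assumed vendor sending IP
DMZ_HOST = ipaddress.ip_network("192.0.2.20/32")      # assumed DMZ update host
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")        # assumed DMZ segment
LAN_NET = ipaddress.ip_network("10.0.0.0/24")         # assumed internal LAN
ANY = ipaddress.ip_network("0.0.0.0/0")
UPDATE_PORT = 1223                                    # port named by the vendor


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protos: FrozenSet[str]   # e.g. {"tcp", "udp"}; empty set means any protocol
    dport: Optional[int]     # None means any destination port
    action: str              # "allow" or "deny"


# First match wins; the narrow allow comes first and everything else is denied.
POLICY: List[Rule] = [
    Rule(VENDOR_SRC, DMZ_HOST, frozenset({"tcp", "udp"}), UPDATE_PORT, "allow"),
    Rule(DMZ_NET, LAN_NET, frozenset(), None, "deny"),  # DMZ never reaches the LAN
    Rule(ANY, ANY, frozenset(), None, "deny"),           # explicit default deny
]


def evaluate(policy: List[Rule], src: str, dst: str, proto: str, dport: int) -> str:
    """Return the action of the first rule matching this flow (default deny)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in policy:
        if (s in r.src and d in r.dst
                and (not r.protos or proto in r.protos)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "deny"


def unrestricted_allows(policy: List[Rule]) -> List[Rule]:
    """Allow rules with an any-source match: what a bare port forward amounts to."""
    return [r for r in policy if r.action == "allow" and r.src == ANY]


if __name__ == "__main__":
    print(evaluate(POLICY, "203.0.113.10", "192.0.2.20", "tcp", UPDATE_PORT))
    print(evaluate(POLICY, "198.51.100.7", "192.0.2.20", "tcp", UPDATE_PORT))
```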