Comments on: Exposing an IP Address

By: walterjo

walterjo — Sun, 08 Jan 2006 12:05:13 +0000

Allowing access to any part of your network is a huge security risk as has been mentioned and should only be done in special situations and under increased scrutiny. As for the daily updates to the software, as a software producer, they should have some way of updating the software so you, as the client, can setup a schedule that will check and update the software on a consistant basis. No need for server access at all. I am not sure why for this purpose access by the vendor would be needed at all.

By: stuntz

stuntz — Thu, 05 Jan 2006 18:39:14 +0000

Thank you again for each of the responses I have received. I have put this machine in the DMZ and limited access to it through the firewall. It is no longer part of the local network.

By: paul144hart

paul144hart — Thu, 05 Jan 2006 17:09:51 +0000

Even accessing a single port I would say can be dangerous, its all you need to start sniffing your network. This port calls for udp and tcp (Truly Global Port). Sounds like they will be replicating a machine. I would put the machine on the DMZ and control access with a firewall.

I have had app developers access machine I have put on the DMZ where we were co-developing. Also for demo access from shows. This would allow a public IP mapped to it, and open up the port they requested. But never into the corporate / secure zone.

By: ursulus

ursulus — Wed, 04 Jan 2006 16:19:27 +0000

Hi!
I’m not surprised you feel uncomfortable about this access but you haven’t given enough detail of just what the vendor wants.

If he needs desktop access to the server then setting an RDP connection through the router is probably the simplest. I don’t usually use a VPN connection but rather configure the router to pass the RDP port, usually 3389, through the firewall to the server in question. If the vendor has a fixed IP address which you can use on the router to limit access on the 3389 port, all the better!

It boils down to how much you trust the vendor because you are giving them significant access to the network.

Happy New Year!

Malcolm

By: drillo

drillo — Wed, 04 Jan 2006 12:24:27 +0000

There is a lesson in there for all of us…..NEVER take the word of a rep….this is just asking for trouble. I always, always talk to the guy that wants the access.

Best,
Paul

By: drillo

drillo — Wed, 04 Jan 2006 12:24:27 +0000

There is a lesson in there for all of us…..NEVER take the word of a rep….this is just asking for trouble. I always, always talk to the guy that wants the access.

Best,
Paul

By: stuntz

stuntz — Wed, 04 Jan 2006 09:19:48 +0000

Thank you all for your replies. Today I spoke with the Network admin from the vendor and was told they only need port 1223 open and the sending IP address. The client software will be listening on port 1223 for the updates. Wouldn’t the sending IP address be the static IP of the router? The rep I spoke with earlier mentioned they needed complete access to the PC which in fact they do not.

By: atomas

atomas — Wed, 04 Jan 2006 09:06:34 +0000

Let people come in your network only under a controlled environment. Can be done with VPN but try not to use MS VPN (Use for example SecuRemote with Checkpoint but I see you have only a router) and manage the authorized traffic. Use static NAT with specific inbound rulebase.

Dan

By: petroleumman

petroleumman — Wed, 04 Jan 2006 08:54:32 +0000

Hello,

This request could be concieved as suspicious, but is actually a more common request than you may think.

Configure a VPN and lock down the vendors access that way. You should be able set access to a single machine and restrict what he/she can and can’t do from that machine. We use a hardware VPN solution by Juniper that provides us with very granular control and have had no problems.

Consult the documentation for whatever VPN solution you have available to you to better understand it’s limits and capabilities from a security stand. Then test some configurations first before opening anything up to your vendor.

Also discuss your concerns with the vendor and set some sort of guidlines or rules for access. We use confidentiality agreements with any vendor or client requiring access through our VPN. This way you have something in writing to protect yourself legally.

Good Luck!

By: nephi1

nephi1 — Wed, 04 Jan 2006 08:37:04 +0000

The only time I have heard of a supplier wanting access to a machine that belongs to a company was when I was starting out in the IT field (professionally).

The local council where I worked allowed dial-in (IIRC) access to an OLD (about 10-15yr old, at the time) AIX machine that had a database and server functions on it. Even then the machine didnt really have much network capabilities to talk with the windows machines.

I do agree with the previous 2 replies, why would the supplier need access to your machine.

The only reason I can think of is if it’s a “test” platform for the software and the supplier knows its going to be buggy. And for me, if I was been a guienea pig, I would have that machine on it’s own network with explict access only and everything else would be denied.

Well that was my 2 bob worth.