An outside vendor is contracted to maintain our Unity & CallManager servers. For this they want to set up monitoring.
They propose to put a router on our network, and establish a site-site VPN inside our network.
I'm not particularly comfortable with this, but I have to look collaborative, can-do, the opposite of roadblock. And, in truth, it does seem like similar arrangements are regularly set up between partner companies, so maybe it's just a matter of me getting educated enough about things.
I have 3 ideas as to how I can participate in a way that keeps our network safe and auditable, about which I'm hoping to get feedback, comments, suggestions.
#1) Have their VPN land on a VLAN dedicated to them. Set up ACLs to allow traffic from that VLAN only to the specific servers they are monitoring. I don't know if that would be sufficient access - maybe they need access to all the telephone subnets? That may not be known in this forum.
#2) Static NAT the servers through our PIX, so they can get their monitoring traffic over the internet. But I don't know as yet what kind of traffic that would be - could be clear text, could be sensitive.
#3) Discover some "best practices" information that shoots down the whole idea.
Any ideas/thoughts will be most welcome!
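One way to implement idea #1, as an added example that is not part of the original post: an IOS-style extended ACL applied inbound on the SVI where the vendor's VPN lands, so the vendor can only reach the two monitored hosts. The VLAN number, addresses and the SNMP/ICMP assumption are placeholders; the vendor's actual protocol list replaces the permit lines.

```cisco
! Assumed values (not from the original post): vendor VLAN 100 = 10.99.0.0/24,
! Unity = 10.10.1.10, CallManager = 10.10.1.11, monitoring = SNMP polls + ping.
interface Vlan100
 description Vendor monitoring VPN landing VLAN
 ip address 10.99.0.1 255.255.255.0
 ip access-group VENDOR-MON-IN in
!
ip access-list extended VENDOR-MON-IN
 remark SNMP polling of the two monitored servers only (UDP 161)
 permit udp 10.99.0.0 0.0.0.255 host 10.10.1.10 eq snmp
 permit udp 10.99.0.0 0.0.0.255 host 10.10.1.11 eq snmp
 remark Reachability checks to the same two hosts
 permit icmp 10.99.0.0 0.0.0.255 host 10.10.1.10 echo
 permit icmp 10.99.0.0 0.0.0.255 host 10.10.1.11 echo
 remark Everything else, including the phone subnets, is blocked and logged for audit
 deny ip any any log
```

Because IOS ACLs are stateless, only the vendor-initiated direction is filtered here; the `log` keyword on the final deny is what gives you the audit trail of anything the vendor attempts outside the agreed set.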