partner VPN?

linnea.wren · ‎07-24-2007

Hi,

An outside vendor is contracted to maintain our Unity & CallManager servers. For this they want to set up monitoring.

They propose to put a router on our network, and establish a site-site VPN inside our network.

I'm not particularly comfortable with this, but I have to look collaborative, can-do, the opposite of roadblock. And, in truth, it does seem like similar arrangements are regularly set up between partner companies, so maybe it's just a matter of me getting educated enough about things.

I have 3 ideas as to how I can participate in a way that keeps our network safe and auditable, about which I'm hoping to get feedback, comments, suggestions.

#1) Have their VPN land on a Vlan dedicated to them. Set up ACLs to allow traffic from that VLan only to the specific servers they are monitoring. I don't know if that would be sufficient access - Maybe they need access to all the telephone subnets? That may not be known in this forum.

#2) Static nat the servers through our PIX, so they can get their monitoring traffic over the internet. But I don't know as yet what kind of traffic that would be - could be clear text, could be sensitive.

#3) Discover some "best practises" information that shoots down the whole idea.

Any ideas/thoughts will be most welcome!

TIA...

mattiaseriksson · ‎07-24-2007

Linnea,

Basically nr 1 is your best option, but the use of VLAN is not recommended.

Instead of using VLANs and a L3 device with ACLs you should use a firewall to separate the traffic. Terminate the VPN on a DMZ in the firewall, or between outer and inner firewall, and set up tight ACLs to only allow management traffic to the internal network.

srue · ‎07-27-2007

the other problem is once they log in to your Unity/CM servers, how much access do those servers have to the rest of your network?

Jon Marshall · ‎07-27-2007

Hi Linnea

I agree with Steven that the key problem is not to bring them in securely but how you restrict what they can do once they are in.

If you are using a site-to-site VPN you filter the traffic allowed through but what sort of access do they need to the servers. I've faced similiar problems and have used a number of different approaches

1) Site to site VPN. The servers being accessed are firewalled from the rest of the network. Can work but it depends on what the servers are being used for. Firewalling some servers ends up with you opening so many ports on the firewall.

2) Client VPN with Securid. You can implement this so that if the vendor needs access they have to phone up for the securid pin number or you can hand out a certain number of pin numbers to the vendor. Bit more secure than site-to-site in terms of identfying third party.

3) Citrix secure gateway with SecurID for access to windows servers and applications.

In addtion IDS both network and host can also be used for further protection.

To be honest none of them are ideal. In an ideal world you wouldn't need to let vendors in but i've faced this issue in most companies i've worked for. And there comes a point when it is no longer a technical issue but a business/political one and it comes down to the agreement you've signed with the vendor.

That doesn't mean we shouldn't try to make things as secure as possible but you have to be realistic. It depends on the level of security needed by the company weighed against the loss of your voice system.

HTH

Jon