Cisco Support Community

New Member

Please read - my butt is on the line


This may seem inappropriate but my butt is on the line, so please read on.

I have 2 developers who have domain admin rights in a Windows 2000 environment. I discovered on Friday that these 2 have been creating a VPN tunnel to another company's network and having several machines on that network interact with one of our machines on the internal network.

I escalated this issue to our collective supervisor. I know what his response was and I also know what mine was.

I can guarantee that there is going to be a big turf war over this one and so I seek your opinions.

Does this have the potential to become a large security issue?

Thanks all.

New Member

Re: Please read - my butt is on the line

It doesn't have the potential, it already is.


New Member

Re: Please read - my butt is on the line

I'd create a separate domain/forest for the developers and get them out of mine. This way, you can control what they have access to in yours and still give them full control of theirs.

As for security issues:

You also have to figure out if you can trust the developers to tell you what else they have done, let in, let out, etc. E.g., you secured your network. They opened the hole to their network and someone on their network had an unsecured access point giving free access to the 16 yr old with NetStumbler parked 1 block away.

Imagine spam going out your network and you get your IPs blacklisted. Imagine some email that defames a competitor goes out your network and you find your company in a lawsuit. Oh the possibilities!

Also, draft a contract for developers about such things and liability. Might not help the job but it'd give the company some recourse - maybe.

My $.02,


New Member

Re: Please read - my butt is on the line

It's a huge security issue. At my company there would be two developers escorted off site, never to return. With possible court action to follow.


Re: Please read - my butt is on the line

The bottom line is, "Is establishing a VPN tunnel to a third company and allowing access to machines on the internal network OK as per your corporate security policy?" Though it is not uncommon to see VPNs established between an organization and its partner's organization, it does loosen up security a bit. For example, many implementations are designed such that traffic from the VPN peer (which is considered to be trusted) bypasses the organization's firewall. It is keeping such facts in mind, and also to clearly demarcate responsibilities, that security policies are drawn up. If what was done was consistent with the security policy, then there really exists no issue at all. If it is not consistent with the security policy, the developers are in trouble. If you have no policy at all, you need to assess the possible damage, bring it to the notice of the supervisor (make it official and keep a record) and get a corporate security policy in place ASAP.