Non-Employee Network Access

By germain ·
I was hoping to start a discussion on best practices for security concerns related to non-employees accessing a company's network resources while on-site. Vendors, partners, guests, etc. often require some level of network access when on-site at a company, whether it be Internet or some internal resource. The potential for data leakage is a concern, as well as exposing the network to potentially poorly protected laptops. How do we let these people get to the resources they need, and yet ensure the security of the network? What types of policies are out there, and what technology is employed to enforce them?


Wow, you hit the spot.

by tbragsda In reply to Non-Employee Network Acce ...

This comes up often. I don't want anyone from outside the CO on my network, but it's often a request from the top. It's hard to say no to guests of the CEO, etc.

So what to do? A policy is a start, but can't do much. A DMZ segment for visitors is something I keep thinking about, but have done little to implement. It would be easy to "turn on a port" in a conference room or guest office when needed. For WAP, same thing.

Any other thoughts I would love to listen to.


I suppose it all depends on

by HAL 9000 Moderator In reply to Non-Employee Network Acce ...

Exactly how big the business actually is. In my line of work, where I only deal with small business, I generally need access to any affected programs and data. Even though on first contact I always insist I want nothing to do with accounting programs, they do seem to be the bulk of my work after network administration issues.

I get around this by handing any new clients a confidentiality agreement and, unless totally necessary, never take any of my LTs into the place. But when it is necessary I only have the tightest available LTs loaded and never consider opening any of their data unless directly instructed. There have been cases where I've had to recover data from a crashed Windows OS that was not backed up.

While I always instruct and provide the necessary data backup systems that are required by a company, I almost always see the recommendations never used. Maybe it's just my clients, but I tend to think that they all seem to think I'm there to fix up their messes and just do not bother as it is too much work.



non-employee access

by bmarr In reply to Non-Employee Network Acce ...

I believe the solution to this problem would be to have multiple layers of IT and logistical control and security. I don't believe in "banishing" non-employees from connecting to a company's networks as some have suggested. In most cases, there is a true business value in allowing non-employees access to IT resources. The question here is how can that access be controlled and secured?
I'm a huge fan of firewalls. They control, block, and monitor better than most strategies today. The problem with a firewall is that it *usually* only protects networks from the outside (Internet) and vice versa. If a non-employee user were to connect to the "clean" side of an office network, they would have access to all of those internal resources because they won't be passing through a firewall. Even if you put them on a DMZ, they can still port scan the entire DMZ segment and possibly find holes or information that you wouldn't want to be known.
What about companies with an enterprise WAN? If a vendor comes into a small office that is not in the same physical location as your firewall, how do you secure their access then? Once they plug in, they now have full access to all of those resources at that office. One way around this is to put a firewall at each facility, but I believe the cost of that strategy outweighs the value and thus would be shot down.
Another strategy I'm a fan of is policies and procedures. A signature on a disclaimer form can be more powerful than a firewall. The problem with disclaimer forms is that although a vendor or non-employee user signs it, this doesn't mean their machine agrees with it. What I am getting at is: what if their machine has a virus or is infected with a worm that does port scans when connected to a network? Although the user isn't intentionally causing the harm, the computer is.
In the end, I think the solution is to use a combination of techniques to minimize the risk of a security breach.

- Make sure you have a firewall (or IDS) and it is configured correctly. Although it can't do much to help on some internal segments, usually firewalls can detect virus activity/port scans, which could lead you to the culprit.

- Have strict policies in place for non-employee users. Have disclaimers that must be signed before connecting them to the network. Maybe even have a procedure for the local IT staff to scan the non-employee laptop for suspicious activity (virus, network scanning tools) before connecting.

When it comes to this issue, there aren't any proven best practices out there. There are good ideas and strategies, but I think everyone is waiting for that "smoking gun" best practice that makes both the non-employee happy and the company that they connect to secure.
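The post above makes the point that a signed disclaimer does nothing about a guest laptop that is worm-infected and port scanning, and that the firewall's own logs are usually where that shows up. The following is an added example, not part of the thread or any product it mentions: a small detector that reads netfilter-style drop logs from a guest segment and flags a source that hits many distinct destination/port pairs within a short window. The log lines are constructed for the example (the `guest-drop:` prefix, hostnames, timestamps and addresses are all assumptions); the field layout (`SRC=`, `DST=`, `PROTO=`, `DPT=`) is the standard Linux netfilter log format.

```python
"""Spotting a scanning guest laptop in firewall drop logs (added example,
not from the thread). Parses netfilter kernel-log lines and flags any
source that reaches >= min_targets distinct (dst, dport) pairs within a
sliding time window. Hosts, prefix and addresses are assumptions."""
import re
from collections import defaultdict
from datetime import datetime

# Netfilter log lines look like "... SRC=a DST=b ... PROTO=TCP SPT=x DPT=y ...".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\w+)(?: SPT=\d+ DPT=(?P<dport>\d+))?"
)


def _logline(hhmmss, src, dst, dport, spt):
    """Build one constructed netfilter-format drop line for the sample."""
    return (f"Jan 10 {hhmmss} gw kernel: guest-drop: IN=eth1.200 OUT=eth0 "
            f"SRC={src} DST={dst} LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF "
            f"PROTO=TCP SPT={spt} DPT={dport} WINDOW=64240 RES=0x00 SYN URGP=0")


# Constructed sample (not captured traffic): guest .50 sweeps ten ports on a
# file server and two more on a second host within 11 seconds; guest .51
# merely retries one blocked SMB connection.
_SCAN_PORTS = [22, 80, 135, 139, 443, 445, 1433, 3389, 5900, 8080]
SAMPLE_LOG = "\n".join(
    [_logline(f"09:15:{i:02d}", "192.168.200.50", "10.1.1.20", p, 51000 + i)
     for i, p in enumerate(_SCAN_PORTS)]
    + [_logline("09:15:11", "192.168.200.50", "10.1.1.21", 445, 51020),
       _logline("09:15:11", "192.168.200.50", "10.1.1.21", 3389, 51021),
       _logline("09:30:00", "192.168.200.51", "10.1.1.20", 445, 52000),
       _logline("09:30:05", "192.168.200.51", "10.1.1.20", 445, 52001)]
)


def parse_events(log_text):
    """Return {src: [(timestamp, (dst, dport-or-proto)), ...]} from raw log text.
    Lines that do not match the netfilter layout are ignored."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # year-less syslog stamp
        target = (m["dst"], m["dport"] or m["proto"])       # ICMP has no DPT
        events[m["src"]].append((ts, target))
    return events


def detect_scanners(log_text, window_seconds=60, min_targets=8):
    """Flag sources whose distinct targets inside any window_seconds-long
    window reach min_targets. Returns {src: max distinct targets seen}."""
    flagged = {}
    for src, ev in parse_events(log_text).items():
        ev.sort(key=lambda e: e[0])
        start = 0
        for end in range(len(ev)):
            # advance the window start until the span fits in window_seconds
            while (ev[end][0] - ev[start][0]).total_seconds() > window_seconds:
                start += 1
            targets = {t for _, t in ev[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for src, n in detect_scanners(SAMPLE_LOG).items():
        print(f"possible scan from {src}: {n} distinct dst/port pairs in 60s")
```

Thresholds are the judgement call: a laptop with a stale DNS cache will retry a few internal hosts, while a worm or a scanner walks dozens of ports in seconds, so a modest `min_targets` over a short window separates the two without alerting on every dropped packet.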


Actually I have a bigger problem with the CEO's and the like

by HAL 9000 Moderator In reply to non-employee access

Wanting to access the company network from their "home" computers, which have bigger security holes in them than any non-employee who works for a separate company which is responsible for offering a service to a company. Maybe it's just my limited experience, but from what I've seen so far the outside employees generally have a great deal of security already on any LTs that they carry with them, for the very reasons that you have listed. They and their company just don't want to be responsible for doing any damage while on site which they then have to repair at their own cost.

Because I work only with small business I tend to follow all the way through and not only limit myself to the work computer network but also anyone who connects to the work network to retrieve data or download data, like a salesman who is constantly on the road and whose only contact is a daily/weekly download of his data into the company's network. The CEO who just has to connect to the business network is a bigger problem to my way of thinking than any other, as their home computers generally lack any form of protection, or if they had any AV product it has generally expired. So my normal procedure nowadays is not only to limit myself to the company network to lock it down but also anyone else who needs direct access. I've found potentially bigger holes in the network with these home computers than any I've found with outside workers who need to log on for their work reasons.

There is one program which worries me, and that is a medical program that is upgraded by the makers about every 6 months or so. They set a time and then use PC Anywhere to remotely upgrade their program, which contains patient information and all the other details required by the medical practice. While I understand why this is done, I see it as a possible breach of security just waiting to happen at some time. Or it could be that I just do not like the idea of PC Anywhere on these computers that have remote login facilities that need no interaction from the practice user.



Basic starting place

by glyn_canada In reply to Non-Employee Network Acce ...

Subnet them at your switch, attach a laser printer for anyone using that subnet and also allow restricted Internet access. What else do they need?

They have no business being on your network at all, but it is nice to offer them printing and Internet in case they can IMAP their email.

I must be getting soft in my old age.


Again it all depends on the size of the business

by HAL 9000 Moderator In reply to Basic starting place

If they are big enough to have a full time IT staff you may be a little easy, as I do not see why they would need a printer or, for that matter, e-mail access. If it is for a specialized program that they have come out to either upgrade or do some fault finding on, then it is obvious that they would need access to that program at the very least. As far as these types of people are concerned, from my experience they have a job to do with unreal time constraints imposed upon them by their employers, so they mostly just do not have the time or inclination to look too deeply into the system.

On the other hand, I've seen cases of outside repairers steal data and sell it to the opposition for a profit. It is practices like this that I find reprehensible, but in every case that I've run across this it has happened with a brand name computer from a chain store supplier who requires its return for any warranty work. From where I stand this is just not practical, and I even say to my clients that when it comes to HDD warranty there is no such thing, as you just can not afford the data to get out of the company; it is better to wear the cost of a HDD than run the risk of losing control of the data.



DHCP and wireless

by sho_0ff In reply to Basic starting place

What about introducing DHCP and wireless on the external segment? Good idea?

My boss presented me with that scenario. At first I was completely against it, but if we do not broadcast the SSID and use some sort of encryption, what's the big deal? Our internal corporate network and our public servers are still protected via the firewall.


One approach

by bdavidson In reply to Non-Employee Network Acce ...

I have set up a wireless access point for non-employees and specific data ports in the conference rooms for non-employees which are on the outside of the perimeter firewall. It gives them basic Internet connectivity without any access to the internal company network. If they need to print, there is a wireless print server they can attach to for basic printing needs.
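Several posts in this thread converge on the same design: a separate guest segment (a VLAN or a port "turned on" in the conference room), a printer the guests may reach, restricted Internet, and no path into the corporate LAN. The following is an added example, not code from the thread or from any product named in it: the guest policy written as an ordered rule list that can be checked against sample flows before it is deployed, plus the same policy rendered as an nftables ruleset for a Linux gateway between the guest VLAN and the rest of the network. The subnets, interface names, printer address and port allow-list are assumptions; the sample flows are constructed, not captured traffic.

```python
"""Guest-segment policy as code (added example, not from the thread).
Models "subnet them at the switch, give them a printer and restricted
Internet" as an ordered rule list, evaluates sample flows against it, and
renders the same rules as an nftables ruleset. All addresses, interface
names and the port allow-list are assumptions for the example."""
import ipaddress
from dataclasses import dataclass

GUEST_NET = ipaddress.ip_network("192.168.200.0/24")   # assumed guest VLAN
GATEWAY = ipaddress.ip_address("192.168.200.1")        # gateway's guest-side address
PRINTER = ipaddress.ip_address("192.168.201.10")       # printer on its own small VLAN
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
INTERNET_PORTS = (80, 443, 587, 993)   # web, mail submission, IMAPS for guest e-mail


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


def decide(flow: Flow) -> str:
    """Verdict the gateway gives a NEW connection from the guest segment.
    Rule order matters: the printer sits inside RFC1918 space, so its accept
    must come before the catch-all drop of private destinations."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in GUEST_NET:
        return "not-guest"              # other segments are governed elsewhere
    # 1. On-link services from the gateway only: DHCP (a broadcast, so match
    #    on port alone) and DNS. Guests get no other resolver or internal host.
    if flow.proto == "udp" and flow.dport == 67:
        return "accept"
    if dst == GATEWAY and flow.dport == 53:
        return "accept"
    # 2. Printing: IPP and raw JetDirect to the one printer, nothing else on it.
    if dst == PRINTER and flow.proto == "tcp" and flow.dport in (631, 9100):
        return "accept"
    # 3. Corporate LAN, DMZ and the guest subnet itself: drop. The gateway never
    #    sees guest-to-guest traffic on the same VLAN, so on-link scanning must
    #    also be stopped at the switch/AP with port or client isolation.
    if any(dst in net for net in PRIVATE):
        return "drop"
    # 4. Restricted Internet egress: an explicit allow-list, not "any".
    if flow.proto == "tcp" and flow.dport in INTERNET_PORTS:
        return "accept"
    return "drop"


def render_nftables(wan="eth0", guest_if="eth1.200") -> str:
    """The same policy as an nftables ruleset (load with `nft -f file`)."""
    private = ", ".join(str(n) for n in PRIVATE)
    ports = ", ".join(str(p) for p in INTERNET_PORTS)
    return "\n".join([
        "table inet guest {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        f'    iifname != "{guest_if}" accept   # non-guest traffic: policy lives elsewhere',
        "    ct state established,related accept",
        f'    iifname "{guest_if}" ip daddr {PRINTER} tcp dport {{ 631, 9100 }} accept',
        f'    iifname "{guest_if}" ip daddr {{ {private} }} drop',
        f'    iifname "{guest_if}" oifname "{wan}" tcp dport {{ {ports} }} accept',
        f'    iifname "{guest_if}" log prefix "guest-drop: " drop',
        "  }",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        f'    iifname != "{guest_if}" accept',
        "    ct state established,related accept",
        f'    iifname "{guest_if}" udp dport 67 accept',
        f'    iifname "{guest_if}" ip daddr {GATEWAY} udp dport 53 accept',
        f'    iifname "{guest_if}" ip daddr {GATEWAY} tcp dport 53 accept',
        "  }",
        "}",
    ])


SAMPLE_FLOWS = [   # constructed flows, not captured traffic
    Flow("192.168.200.50", "93.184.216.34", "tcp", 443),   # guest browsing
    Flow("192.168.200.50", "192.168.200.1", "udp", 53),    # DNS via the gateway
    Flow("192.168.200.50", "8.8.8.8", "udp", 53),          # bypassing the gateway resolver
    Flow("192.168.200.50", "192.168.201.10", "tcp", 9100), # print job
    Flow("192.168.200.50", "192.168.201.10", "tcp", 80),   # printer's web UI
    Flow("192.168.200.50", "10.1.1.20", "tcp", 445),       # corporate file server
    Flow("192.168.200.50", "192.168.200.51", "tcp", 445),  # another guest
    Flow("192.168.200.50", "93.184.216.34", "tcp", 22),    # SSH out
]


def audit(flows=SAMPLE_FLOWS):
    """Map each sample flow's (dst, proto, dport) to the policy's verdict."""
    return {(f.dst, f.proto, f.dport): decide(f) for f in flows}


if __name__ == "__main__":
    for key, verdict in audit().items():
        print(f"{verdict:8} {key}")
    print(render_nftables())
```

Keeping the rule list and the rendered ruleset in one file means the flow checks are the regression test for the firewall: when someone asks for one more port for a guest application, the change is made once and the audit shows exactly which of the blocked flows it would newly permit. The `log prefix` on the final drop is what feeds any scan detection run over the gateway's logs.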


How is this configured?

by jhill1949 In reply to One approach

If I want to set up a separate access point for non-employees to just have Internet access, how do I do that? I admin a simple network containing a DSL modem, a Netgear FVS318v3 VPN Firewall router and two Linksys group switches.
I don't understand where to place the new access point in relation to the router and switches. Do I also need to get another router to create the non-client net? How do I get the new router to share the DSL port?



by rossi224 In reply to Non-Employee Network Acce ...

You should check out MS Forefront TMG.
