Slashdot Mirror


Protecting Your Enterprise Network from Vendor App Servers?

anomaly wonders: "I work for a company with a large IT infrastructure. We have lots of applications in our environment. For a number of applications, vendors provide the apps, and provide core support to those app servers. Our vendors are notorious for demanding superuser access to the boxes that support their applications. To protect our enterprise network from attacks allowed in by well-meaning but less-than-perfectly-competent vendors, we have set up a quarantined network for each vendor. This works well when the model is ASP-like and all of the components live on a single box, but fails when the application needs to be connected to one or more enterprise applications (RDBMS, smtp, they want backup, etc) or when it needs to be connected to lots of target systems inside our environment on lots of different ports. How can I restrict a vendor/application server's access to our enterprise network while still providing platforms to make the applications productive for our user community?" "Frequently vendors can't restrict their applications to run on a limited set of ports. Most of the time they stare blankly when we want their application to run as something less than superuser.

Our biggest challenge is keeping track of all of the dependencies and managing what ports need to be allowed to which destinations. Of course, when security is tight our business-types say 'you're breaking my application.'

What can you suggest about how to provide access to applications, patch/protect the OS on the app server, and protect the enterprise network? What does your organization do?"
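The question's hard part is the dependency map: which enterprise services each quarantined vendor box may initiate connections to, on which ports. One way to make that map the single source of truth, as an added example that is not part of the original post: keep a per-vendor manifest, render the firewall rules from it, and audit observed flows against the same manifest so that "you're breaking my application" can be answered with the exact missing dependency rather than by opening the zone up. The manifest, the vendor name, all addresses and the flow-record format are invented for the example.

```python
"""Egress allowlist for a quarantined vendor zone (added example, not from the post).

A per-vendor manifest lists the enterprise services the vendor's app server may
reach. It is rendered as an nftables ruleset that accepts exactly those flows and
logs-and-drops anything else the vendor subnet initiates, and the same manifest
is used to audit observed flows for dependencies nobody told us about.
"""
import ipaddress
import re

# Constructed manifest for a hypothetical vendor; every name and address is invented.
MANIFEST = {
    "vendor": "acme-erp",
    "app_subnet": "10.50.7.0/24",  # the vendor's quarantined VLAN
    "dependencies": [
        {"name": "oracle-rdbms", "dst": "10.10.20.15",   "proto": "tcp", "ports": [1521]},
        {"name": "smtp-relay",   "dst": "10.10.30.5",    "proto": "tcp", "ports": [25]},
        {"name": "backup",       "dst": "10.10.40.0/28", "proto": "tcp", "ports": [10000, 10001]},
        {"name": "dns",          "dst": "10.10.0.53",    "proto": "udp", "ports": [53]},
    ],
}


def render_nftables(manifest):
    """Render the manifest as an nftables table for a firewall between zones.

    The chain policy stays 'accept' so this per-vendor table does not drop other
    zones' traffic (a drop in any base chain is final in nftables); the last rule
    makes it default-deny for everything initiated from the vendor subnet.
    """
    vendor = manifest["vendor"].replace("-", "_")
    subnet = manifest["app_subnet"]
    lines = [
        f"table inet vendor_{vendor} {{",
        "    chain forward {",
        "        type filter hook forward priority 0; policy accept;",
        "        ct state established,related accept",
    ]
    for dep in manifest["dependencies"]:
        ports = ", ".join(str(p) for p in dep["ports"])
        lines.append(
            f"        ip saddr {subnet} ip daddr {dep['dst']} "
            f"{dep['proto']} dport {{ {ports} }} accept comment \"{dep['name']}\""
        )
    # Anything else the vendor box initiates is logged (so the dependency map can be
    # completed from real traffic) and dropped.
    lines.append(f"        ip saddr {subnet} log prefix \"vendor-{manifest['vendor']}-deny \" drop")
    lines += ["    }", "}"]
    return "\n".join(lines)


def flow_allowed(manifest, src, dst, proto, dport):
    """Return the name of the dependency that permits this flow, or None.

    Only flows initiated from the vendor subnet are judged; anything else is
    another zone's business and also yields None.
    """
    if ipaddress.ip_address(src) not in ipaddress.ip_network(manifest["app_subnet"]):
        return None
    dst_addr = ipaddress.ip_address(dst)
    for dep in manifest["dependencies"]:
        if (dep["proto"] == proto and dport in dep["ports"]
                and dst_addr in ipaddress.ip_network(dep["dst"], strict=False)):
            return dep["name"]
    return None


# Invented conntrack-style record format: "src=A dst=B proto=tcp|udp dport=N".
FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(tcp|udp) dport=(\d+)")


def audit_flows(manifest, flow_lines):
    """Return (src, dst, proto, dport) for every flow from the vendor subnet that the
    manifest does not cover: either a missing dependency or an attack."""
    subnet = ipaddress.ip_network(manifest["app_subnet"])
    unexpected = []
    for line in flow_lines:
        m = FLOW_RE.search(line)
        if not m:
            continue  # not a flow record
        src, dst, proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
        if ipaddress.ip_address(src) not in subnet:
            continue  # initiated elsewhere (e.g. a user reaching the app); out of scope here
        if flow_allowed(manifest, src, dst, proto, dport) is None:
            unexpected.append((src, dst, proto, dport))
    return unexpected


# Constructed flow records, not real traffic: two legitimate dependencies, an SSH
# attempt against a file server, an LDAP query the vendor never mentioned, and a
# user's browser reaching the app (out of scope for the egress policy).
SAMPLE_FLOWS = [
    "src=10.50.7.10 dst=10.10.20.15 proto=tcp dport=1521",
    "src=10.50.7.10 dst=10.10.30.5 proto=tcp dport=25",
    "src=10.50.7.10 dst=10.10.60.8 proto=tcp dport=22",
    "src=10.50.7.11 dst=10.10.0.20 proto=tcp dport=389",
    "src=10.10.90.4 dst=10.50.7.10 proto=tcp dport=443",
]

if __name__ == "__main__":
    print(render_nftables(MANIFEST))
    for flow in audit_flows(MANIFEST, SAMPLE_FLOWS):
        print("unexpected:", flow)
```

Run with the deny-log enabled for a week before tightening: the logged drops are the dependency list the vendor could not give you, and each one either becomes a manifest entry with a name and an owner or stays blocked.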

9 of 258 comments

  1. Consultancy by KontinMonet · Score: 4, Funny

    Well... don't get EDS to work on it!

    --
    Did he inhale?
  2. contract by nes11 · Score: 2, Funny

    Can you not just write a contract that holds them completely liable for all damages, losses, downtime, etc caused by that machine? Then give them the option of whether or not they need to be a superuser that badly.

  3. Re:Find a new vendor by Anonymous Coward · Score: 1, Funny

    Seriously. If they want root, tell them to fuck off.

    and die.

  4. Re:Vendors are asshats by Anonymous Coward · Score: 1, Funny

    you wouldn't believe the number of vendors I've had to beat off

    Dude...I bet your arm is *tired*. Was it good for them?

  5. Hi, I'm your vendor by Anonymous Coward · Score: 1, Funny

    I'm your vendor. I need root for about a half an hour to fix some things.

    Also, I need your ATM card and PIN, I need to fix that as well.

    Don't forget to give me your house keys and please have your wife put on her negligee.

    I'm glad we have a meaningful working relationship.

  6. Several different possible solutions by postbigbang · Score: 3, Funny

    1) write into the SLA policy-- a SU agreement with liability
    2) use (as mentioned) a L7 switch (Telena has one, too)
    3) give temporary access, and make sure you check for root kits everytime with a script
    4) tell your management just how expensive it is to have so many vendors' spoons in the soup and how potentially destabilizing it is to do this
    5) use smart token card access coupled to your own CA; Tie the proximity of the card via RFID to a pacemaker attached directly to the aorta. If they lose it, they die. Simple.
    6) partition roots across servers. Get an SNMP trap when they logon to keep track of them. Set a script against cron to send an additional alarm when they're on for more than a few minutes or upload more than a few megabytes through specific ports (indicating massive changes rather than remote control screen delta)
    7) ask for one of their children for hostage use

    --
    ---- Teach Peace. It's Cheaper Than War.
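Item 6 above describes a cron-driven check: alarm when a vendor's root session has been open for more than a few minutes, or has pushed more than a few megabytes into the box. The script below is an added example, not code from the commenter; it implements that check over a session log. The log format is invented for the example (one login/logout line per session, plus "xfer" lines carrying inbound byte counts per session, as a proxy or flow export might provide), and so are the thresholds and the session IDs. The edge case a cron job has to handle is the session that is still open when the check runs: its duration is measured up to "now" rather than skipped.

```python
"""Alarm on long or bulky vendor root sessions (added example, not from the comment).

Meant to be run periodically (e.g. from cron) over the session log. A session
that has not logged out yet is measured against the time of the check, so a
vendor who is "just on for half an hour" is caught while still connected.
"""
from datetime import datetime

MAX_MINUTES = 5                      # "more than a few minutes" (assumed threshold)
MAX_UPLOAD_BYTES = 3 * 1024 * 1024   # "more than a few megabytes" (assumed threshold)

# Constructed log, not real data. Session 4711 is a normal short fix; 4712 is
# still open when the check runs and has pushed about 9 MB in; 4713 ran 45 minutes.
SAMPLE_LOG = """\
2005-03-14T09:00:12 login user=root tty=pts/3 from=203.0.113.7 session=4711
2005-03-14T09:01:40 xfer session=4711 bytes_in=204800
2005-03-14T09:03:03 logout session=4711
2005-03-14T09:10:00 login user=root tty=pts/4 from=203.0.113.7 session=4712
2005-03-14T09:11:15 xfer session=4712 bytes_in=5242880
2005-03-14T09:12:05 xfer session=4712 bytes_in=4194304
2005-03-14T09:20:00 login user=root tty=pts/5 from=198.51.100.9 session=4713
2005-03-14T09:20:30 xfer session=4713 bytes_in=1024
2005-03-14T10:05:00 logout session=4713
"""


def parse_line(line):
    """Split '<iso-timestamp> <kind> k=v k=v ...' into (datetime, kind, fields)."""
    ts, kind, *rest = line.split()
    fields = dict(f.split("=", 1) for f in rest)
    return datetime.fromisoformat(ts), kind, fields


def check_sessions(log_text, now, max_minutes=MAX_MINUTES, max_bytes=MAX_UPLOAD_BYTES):
    """Return one alert tuple per offending session:
    (session_id, user, source_ip, still_open, reason)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    sessions = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kind, f = parse_line(line)
        sid = f["session"]
        if kind == "login":
            sessions[sid] = {"start": ts, "end": None, "bytes_in": 0,
                             "user": f.get("user"), "from": f.get("from")}
        elif kind == "xfer" and sid in sessions:
            sessions[sid]["bytes_in"] += int(f["bytes_in"])
        elif kind == "logout" and sid in sessions:
            sessions[sid]["end"] = ts

    alerts = []
    for sid, s in sessions.items():
        end = s["end"] or now  # open session: measure up to the moment of the check
        minutes = (end - s["start"]).total_seconds() / 60
        reasons = []
        if minutes > max_minutes:
            reasons.append(f"{minutes:.0f} min")
        if s["bytes_in"] > max_bytes:
            reasons.append(f"{s['bytes_in'] / 1048576:.1f} MB in")
        if reasons:
            alerts.append((sid, s["user"], s["from"], s["end"] is None, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    # In a real cron job 'now' would be datetime.now(); fixed here so the sample is reproducible.
    for sid, user, src, open_, why in check_sessions(SAMPLE_LOG, "2005-03-14T09:14:00"):
        state = "OPEN" if open_ else "closed"
        print(f"ALERT session={sid} user={user} from={src} {state}: {why}")
```

The byte threshold is the more useful of the two for catching "massive changes rather than remote control screen delta", as the comment puts it: a screen-sharing session is chatty but small inbound, while a vendor pushing a new build or a tarball of tools is a few megabytes in a few seconds.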
  7. A technique by Gyorg_Lavode · Score: 4, Funny
    A technique my work employed to get people to stop requesting things is to make some simple form to fill out to get what they want. But then require 2 or 3 signatures. (Their supervisor, their company sponsor or contact and their own.) Then you take 3 or 4 weeks to process any of these forms (purposefully). And you deny half of them.

    Then you make your policy strictly exclusionary. And when they say "BUT I NEED THIS!", you say, "Ok, fill out a form 23" or whatever the form is. They'll learn quickly that they aren't going to get many of them approved and they'll start putting them in only when they really need them.

    --
    I do security
  8. Re:Shameless plug by jellomizer · Score: 3, Funny

    No just threaten to call IBM global outsourcing. That usually gets the vendors to play nicely. But if you Really get IBM inside your company you will reach new levels of non-productivity. Just because they manage the largest global corporations doesn't mean they are good.

    --
    If something is so important that you feel the need to post it on the internet... It probably isn't that important.
  9. Re:Find a new vendor by D'Sphitz · Score: 1, Funny

    after they choke on their own vomitus maximus, of course.