Locking down vendors
-
Teleport may be a good option here. They have MFA baked in.
Nebula might also work; I'm not sure if they have MFA or not.
-
@dashrender said in Locking down vendors:
The HVAC system does require some type of VPN as management systems are definitely not hardened to be placed directly on the internet for access.
My plan is to use ZeroTier for remote access. One advantage of that is I can easily limit the number of stations the vendor can use to access our systems, the PITA part is if they need to use a tech who normally doesn't have access, the vendor now has to reach out to get them setup - which is a PITA for a temp type access.
thoughts on this?
Honestly my thought on this is "why the hell are you using an HVAC vendor with that kind of problem?"
Problem: They choose what to deploy. But the thing that they deploy does not meet their needs. Instead of figuring out how to do the job that they want done, they expect you, the customer, to do their job for them. Then they also lack the internal IT controls to have a central user control system, so they also expect you, the customer, to engineer a solution for that, too.
Basically... they aren't even trying and aren't willing to participate in having a secure platform for work they want, not that you want, and you have to expose your systems dangerously for them.
How the heck did they get past decision makers?
-
@pete-s said in Locking down vendors:
ZeroTier doesn't sound like the best tool for the job though.
It'll do it, just extra work to lock it down in the way that is more default for something else.
-
@pete-s said in Locking down vendors:
@dashrender said in Locking down vendors:
My plan is to use ZeroTier for remote access. One advantage of that is I can easily limit the number of stations the vendor can use to access our systems, the PITA part is if they need to use a tech who normally doesn't have access, the vendor now has to reach out to get them setup - which is a PITA for a temp type access.
If you don't want your login, passwords and whatnot distributed among many people, the important thing is to give access to a person at a vendor and not generic access to a company.
We deal with this a lot as a vendor, and access credentials are always given to a single person and not to the company. If someone else needs access, that person also needs their own credentials.
This should always be the case. It should also be the vendor managing it.
-
@dashrender said in Locking down vendors:
@pete-s said in Locking down vendors:
@dashrender said in Locking down vendors:
My plan is to use ZeroTier for remote access. One advantage of that is I can easily limit the number of stations the vendor can use to access our systems, the PITA part is if they need to use a tech who normally doesn't have access, the vendor now has to reach out to get them setup - which is a PITA for a temp type access.
If you don't want your login, passwords and whatnot distributed among many people, the important thing is to give access to a person at a vendor and not generic access to a company.
We deal with this a lot as a vendor, and access credentials are always given to a single person and not to the company. If someone else needs access, that person also needs their own credentials.
Uh - what? That one guy can do anything he wants once he leaves your presence. He could hand the password to anyone. You hope they don't, of course.
You have legal recourse when they do that.
-
@scottalanmiller said in Locking down vendors:
@dashrender said in Locking down vendors:
The HVAC system does require some type of VPN as management systems are definitely not hardened to be placed directly on the internet for access.
My plan is to use ZeroTier for remote access. One advantage of that is I can easily limit the number of stations the vendor can use to access our systems, the PITA part is if they need to use a tech who normally doesn't have access, the vendor now has to reach out to get them setup - which is a PITA for a temp type access.
thoughts on this?
Honestly my thought on this is "why the hell are you using an HVAC vendor with that kind of problem?"
Problem: They choose what to deploy. But the thing that they deploy does not meet their needs. Instead of figuring out how to do the job that they want done, they expect you, the customer, to do their job for them. Then they also lack the internal IT controls to have a central user control system, so they also expect you, the customer, to engineer a solution for that, too.
Basically... they aren't even trying and aren't willing to participate in having a secure platform for work they want, not that you want, and you have to expose your systems dangerously for them.
How the heck did they get past decision makers?
When this system was put in two+ years ago, the vendor of the day set up their own network, their own firewall, their own access solution. I just had to provide them access to the internet.
We've left that vendor (sorta - apparently we only left them for preventative maintenance, but not software support). The new vendor wants remote access to the software to allow for remote troubleshooting. They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.
-
@dashrender said in Locking down vendors:
They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.
That doesn't really make sense, as this is all questions about THEIR IT. All your team can do is get in the way.
-
@scottalanmiller said in Locking down vendors:
@dashrender said in Locking down vendors:
They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.
That doesn't really make sense, as this is all questions about THEIR IT. All your team can do is get in the way.
I don't follow:
NTG does support for clients that only want you to touch specific things - they don't want you to come in and set up a special network just for those things, so their IT sets up some type of access for those things.
Not sure how this is different?
-
@dashrender said in Locking down vendors:
@scottalanmiller said in Locking down vendors:
@dashrender said in Locking down vendors:
They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.
That doesn't really make sense, as this is all questions about THEIR IT. All your team can do is get in the way.
I don't follow:
NTG does support for clients that only want you to touch specific things - they don't want you to come in and set up a special network just for those things, so their IT sets up some type of access for those things.
Not sure how this is different?
That's not really how any customers work, as that would be expensive and super impractical (and almost universally, internal IT gets security horribly wrong and would expose themselves and us through their bad practices.)
Every real world customer that we deal with asks us what to do and we provide the tools. Because we have to manage the authorization, revocation, promotion, vetting, and such of our team, who they report to and so forth, we have to have the ability to manage the users and determine what level of our access they can have. The customer doesn't have the necessary visibility to manage security needs.
Letting the wrong IT department handle it risks things like VPNs, shared accounts, shared passwords and so forth because you are asking the team lacking the necessary access and visibility to try to manage a team that they don't know about or control. And it breaks workflows. NTG has workflows around hiring, firing, promoting, job role changes, emergency access and so forth, that are normal, regular, and secure. But a customer can't have that with our staff.
For a customer to do this effectively with us (or any outside vendor) you'd have to build out such a ridiculous amount of infrastructure to be secure, and it's almost never used because it's part time. It just doesn't make IT sense.
-
@dashrender said in Locking down vendors:
they don't want you to come in and setup a special network just for those things
BECAUSE we manage IT, we don't manage dumb devices that need a dedicated LAN to manage. If we were managing non-IT dumb devices, OF COURSE they would want us to do that. It's the only logical approach to this under normal circumstances.
-
@dashrender said in Locking down vendors:
Not sure how this is different?
LOL, I'm not sure how it compares.
It's different in that what we manage is totally different. And it is different in how everyone approaches it. And we manage customer systems, not our systems.
All aspects of it, other than that we are a vendor and we have customers, is the exact opposite. It's about as polar opposite of an example as you could think of.
-
@scottalanmiller said in Locking down vendors:
@dashrender said in Locking down vendors:
They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.
That doesn't really make sense, as this is all questions about THEIR IT. All your team can do is get in the way.
Right, I have no idea WTF you think you are doing here @Dashrender.
The most you should do is set up a VLAN or an actual separate LAN with no access to your network. The other company can deal with putting something on this shit old device that reaches out to their support infrastructure.
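The isolated-segment approach described in this post (and quoted again further down), as an added example that is not from the thread or from any vendor: an nftables ruleset in which the HVAC segment can only reach the internet, so the vendor's own agent can phone home, while anything it initiates toward the corporate LAN is logged and dropped. Interface names, the VLAN id and the subnets are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Placeholders (assumed):
#   eth0      = WAN uplink
#   eth1      = corporate LAN (10.10.0.0/16)
#   eth1.99   = VLAN 99 sub-interface carrying only the HVAC controller
flush ruleset

define wan_if    = "eth0"
define corp_if   = "eth1"
define hvac_if   = "eth1.99"
define corp_lan  = 10.10.0.0/16
define rfc1918   = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

table inet vendor_isolation {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections the firewall already allowed
        ct state established,related accept
        ct state invalid drop

        # The HVAC segment never initiates anything toward the corporate LAN,
        # or toward any other private range that might be routed here
        iifname $hvac_if ip daddr $corp_lan log prefix "hvac->corp blocked: " drop
        iifname $hvac_if ip daddr $rfc1918 log prefix "hvac->rfc1918 blocked: " drop

        # The HVAC segment may reach the internet so the vendor's remote-support
        # agent on the controller can connect out to their infrastructure
        iifname $hvac_if oifname $wan_if accept

        # Corporate LAN keeps its normal internet access; it is not allowed to
        # reach into the HVAC segment either, so a compromised controller has
        # no inbound path to pivot through
        iifname $corp_if oifname $wan_if accept

        # Everything else hits the default drop; log it for the SOC
        log prefix "vendor-isolation default drop: " drop
    }
}
```

Because the vendor device only ever connects outbound, no inbound NAT or VPN termination on your side is needed; the log prefixes give a simple detection signal if the controller starts probing the corporate range.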
-
@jaredbusch said in Locking down vendors:
@scottalanmiller said in Locking down vendors:
@dashrender said in Locking down vendors:
They MIGHT have an internal team for this, but since we have our own IT department, my management has decided to take the costs internal versus paying the new vendor to set up remote access for themselves.
That doesn't really make sense, as this is all questions about THEIR IT. All your team can do is get in the way.
Right, I have no idea WTF you think you are doing here @Dashrender.
The most you should do is set up a VLAN or an actual separate LAN with no access to your network. The other company can deal with putting something on this shit old device that reaches out to their support infrastructure.
No one on their side has even breathed a word about something like that.
As I previously mentioned - the old HVAC vendor did all of their own management - I only provided them an internet connection, they managed everything else.
I can see the advantages of that - time to toss this at the new vendor similarly.