
Vendor/Customer wants internet access

Status
Not open for further replies.

dennisbbb

MIS
Jun 4, 2003
489
US
This is all too common. A vendor or customer comes onto the premises, boots up their notebook, obtains an IP through DHCP, and connects to the internet. While online, they run their network sniffer to sniff internal traffic or a scanner to see what's on your domain network.

My question is, is this generally allowed in your company? Do you get paranoid when someone outside the company is "inside" your network?
 
A couple of ideas.

The first one is why that hostile attitude towards poor consultants? We're "outsiders", "external", "strange people". I've been working at many offices, been connected to many networks in many clients in a few countries and everywhere I listen to the same song.

I have my laptop updated with latest security updates, from the OS and anti-malware software. I follow all security policies related to unknown attachments, secure and unsecure sites, I even encrypt my MSN conversations.

And then I get to an office where the PCs are out of date, some of them infected (once all of them were), where people connect with a modem with telephone line to bypass proxy restrictions. And they say it's not secure that I can connect the laptop to the net!!

I got tired of arguing about this, so I just do what I need. Is it ethical to sniff a network without permission? Well, it is for me, as long as I deactivated the promiscuous mode and was just interested in a particular issue.

I know I may get into trouble, but I don't really mind. If a simple sniffer can get your data while surfing your online banking account, come on, change that account, they're laughing at your face. And do you really trust your coworkers so much that you don't mind them sniffing your traffic but you do when it's an "outsider"?

Now, and back to the point. At my home office, anyone can get there and connect to the net. It's supposed that everyone that gets there can work, and we need the net to work.

Worried about sniffers? Secure your transmissions. Don't forget that the Internet is out there and anyone can connect a sniffer anywhere. And don't forget that your employees can use sniffers too.

Cheers,
Dian
 
Dian:

Don't misunderstand. I work full-time as a systems administrator/programmer, then do my own consulting business as well.

I think that the topic got diluted a little, and that's why I re-quoted the original post above. The onus was that someone (anyone) comes into the building, and without your knowledge, starts a packet sniffer. We weren't talking about a consultant that's in there to troubleshoot, we're talking about someone on YOUR network, without your knowledge, sniffing your network. I hope you see the difference.

If I needed to use a sniffer for whatever reason (or, for example, do a port scan for vulnerabilities), I let my client know that I'm going to be doing that. It's part of my job, and me doing a thorough job of consulting and security testing. *HOWEVER*, if I caught someone running a sniffer on my network that I manage, without my permission, that would be an entirely different story. If I hired a consultant to come in, and he said "Well, the easiest way to troubleshoot your <tech term> is to run a packet sniffer for a little bit and see where the bottleneck is", I would be fine with that.

This post was about *unapproved* sniffers running on your network. It wasn't about consultant bashing; it would never be about that, because I would wager that a high percentage of TT users are, in fact, consultants at one level or another.



Just my 2¢

"In order to start solving a problem, one must first identify its owner." --Me
--Greg
 
Yes. We always have outsiders that need net access.
 
At my previous employer, we traded on our integrity, and security, as a security print and cash handling company.

Therefore, no one was allowed to connect anything to the network without our knowledge. All unused ports on switches were software disabled, and cables were removed at the switch closet, not at the wall.

All patch leads were made to length, and therefore someone would need to move a pc to be able to use a lead of another pc.

There were a number of machines which were available for "guests" to use, and these were locked down so tightly, that they would not be able to do any damage from them.

If we had a consultant in from another organisation, they would be able to connect a machine to the network if absolutely necessary, but only after we had it on our test network, which had internet access, and they could prove all the latest updates had been applied, and we could check the machine over. Even then, they had to use it in the IT dept, and not in the general offices, and only when a member of IT staff was able to watch over them.

To some degree, it was a case of maintaining "jobs for the boys" as it had a very heavy overhead for the IT departments.

This was partly what made me leave, they started to reduce staffing levels, saying that this was over the top, but then someone else would come in and pull us over failure to adhere to company policy.

=======================================
So often times it happens that we live our lives in chains
And we never even know we have the key

Ne auderis delere orbem rigidum meum
======================================
 