VPN from Company to Company

FaiTHLeSS

Technical User
Jun 30, 2002
805
GB
Hi All,

We are a medium-sized company in the health sector. Some of our users do joint projects that require them to access systems at another company, in this case a University, as part of the project.

Now the only way for them to connect is by VPN to the University system; the systems they are accessing are web-based systems. Site VPN isn't an option; a VPN client has to be installed on the client machine and they connect from there.

Currently we have a separate network the users can plug a laptop into and connect to this other network via VPN, but now they want more people to access the other systems not on our network, and they want to do it from their main PCs on our main internal network.

Now we don't want to allow this as it's just creating holes in our firewall to allow X amount of users to be allowed to connect out. Plus the risk of something being downloaded back through the connection on to our network. If anyone can suggest other risks of allowing this.

What we would like is other people's opinions on this: should we allow this to happen or should we just outright say no? We have to have a lot of information to back this up for our senior management; if we don't, we will just be told to open it up, as much as we would hate to do it.

Thanks


 
Point to HIPAA and say, "The Feds say we can't do that."

More seriously, though, your concerns over the security of your network are valid and well-founded. Even with a secure and encrypted connection to the VPN, your network is only as secure as its weakest link. If you are allowing access to your LAN from an external site, as you would be if you opened up VPN access directly to these users' main computers, you lose the ability to even know if you are secure or not.

You already have what I would suggest in place with the separate network. You might try expanding it to a few workstations that have all the software these users need to analyze and work with the university's data already installed, but allowing direct access to your main network needs to be fought tooth and nail. If your upper management requires you to allow it, get it in writing and make sure you start off by saying you think it is a bad idea but they are overriding your recommendations.
 
Hi

Thanks for the reply. We are based in the UK so don't think we can use HIPAA law and guidelines, but will look into it more to see if there is any UK/EU law that covers the same sort of things.

Being a registered charity, cash flow is always limited, so getting extra workstations can be a problem, along with providing space to put them. This was one of the ideas I already came up with, using laptops/extra PCs to support this, but it would be costly; the other side of it is what network security is worth.

Getting management to see this is not always a simple process.

 
You could, I guess, point to HIPAA and say, "Even those stupid Americans think this is a bad idea." If, you know, you run out of other options.
 