Q: Network Security ( Answered,   2 Comments )
Question  
Subject: Network Security
Category: Computers > Security
Asked by: fones-ga
List Price: $50.00
Posted: 27 Jul 2005 04:46 PDT
Expires: 26 Aug 2005 04:46 PDT
Question ID: 548455
Should we let consultants plug into our network?  Should we let people
inside our firewall without installing our corporate virus protection
software?  Where can I find white papers to use as guidelines for a corporate policy?

Clarification of Question by fones-ga on 01 Aug 2005 10:27 PDT
We have 100 onsite users and 20 mobile users (laptops).  We are running
Win 2003 and Exchange 2003.  We have SurfControl email/web filter
servers.  The initial defense is a WatchGuard Firebox.  We are running
McAfee Suite GroupShield on the Ex2003.  All workstations run McAfee
virus defense, updated every couple of hours, monitored by Protection
Pilot.  We have a Win 2000 server running a WebSphere app for online
ordering.  These new consultants preach but don't follow the prayer
book.  We had to open up the firewall to allow Yahoo email and others.
Had not done that for a while, too many things coming in.  I am
looking for papers/opinions that opening up the firewall to allow
these things can/will hurt.  They go to the hotel/home, surf the web,
come back in and link up to our network.  Can't be safe.
Answer  
Subject: Re: Network Security
Answered By: maniac-ga on 01 Aug 2005 19:37 PDT
 
Hello Fones,

The short answers to your questions are:

No (to consultant connections), No (connect w/o virus protection), and
none (white papers or policies) that answer your question, though I
will point you to several helpful documents that may meet your needs.

The longer answer will require some analysis and in addition, I will
outline some alternatives that may provide you the proper balance
between risk and reward for your situation.

To properly answer the first question (should we let consultants plug
into our network?), you need to answer questions like the following:

  Why do I want to have consultants plug into our networks?
  What are the benefits of a direct connection (to us and the consultants)?
  What are the risks of a direct connection (to us and the consultants)?

If the consultants have a specific task to perform (e.g., software
development, security analysis) that requires access to your internal
networks - I suggest you provide those consultants a desktop system
that is properly configured, monitored, and managed. I also suggest
you get them to sign some "Acceptable Use Policy" (AUP) - see below
for several good references - to help set the guidelines for use and
protect you if they step over the line. [the AUP should also emphasize
the need for virus protection - addressing your second question] You
may want to also conduct computer security training - the same as for
your employees. Make a "clarification request" if you need some
pointers to security training.

If the consultants need a high speed link to access the internet or
their home systems (without access to your internal network), there
are a few options:
 - wide area broadband wireless [see below]
 - setting up a "DMZ" for guests
Both of these solutions can "meet the need" if this is the type of
service you need to provide. The first one basically takes it out of
your hands - the consultants get access through a third party. The
second option gives you some flexibility on access and should be done
in conjunction with an AUP - the guest signon can help enforce that
restriction. If you don't know what a DMZ is, see
  http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_data_sheet09186a008010e5c7.html
for a description of several different network scenarios with and without a DMZ.

The solution that you use should be based on the level of risk / level
of benefits that you foresee. For an overview of firewall policies and
risks, see
  http://www.cit.cornell.edu/computer/security/seminars-past/firewall-aug01/
or for the more nicely formatted version starting at
  http://www.cit.cornell.edu/computer/security/seminars-past/firewall-aug01/sld001.htm
I can make some other suggestions on risk / reward analysis if you need it.

Based on what you described (I assume something like...)

  Remote Users -- Internet -- Firebox -- Internal servers / Internal users

it may be possible to set up something like this:

  Remote Users -- Internet -- Firebox -- Internal servers / Internal users
                                 +--VLAN-- Consultants

where the VLAN and Firebox configuration (see the white paper at)
  http://www.watchguard.com/infocenter/whitepapers.asp
(near the bottom, titled "Using Virtual LANs to Get More From Your Firewall")
will allow your consultants access to the Internet and keep them off
your internal servers and protect your internal users.

For more information on specific references [and to help answer the
third part], see

Acceptable use policies - use search phrases like
    "acceptable use policy"
    corporate "acceptable use policy"
    "acceptable use policy" -ISP -university -hosting
  http://www.itcdeltacom.com/internet_use_policy.asp
  http://www.doi.gov/footer/doi_aup.html
  (note - many references are for universities, internet service
providers - I tried to find some that were more directly applicable to
your needs)
  
Wide area broadband information can be found with search phrases like
  wide area broadband wireless
to find suppliers like
  Verizon - http://www.verizonwireless.com/b2c/mobileoptions/broadband/serviceavailability.jsp
(this is not an endorsement of their service, just a pointer)

"guest" access references can be found using search phrases like
  firewall guest access
For example,
  http://www.devicescape.com/docs/smap/AdminGuide/Guest.php
describes how to set up a wireless access point to allow guests access
to a separate LAN (with access to the Internet) while allowing your
employees secure wireless access to your internal network. If you give
the consultants wired access - you could set up your wired routers to
provide a similar VLAN (or wired LAN) to the Firebox.

If some part of the answer is incomplete or unclear, please make a
clarification request and I would be glad to expand on the answer.
Good luck with your work with your company and the consultants you
have to deal with.
  --Maniac
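
The consultant-VLAN layout in the answer above only protects the internal network if the firewall rules are ordered so the block on internal addresses is evaluated before any broad Internet allow. The following is an added example, not part of the original answer and not WatchGuard configuration syntax: it assumes a simple ordered, first-match rule model with constructed subnets and checks a rule set against the three goals the answer states.

```python
import ipaddress

# Constructed addressing for illustration (not from the original post).
INTERNAL = "10.0.0.0/16"      # internal servers and internal users
GUEST = "192.168.50.0/24"     # consultant VLAN
ANY = "0.0.0.0/0"

# (description, source, destination, expected action) for each goal in the answer.
PROBES = [
    ("consultant -> internal server", "192.168.50.10", "10.0.1.5", "deny"),
    ("consultant -> internal user PC", "192.168.50.10", "10.0.20.7", "deny"),
    ("consultant -> Internet", "192.168.50.10", "203.0.113.10", "allow"),
]

def first_match(rules, src, dst):
    """Action of the first rule matching src/dst; implicit deny if none match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net in rules:
        if s in ipaddress.ip_network(src_net) and d in ipaddress.ip_network(dst_net):
            return action
    return "deny"

def audit(rules):
    """Return the descriptions of every segmentation goal the rule set violates."""
    return [desc for desc, src, dst, want in PROBES
            if first_match(rules, src, dst) != want]

# Weak ordering: the broad allow is evaluated first and shadows the deny.
WEAK = [("allow", GUEST, ANY), ("deny", GUEST, INTERNAL)]
# Corrected ordering: block the internal range first, then allow everything else.
FIXED = [("deny", GUEST, INTERNAL), ("allow", GUEST, ANY)]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("fixed", FIXED)):
        print(name, audit(rules) or "all goals met")
```

Real firewalls may apply their own policy precedence rather than strict list order, so the same probes are worth running as actual connection tests from a machine on the consultant VLAN.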
Comments  
Subject: Re: Network Security
From: delaware-ga on 27 Jul 2005 13:58 PDT
 
You might want to provide a few more facts to help the researchers
compose an answer for you.

1.) What type of business is your company?
2.) How large is your company?
3.) How strict is your current security setup and what is currently in place?

Speaking from personal experience as an IT consultant for a few years,
I've been places that did allow me to plug my laptop into their
network and others where I had to use the phone line for any internet
access I needed.  It was never a hindrance to not be able to connect
to the network, as long as I was given a desktop PC to use within the
company network with the ability to use a zip disk to transfer files
to and from that PC.

I am no researcher, but my advice would be to keep all non-company
laptops off your network or if they must be on your network keep them
behind very strict firewalls and proxies.

Keep in mind that, depending on the industry, it can take a company
several years to build up a good reputation and minutes to ruin that
reputation if a major security breach occurs and is posted publicly.

Best of luck!
Subject: Re: Network Security
From: hockeylover-ga on 28 Jul 2005 03:57 PDT
 
I have to agree with Delaware on this one. I am in Network Security
for a financial company. We do NOT allow any machine that is not built
by us on to our network. The implications of having just one vendor
introduce a virus/worm into our environment and possibly take down a
trader or two are too much to balance the inconvenience of asking a
vendor to use one of our laptops to access the internet.

One trader being taken offline for even just a few minutes could cost
our firm millions.
