Reasons not to give OUTSIDERS access to your firewall

Posted on 2003-03-10
Medium Priority
Last Modified: 2013-11-16
This morning an outside company that works with my company requested to bypass our firewall to access a few systems that they are working on for a project.  I'm looking to compile a list of reasons why I should NOT allow this outside company to access our firewall.

1. Lack of internal security measures.
2. Don't trust them
3. This is my only source of security measure
4. Have more than enough vulnerabilities

Can anyone give me some more good reasons why I should not allow this?

Thank you so much,
Question by:life014542

Expert Comment

ID: 8104172
Well, if you don't trust them, that seems to be a good enough reason.

Accepted Solution

antimith earned 80 total points
ID: 8104234
Hurry up and make a formal security policy that forbids it. Haha, head on over to securityfocus.com, they've got some guides to write a good security policy, but you can just skim them and fake it.

When you meet with them or whatever about it, just hand them a hard copy of your security policy and you're free.  They can't argue with official documents, can they? It's 'out of your hands'.

Added to your reasons:

It's against our security policy.
Would be against the better judgment of our staff, who suggest you find another method. (Another thing that kinda depersonalizes it.)
A random guy on experts-exchange, probably along with a lot of other people, thinks it would be dumb security wise. They should find another method or pay to have you upgrade your own setup.

Add to that, conditions to do so:

They foot the bill for a few extra things. i.e. A few new VPN routers and several hours of auditing by a leading security team. A few cases of beer, a new mini fridge, strippers, and the odd T1 subscription for a couple of months to counteract the bandwidth loss due to their network use.
LVL 24

Expert Comment

ID: 8104310
>  requesting to bypass our firewall
> Reasons not to give OUTSIDERS access to your firewall

I am not sure of the question. These are different.

1) Letting them bypass also lets the worms, viruses, bandwidth chokers, and script kiddies in and out.   Not Good                 :-(

2) Giving them access lets them kill time at your company's expense reviewing all security options, so they can first complain that you have not done a complete job; at the same time, they can make more security holes and exploit every hole they can to prove to management that they are needed, and in fact, should be paid more than ever. Get resume ready.            Not Good               :-(


Expert Comment

ID: 8104528
Are your systems in the DMZ?  If so, you should be able to give them access (if you're forced to) without compromising security on your internal network.  If you don't have a DMZ set up, this would be a good opportunity to do so.

Expert Comment

ID: 8104552
Maybe a good question would be why do they want to bypass the firewall, why can they not get to what they want using the firewall?

Expert Comment

ID: 8105712
another good thing is do you have to support them and their connection to systems you have no control over...letting them access it is one thing, but if they have a problem you're on the hook for further support.

so another good reason is labor- is your boss willing to allow you all the time necessary for follow up support?
LVL 79

Expert Comment

ID: 8106215
The reasons not to permit it are many. So are the solutions.
First and foremost, as already mentioned, create a written policy that is enforceable. If you permit someone into your network and you do not give them explicit instructions on what they are/are not permitted to do while accessing your network, then you open yourself up to litigation if they use your network as a jumping off point to launch an attack against another network.

One technical solution: install a VPN solution so that they enter your network via secure VPN where you control all the options, i.e. access-lists for what they can/can't access, routes, Internet access, enforce personal firewall, enforce Anti-virus, and then have an audit trail for everything they touched while connected. Cisco has products for all of this.
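
Added example (not part of the thread and not any poster's code): one way to use the per-vendor access list and the audit trail together is to review each logged VPN session against the explicit allow list and flag anything outside it. The vendor name, addresses, ports and the six-field log format below are constructed assumptions, not the output of any real VPN product.

```python
import ipaddress
from collections import namedtuple

# Constructed policy: the only (destination, port) pairs each outside
# party may reach over the VPN. All names and addresses are assumptions.
VENDOR_ACL = {
    "vendor-a": [
        ("10.20.30.11/32", 22),    # project server, SSH
        ("10.20.30.12/32", 1433),  # project database
    ],
}

# Constructed audit-trail lines: timestamp user src dst dport action
SAMPLE_LOG = """\
2003-03-10T09:01:12 vendor-a 172.16.5.4 10.20.30.11 22 permit
2003-03-10T09:03:40 vendor-a 172.16.5.4 10.20.30.12 1433 permit
2003-03-10T09:07:05 vendor-a 172.16.5.4 10.20.30.50 445 deny
2003-03-10T09:07:09 vendor-a 172.16.5.4 10.20.40.1 3389 permit
2003-03-10T09:09:30 unknown 172.16.5.9 10.20.30.11 22 permit
"""

Finding = namedtuple("Finding", "line reason")

def allowed(user, dst, dport, acl=VENDOR_ACL):
    """True only if (dst, dport) matches an explicit entry for this user."""
    addr = ipaddress.ip_address(dst)
    return any(addr in ipaddress.ip_network(net) and dport == port
               for net, port in acl.get(user, []))

def review(log_text, acl=VENDOR_ACL):
    """Return a Finding for every session the written policy does not cover."""
    findings = []
    for line in log_text.splitlines():
        try:
            _ts, user, _src, dst, dport, action = line.split()
            in_policy = allowed(user, dst, int(dport), acl)
        except ValueError:  # wrong field count, bad port or bad address
            findings.append(Finding(line, "unparseable"))
            continue
        if in_policy:
            continue
        if action == "permit":  # the enforcing ACL is wider than the policy
            findings.append(Finding(line, "permitted outside policy"))
        else:                   # blocked, but someone tried
            findings.append(Finding(line, "denied probe outside policy"))
    return findings
```

A "permitted outside policy" finding means the enforcing access list is looser than the written policy; a "denied probe outside policy" finding means the control held but the attempt is worth a conversation with the outside party.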
LVL 24

Expert Comment

ID: 8206514
big ditto to:

rrhunt28> why can they not get to what they want using the firewall?

lrmoore>  have an audit trail for everything they touch..

Sounds rather suspicious, don't it? Why they act like university freshies who want to do other than the work they are supposed to perform?

Expert Comment

ID: 9153183
This old question needs to be finalized -- accept an answer, split points, or get a refund.  For information on your options, please click here-> http:/help/closing.jsp#1 
Post your closing recommendations!  No comment means you don't care.
