How much of a security risk is allowing a 3rd party to manage print services on a classified network?

How much of a security risk is allowing a 3rd party to manage print services on a classified network? More importantly, they are saying that it will be required to disable all Windows-based SNMP's (which I use to monitor network health). I'm overly concerned by the fact they will have 'un-metered' access to my network under the guise of managing their printers. And it's not really Xerox as much as it's a 3rd party contractor who will be doing the work. They are needing open firewall ports, 3rd party applications, & direct connection in some cases. I'm sure I am being a lil buggy (paranoid), but it's necessary, but am I being overprotective?
ID10Tz Asked:

aadih Commented:
Any access to the network must be by appropriately security-cleared people (e.g., S, TS...).
0
Steven Carnahan (Network Manager) Commented:
What exactly are they wanting to manage?  Do the printers belong to them or to your organization?  

We have a third party that performs maintenance on our printers and all we have is a small program that the printers report usage/errors to that in turn sends that information to the third party. The third party has zero ability to access the network since we originate all traffic.

By default printers use SNMP to send this information. Otherwise you would access them either via HTTP or HTTPS.

Perhaps I am not understanding the full picture.
0
Daniel Helgenberger Commented:
In my opinion you are absolutely not overprotective.

You can't be too careful on classified networks. When they have network access and need 3rd party stuff - then they are basically inside your network and could do whatever they want with their stuff.

If this is wanted by management (I assume this), I would isolate all printers in a separate VLAN and firewall this, allowing no outgoing connections. If they need access to a computer there, you could also deploy a VM in this 'Print DMZ'. This way you can even continue to use SNMP and other health monitoring, since you can allow basically all incoming traffic in this VLAN.

But I think they need at least a domain-joined computer; this in a DMZ makes no sense at all; your firewall will be Swiss cheese.
0
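
Added example, not part of any comment in this thread: one way to audit firewall flow records against the isolation described in the comment above (a printer VLAN that may be reached from the internal network but may never initiate connections out of it). The subnets, the four-field record format, the sample records and the function names are all assumptions made for illustration.

```python
import ipaddress

# Assumed addressing (hypothetical, not from the thread).
PRINT_VLAN = ipaddress.ip_network("10.20.30.0/24")
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample records: "initiator responder proto dport".
SAMPLE_FLOWS = """\
10.1.5.10 10.20.30.21 udp 161
10.1.5.44 10.20.30.21 tcp 9100
10.20.30.21 203.0.113.50 tcp 443
10.20.30.22 10.1.5.10 udp 162
198.51.100.7 10.20.30.21 tcp 443
10.1.5.44 10.1.6.2 tcp 445
"""

def classify(initiator, responder):
    """Return a violation label for one flow, or None if the policy allows it."""
    src = ipaddress.ip_address(initiator)
    dst = ipaddress.ip_address(responder)
    # Printers must never initiate traffic leaving their VLAN. This also
    # catches SNMP traps, so monitoring has to poll from the inside.
    if src in PRINT_VLAN and dst not in PRINT_VLAN:
        return "outbound-from-print-vlan"
    # Only internal hosts may open connections to the printers.
    if dst in PRINT_VLAN and src not in INTERNAL:
        return "external-into-print-vlan"
    return None

def audit_flows(text):
    """Return (line_number, reason, record) for every record that breaks policy."""
    violations = []
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        try:
            if len(fields) != 4:
                raise ValueError("expected 4 fields")
            reason = classify(fields[0], fields[1])
        except ValueError:
            reason = "malformed-record"  # unparseable lines are surfaced, not skipped
        if reason:
            violations.append((lineno, reason, line))
    return violations

if __name__ == "__main__":
    for lineno, reason, record in audit_flows(SAMPLE_FLOWS):
        print(f"line {lineno}: {reason}: {record}")
```
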
ID10Tz (Author) Commented:
aadih: understood and agreed
pony10us: see attached PDFs
helge000: I agree but can't do that. I think I am going to relay that they can receive any information they need from one of the admins.
Xerox-Remote-Services-Security-W.pdf
Xerox-and-Information-Security.pdf
0
Steven Carnahan (Network Manager) Commented:
The first document shows that you can set it up pretty much the same way that we have ours set up. See section 3.2 Remote Proxy Apps. We only permit the collection of the usage statistics. We use the print server to enforce the policies.

All communication is established one way from your organization to Xerox, not allowing them access into your network.
0
gheist Commented:
How could overbroad network access (requirement to disable SNMP) relate to managing printers?
0
ID10Tz (Author) Commented:
We have decided to not allow any access and the maintenance will have to be manual.
0
aadih Commented:
The best decision.  :-)

Cannot go wrong.
0
Steven Carnahan (Network Manager) Commented:
Very good.  

As I stated, we don't permit them vendor access.  Instead we initiate all communication to send traffic.
0
ID10Tz (Author) Commented:
How do I reward this?
0
aadih Commented:
That's up to you.  Not the "experts." ;-)
0