2

I am currently working on a project for one of the organizations and I have to install a new (server/client) software program. However, the software company would like to help and install it themselves to minimize any problems on our server.

According to the organization's ICT rules, we can't give remote access to outsiders. They have suggested installing a VM and then giving them remote access to it.

However, I feel that even if we give remote access via a VM, would they still be able to access our network, or is it possible to allow them?

Thanks.

Cin Sb Sangpi
  • 197
  • 1
  • 10

2 Answers

5

If your VM has access to the network and they can use it unsupervised, then they of course have access to your network. Also, you really have to trust your VM product there.

What people do a lot (no judgement here) is isolate a machine for "outsiders" using the firewall/packet filter/security gateway.

Anyway: if your company's ICT rules say you cannot give remote access to outsiders, you have pretty much been given all the information you need. Don't do it. You might run into legal trouble as well as all of the other problems that this rule was made for.

Ben
  • 2,024
  • 8
  • 17
1

You need to manage this through your VM's vNICs: make sure you don't use a bridged adapter but a NAT one, and with a single NIC remove all routes to the network except the actual default gateway.

That being said, similar ICT rules usually also have a no-port-forwarding policy, so I'm wondering how you will expose the machine to the outside world. Still, if you are taking the law in its literal meaning and have already obtained legal permission, make sure to create a VPN between the guest and your customer's network, and using the virtual network manager you should statically define all routes to the virtual router so that it is only able to reach your company's default gateway.

P.S.: Even if you don't give admin access to your customer, there are tons of local exploits that might be used to gain admin/root access, which will give them slightly better chances of reconfiguring the guest VM system. That is why you should focus on isolating the guest machine from the outside, creating tunnels around its traffic. And this is for sure not an optimal solution.

Ash
  • 26
  • 1
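
An added example, not part of either answer above: a check for the route pruning the second answer describes, run over `ip -4 route show` output taken from the guest. It assumes a Linux guest; the addresses, sample route tables and function names are constructed for illustration.

```python
import ipaddress

BLOCKING = {"blackhole", "unreachable", "prohibit"}  # these drop traffic

def parse_routes(text):
    """Parse `ip -4 route show` output into (network, via, dev) tuples."""
    routes = []
    for line in text.strip().splitlines():
        tok = line.split()
        if not tok or tok[0] in BLOCKING:
            continue
        dest = "0.0.0.0/0" if tok[0] == "default" else tok[0]
        net = ipaddress.ip_network(dest, strict=False)
        via = tok[tok.index("via") + 1] if "via" in tok else None
        dev = tok[tok.index("dev") + 1] if "dev" in tok else None
        routes.append((net, via, dev))
    return routes

def audit_routes(text, gateway, protected):
    """Return findings for routes that reach the protected networks."""
    gw = ipaddress.ip_address(gateway)
    nets = [ipaddress.ip_network(p) for p in protected]
    routes = parse_routes(text)
    findings = []
    if [via for net, via, _ in routes if net.prefixlen == 0] != [gateway]:
        findings.append(f"expected exactly one default route via {gateway}")
    for net, via, dev in routes:
        if net.prefixlen == 0 or (net.prefixlen == 32 and net.network_address == gw):
            continue  # default route, or on-link host route to the gateway
        hit = [str(p) for p in nets if net.overlaps(p)]
        if hit:
            findings.append(f"{net} dev {dev} reaches {', '.join(hit)}")
    return findings

# Constructed samples (addresses are illustrative, not from the page).
BRIDGED = """default via 192.168.10.1 dev eth0
192.168.10.0/24 dev eth0 proto kernel scope link src 192.168.10.57"""
NAT_PRUNED = """default via 10.0.2.2 dev eth0
10.0.2.2 dev eth0 scope link"""
NAT_LEFTOVER = NAT_PRUNED + "\n192.168.20.0/24 via 10.0.2.2 dev eth0"
ORG_NETS = ["192.168.0.0/16"]
# A clean table only shows the guest has no direct path. The default route
# still hands every packet to the gateway, and a guest admin can re-add
# routes, so the drop rules must live on the host or firewall.
if __name__ == "__main__":
    for name, table, gw in [("bridged", BRIDGED, "192.168.10.1"),
                            ("nat-pruned", NAT_PRUNED, "10.0.2.2"),
                            ("nat-leftover", NAT_LEFTOVER, "10.0.2.2")]:
        print(name, audit_routes(table, gw, ORG_NETS) or "ok")
```

An empty result is a configuration check on the guest, not proof of isolation; pair it with packet-filter rules outside the VM, as the first answer suggests.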