
Our firm is partnered with a smaller firm that would like to outsource part of their IT infrastructure to us. Specifically, they would like to use the same document management software that we do, and they would like us to host it for them. They would use Terminal Services to access it.

clarified:
Currently, each firm has a Cisco VPN network. We would be using dedicated servers for the task, not sharing what we already have. In that sense, it's basically co-location. Is there a way to provide them access to these servers without creating a mutual security risk?

It would be nice to include their servers in our nightly backup to tape, but I'm not against the idea of installing a new tape drive just for them if it makes the network configuration that much easier.

Nic

2 Answers

2

I agree with MikeyB's thought, but not his next step.

The real question is: how do we let customer X use service Y in such a way that it doesn't expose us or them to security risks?

If you are going to share access to a service, that service should probably live in a DMZ that can't access anything else; you would then build access rules and/or VPNs to ensure that this was the case. If this service requires access to internal resources (i.e., file servers, Active Directory services, whatever) then this can get tricky, but it isn't impossible.

David Mackintosh
  • +1: Good advice - the best thing to do would be to isolate those servers somehow. – MikeyB Oct 21 '09 at 01:19
  • I've clarified the wording of my question. A DMZ sounds like the right way to go about doing this. How hard is it to set up multiple DMZs? – Nic Oct 21 '09 at 03:41
  • Depending on the firewall device you have, it could range from trivially easy to impossibly hard. :) Or you could build a Linux-based firewall and do it through iptables rules, a prospect which is somewhere in the middle. – David Mackintosh Oct 21 '09 at 12:36
1

You're thinking about it wrong.

If you ask the question "Can we connect our networks via a VPN such that they have access to our document management system?" then the answer is yes, that's easy to do.

If you have Cisco on both ends, then you probably just want to set up a site-to-site VPN.

MikeyB
  • Wouldn't a simple site-to-site VPN allow their workstations to see our servers, and our workstations to see their servers? I'd like to avoid that if possible. – Nic Oct 20 '09 at 19:42
  • Modify your transform sets or firewall rules to only permit RDP traffic from their site to your servers as appropriate. – MikeyB Oct 20 '09 at 19:50
  • ACLs limiting RDP traffic to the terminal server don't prevent the terminal server users acting on the terminal server itself. – David Mackintosh Oct 21 '09 at 00:09
  • True, but if you don't trust them to be on the terminal server, you shouldn't be letting them on in the first place. – MikeyB Oct 21 '09 at 01:17
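The two answers and their comments converge on one design: the hosted servers sit in their own DMZ segment, the partner's site-to-site VPN is allowed to reach only RDP on the terminal server, and (David Mackintosh's point) the DMZ itself is prevented from originating traffic toward the internal LAN, because a filter on the RDP path alone does nothing about what a logged-on terminal server user can reach from that box. The script below is an added example, not code from either answer, that expresses that policy as a Linux iptables ruleset in `iptables-restore` format, the "Linux-based firewall" option David Mackintosh mentions. Every address, interface name and the backup agent port are constructed placeholders, and the assumption that the backup server pulls from the DMZ over a single TCP port is the author's own simplification.

```shell
#!/bin/sh
# Emits an iptables-restore ruleset for a Linux firewall that sits between
# three segments: the partner's site-to-site VPN, a DMZ holding the hosted
# (co-located) servers, and our own internal LAN.
# All values below are constructed placeholders for this example.

PARTNER_VPN_NET="10.20.0.0/24"   # partner workstations arriving over the VPN
DMZ_NET="10.99.0.0/24"           # segment for the servers we host for them
TERMINAL_SERVER="10.99.0.10"     # the Terminal Services host they log on to
INTERNAL_NET="10.10.0.0/16"      # our internal LAN
BACKUP_SERVER="10.10.5.20"       # our backup server, which pulls from the DMZ
BACKUP_PORT="10000"              # assumed backup agent port (placeholder)
VPN_IF="tun0"; DMZ_IF="eth1"; LAN_IF="eth0"

gen_dmz_rules() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:DMZ-REJECT - [0:0]
# Return traffic for connections this firewall already admitted.
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# Partner VPN -> terminal server: RDP only. Nothing else from that segment.
-A FORWARD -i $VPN_IF -o $DMZ_IF -s $PARTNER_VPN_NET -d $TERMINAL_SERVER/32 -p tcp --dport 3389 -m conntrack --ctstate NEW -j ACCEPT
# Our backup server -> DMZ hosts on the (assumed) backup agent port, so the
# hosted servers can join the nightly tape run without a second tape drive.
-A FORWARD -i $LAN_IF -o $DMZ_IF -s $BACKUP_SERVER/32 -d $DMZ_NET -p tcp --dport $BACKUP_PORT -m conntrack --ctstate NEW -j ACCEPT
# The DMZ never originates traffic toward the internal LAN or the partner VPN:
# whoever is logged on to the terminal server sees only the DMZ.
-A FORWARD -i $DMZ_IF -o $LAN_IF -d $INTERNAL_NET -j DMZ-REJECT
-A FORWARD -i $DMZ_IF -o $VPN_IF -j DMZ-REJECT
# Partner VPN and internal LAN never see each other directly.
-A FORWARD -i $VPN_IF -o $LAN_IF -j DMZ-REJECT
-A FORWARD -i $LAN_IF -o $VPN_IF -j DMZ-REJECT
# Log policy violations (rate-limited) before dropping, so attempts to cross
# segments show up in syslog; the FORWARD policy drops anything unmatched.
-A DMZ-REJECT -m limit --limit 5/min -j LOG --log-prefix "dmz-policy-drop: "
-A DMZ-REJECT -j DROP
COMMIT
EOF
}

# Print the ruleset; load it with:  gen_dmz_rules | iptables-restore
gen_dmz_rules
```

If the hosted servers turn out to need Active Directory or DNS from the internal side (the "tricky" case in the accepted answer), the same structure applies: add one `NEW`-state rule per required destination host and port from `$DMZ_IF` to `$LAN_IF` above the `DMZ-REJECT` lines, rather than opening the segment as a whole. Review the logged `dmz-policy-drop:` entries after the first nights of backups to confirm that nothing legitimate is being blocked.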