
Supporting the Vendor

Level 9

Over the last three weeks my posts have focused on end users and remote support tools. This time I want to focus on vendors. In theory you should love the vendors that you work with; they are an extension of your IT team. I know there are the new vendors trying to get new business, and most people try to avoid them like the plague, but there is an exception to every rule. Most vendors have a genuine interest, or at least in my mind a benefit, in seeing their customers succeed.

One thing that can make or break a vendor relationship is remote support. Some vendors have remote support enabled on their systems so they can go directly to the box in question. I am a big fan of this, but the paranoid folks are worried that security may be at risk and usually don’t allow it. I know for Nutanix gear you can set a timer on how long you want the remote tunnel to last. It’s a good option if you’re worried about a vendor using his equipment as a jump box. I think if you’re dealing with a global company this option is great to help remove some of the language barriers that may exist with follow-the-sun support.

If you don’t have the option above, the next step is the dreaded Webex/GoToMeeting. For whatever reason, in a time of crisis you can rest assured you will be downloading the newest client and maybe even playing with a Java update. Usually OK, but doing console work is usually problematic for the person trying to give support. My big beef is that it gets people used to accepting remote connections. Humans are easily fooled, myself included, so if possible I think it best to control access on your own terms. If at all possible, if you can extend your current remote tools to share your screen with the vendor, I think that is ideal.

What do you do for your vendors so they can support your gear on site? Give them a virtual desktop and only give access to their system? VPN with full access? Let them use their own tools?

Curious to hear people's thoughts and if people think of this as a security threat.

31 Comments
Level 10

We typically use webex and/or conference call with Vendor support and have the vendor walk us thru troubleshooting.

Level 13

We've been happy with webex when necessary.  We can monitor what the vendor is doing and sometimes learn a few undocumented troubleshooting secrets.

Something I was very unhappy with a few lifetimes ago was remote support from WatchGuard. WatchGuard support would ask us to enable remote support on the appliance so they could look at the box directly rather than through the GUI we were forced to use. This provided them command line access to the box that we could neither monitor nor access.

MVP

Several of our vendors use Bomgar, which is a pretty good user experience. The download is preconfigured for the connection to the tech.

It's a single executable that needs no firewall ports open and defaults to screen sharing off.

So it seems to work pretty darned well.

Webex/gotomeeting when necessary...echoing others' statements here re being able to see what everyone's doing, etc.

Our helpdesk uses Bomgar internally to help folks off-net, etc. That's been quite useful from a support perspective.

Level 11

Depending on the vendor, we might have an on demand VPN for them, or we might use GoToMeeting or similar.  Many of our products have built in support tools, which we use, but restrict via firewall rules.  Finally, our major vendors have site to site VPN access which is controlled by enabling / disabling their login account in AD/Linux/etc.

As far as new vendors go, I really don't appreciate cold calls and / or blind emails, so generally those vendors go into the round file.  Chances are, if I need a solution, I know about it.  If your product is a top contender to fill a need I have, I'll let YOU know...

MVP

webex here....it allows you to control what they have access to and monitor what they are doing.

It also allows us to recreate and show them how an error occurs...which can be hard to describe and convey in a meaningful manner.

Being a financial institution, we have to make sure the vendor has no access to customer data. 

Regarding new vendors..cold calls and email subscriptions (blind emails, UCE) I never requested pretty much are a deal killer.  They don't even get out of the starting gate.

Domain gets added to vendor spam folder and an unsubscribe sent and logged.  Further reception of the UCE gets replied to with a snippet of the original with the unsubscribe screen shot and a cease and desist.

That usually works....

MVP

Another notch for Webex here as well. It's helpful to see what the customer sees as sometimes an issue reported in a ticket or email is different to what is actually happening. As Jfrazier above mentioned, access to customer data can be an issue so this allows the client to provide us access as they are monitoring what we are doing and can take control if the need arises

Some customers don't mind us having access to the network and provide VPN details that we can use whenever they have an issue or request changes. We can then RDP direct to the box. Other clients have higher security and don't allow remote access at all (including web) so we have to go onsite and work from a provided desktop.

For a lot of our Cisco support we have VPN and console access to the network equipment and servers, although some customers require Webex to use a system as a jumpbox.

Level 10

With day to day support we use Webex or similar products. For longer term support needs I've created specific virtual desktop accounts restricted to only what they should see and help support. I track when these are accessed to 1) make sure they're actually logging in 2) make sure nothing malicious is being done.
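The access tracking described in the comment above could be automated along these lines. This is an added example, not part of any commenter's post; the account names, host names, approved-window table and event tuples are all constructed for illustration and assume logon events have already been exported from your own logs.

```python
from datetime import datetime

# Constructed data: approved support windows per vendor account,
# as (start, end, hosts the vendor may touch during that window).
APPROVED = {
    "vendor-acme": [("2024-03-04T09:00", "2024-03-04T11:00", {"vdi-acme-01"})],
    "vendor-hvac": [],  # account exists, no support window currently approved
    "vendor-idle": [("2024-03-04T13:00", "2024-03-04T15:00", {"vdi-idle-01"})],
}

# Constructed logon events: (timestamp, account, destination host).
EVENTS = [
    ("2024-03-04T09:12", "vendor-acme", "vdi-acme-01"),    # in window, in scope
    ("2024-03-04T10:30", "vendor-acme", "fileserver-02"),  # in window, wrong host
    ("2024-03-05T02:47", "vendor-acme", "vdi-acme-01"),    # no window open
    ("2024-03-05T14:00", "vendor-hvac", "bms-gw-01"),      # never approved
]

def audit(events, approved):
    """Return (timestamp, account, host, reason) for each suspicious logon."""
    findings = []
    for ts, account, host in events:
        when = datetime.fromisoformat(ts)
        windows = approved.get(account)
        if windows is None:
            findings.append((ts, account, host, "unknown vendor account"))
            continue
        # Windows that were open at the moment of the logon.
        open_now = [w for w in windows
                    if datetime.fromisoformat(w[0]) <= when
                    <= datetime.fromisoformat(w[1])]
        if not open_now:
            findings.append((ts, account, host, "outside approved window"))
        elif not any(host in w[2] for w in open_now):
            findings.append((ts, account, host, "host not in scope"))
    return findings

def unused_accounts(events, approved):
    """Accounts with an approved window that never logged in at all."""
    used = {account for _, account, _ in events}
    return sorted(a for a, w in approved.items() if w and a not in used)

if __name__ == "__main__":
    for finding in audit(EVENTS, APPROVED):
        print(*finding, sep="  ")
    print("approved but never used:", unused_accounts(EVENTS, APPROVED))
```
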

MVP

I've never had a problem with a Webex remote support session. For a while, I lived my professional life in Webex.

Of course it's a security risk. You can mitigate that risk, but you can't know the security of the other end of that session. You'd need security controls and monitors in place, along with an isolated segment to restrict that remote session to only the hardware that the vendor is authorized to access.

The virtual desktop approach is a good one, granted you have the controls in place to isolate the vendor. And it's easy to terminate access with this type of solution.

Level 7

It really depends. If this is a vendor we have contracted work from, we usually give them VPN access and control what they can get to via ACLs. In the case of remote support for an application or equipment, we usually utilize the application that the vendor uses for remote support and control access from our desktop. I have to admit that I have had some bad experiences with some of the software being used. I can think of one recent support call where the vendor's tool would not do a copy/paste, so I ended up doing it for the vendor. It made for a very long support call.

Level 13

<Soapbox>

In general, I don't believe it's a security threat, but in specific situations it definitely is. My biggest issues are undocumented back-doors and default support passwords. Sure it makes it easier for the vendor's techs to support your software or hardware if they don't have to look up or ask you what password was set on the device, but seriously...

Even after saying "Don't Do that!" we found a LogMeIn account on a virtual support desktop on one of our VMs installed by a vendor. Really? No. "Bad Vendor", "Bad Vendor, I said No!", "No treat for you!".

And we spent hours cleaning up default vendor passwords on a dozen or so accounts when we had our Cisco Phone system installed. My first question is "Why did you need THAT many admin accounts on the system for individual processes etc...?"

I'm a fan of solutions like Web-ex though, and I'll concede that probably not all vendors are bone-headed. Though I believe and have experienced that enough of them are that an IT guy like me is armed with dozens if not hundreds of "Default" passwords for all kinds of vendors and all kinds of equipment. And I scare myself. What if I wasn't me? Could I use that knowledge for malicious purposes? Would I? I know someone would...

Foot Note: I'm mostly talking about support passwords here, not your typical default equipment passwords that we should all be changing anyway, but those are dangerous too, especially in the hands of some of yesterday's network admins, so convinced that their firewalls are impenetrable, that internal network security is a joke to them.

</soapbox>

Level 9

I work at a school district as a network specialist. I mainly use WebEx/GoToMeeting to let the support tech troubleshoot our networking equipment; with that, I can watch and learn. Using SecureCRT, I log in to the device with my credentials. I change my password once every 90 days. This I can control.

But here we have all kinds of vendors. Vendors who fix freezers, AC units, alarm systems, solar panels and some other networked stuff that I might not be aware of. Now I need to find out how to secure our network VLANs tighter, so there will not be a data breach like the famous chain store.

Level 9

When going the VDI route we had an RDP icon on their desktop so they could get to where they needed to. We never really did do a great job of locking down the networking though.

Level 9

All for changing the default passwords, but now that I work for a vendor I love when they are the same :-). Though I would never log into a system without notifying the customer, due to not knowing what could be running. I am not a fan of ending up in court.

Level 9

Video Conferences & WebEx/GoToMeetings. Never been a fan of letting an outside organization have remote access to any equipment without being able to follow step by step what they are doing.

Level 10

Working as a government contractor, this is not an option. We must disable all remote/call home features. Even on classified or stand-alone networks, the paranoia carries over here too. Our vendor has to come on site to provide any support.

Level 13

You wouldn't, and I understand that... But do you trust me? I don't work for you, I don't even work for the same company as you.

How many of your customers' systems could I infiltrate because I have access to a privileged account due to a default password that I know you use everywhere?

Level 10

Lync Voice baby.

Level 17

Webex if we don't have a Site to Site built out for them. It's sufficient, but I do like Lync better than that.

Anything where I can see what they are doing.

Our newer vendor VPN solution logs each keystroke and mouse click; this system of course they just log in and go... not much more than phone interaction, or Lync if they are good about communication and sharing fixes/preventing breaks.

Level 9

Webex all the way as well....

Level 11

Webex all the way as well. I like to know what the support guys are doing, esp. if the issue is a recurring one; it makes the troubleshooting process easier.

And for our trusted 3rd parties, Citrix Access Gateway is the way to go, with SMS tokens.

Level 21

Most vendors I work with already have their own remote tools to support my applications, etc. If they don't, I use GoToMeeting; after having such great experiences using it with SolarWinds support, I had our company sign up for it.

MVP

Most of it is achieved through Lync for calls in here

Level 12

As a vendor, coming from the other side, I primarily use GoToMeeting.  The occasional client will provide me with VPN access.  From there, I've had some lock it down so I can only get to the hosts needed (sometimes less) and then I've had some leave it wide open for me.

Level 11

We have given certain users access to our network, either through direct VPN or a Citrix login to our systems. If it is a company that has neither and we want them in, we will set up a TeamViewer or Webex session or something like this.

Level 13

I have spent countless hours on webex or goto meeting as the vendor and as the person booking the vendor.  These collaboration tools have changed the way business is handled.  Good stuff!

Level 13

We just started using LogMeIn to provide remote support to our users.  Or let me say, our IT staff does this. 

Level 10

I have used several different platforms in the past, from VNC, LogMeIn, join.me, WebEx, to Dameware, and Bomgar. Personally I think they all have their place. I liked LogMeIn, Dameware, and Bomgar the most. I really, really like Bomgar for ease of use, features, and how secure it is compared to the others. Bomgar does come at a price though.

Level 12

Lync voice sevier.toby..., Skype calls, webex sessions....

Level 9

Webex all the way

Level 15

Webex and LogMeIn seem to be popular with our IT staff. Not much of a fan of allowing outsiders in without being able to audit what they are doing and where they are going.