Opening firewall for contractor
A contractor wants us to open our firewall so he can use our network
and our Internet connection to virtual private network into his corporate network for e-mail, etc.
What exposure do we have?
This is somewhat dependent on the virtual private network (VPN) and firewall being used. However, to answer this in general, you are increasing your exposure any time you have to open firewall ports. If you only need to open "outbound" ports, the risk is fairly minimal. If you also need to open inbound ports, the risk will be somewhat greater, depending upon whatever other security measures are in place.

Is it possible that the contractor can use a connection to the Internet that is outside of the firewall? Perhaps the contractor can position his connection such that his machine is between the router leading to the Internet and the corporate firewall. The VPN would then not need any ports opened on the firewall.

There might be other issues to prevent that. For instance, if your firewall uses Network Address Translation (NAT), any terminal outside the firewall will not benefit from that. So, the terminal will need a valid public IP address, not a private IP, as can be issued behind the firewall. The terminal outside the firewall will also have access to your corporate network controlled by the firewall, the same as any other computer on the Internet. If the contractor needs access, you might consider dedicating a terminal outside the firewall just for e-mail via the VPN and let him continue his other activities from his own workstation.
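The outbound-only versus inbound distinction in the answer above can be made concrete with a small stateful-policy model. This is an added example, not part of the original column; it assumes the contractor's VPN is IPsec over UDP 500/4500 and uses constructed addresses (10.0.0.25 for the contractor's machine, 203.0.113.10 for his corporate VPN gateway), none of which appear in the original question.

```python
from dataclasses import dataclass

# Constructed values for the illustration (not from the original page).
CONTRACTOR = "10.0.0.25"      # contractor's machine on the internal LAN
VPN_GW = "203.0.113.10"       # his corporate VPN gateway on the Internet
VPN_PORTS = {500, 4500}       # IKE / NAT-T, assuming an IPsec VPN


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    direction: str  # "out" = LAN to Internet, "in" = Internet to LAN


# Constructed sample traffic: the VPN handshake, its reply, and two probes.
FLOWS = [
    Flow(CONTRACTOR, VPN_GW, 500, "out"),           # contractor starts IKE
    Flow(VPN_GW, CONTRACTOR, 500, "in"),            # reply to that handshake
    Flow("198.51.100.7", CONTRACTOR, 4500, "in"),   # unsolicited, some other host
    Flow(VPN_GW, CONTRACTOR, 22, "in"),             # unsolicited, non-VPN port
]


def evaluate(flows, inbound_open):
    """Map each flow to (verdict, reason). Replies to connections the contractor
    opened are accepted statefully; other inbound traffic is accepted only when
    the firewall carries an explicit inbound hole (inbound_open=True)."""
    verdicts = {}
    established = set()  # (src, dst, dport) of replies we expect to see
    for f in flows:
        if f.direction == "out":
            ok = f.src == CONTRACTOR and f.dst == VPN_GW and f.dport in VPN_PORTS
            if ok:
                established.add((f.dst, f.src, f.dport))
            verdicts[f] = ("allow", "outbound") if ok else ("drop", "policy")
        elif (f.src, f.dst, f.dport) in established:
            verdicts[f] = ("allow", "reply")
        elif inbound_open and f.dst == CONTRACTOR and f.dport in VPN_PORTS:
            verdicts[f] = ("allow", "inbound-hole")
        else:
            verdicts[f] = ("drop", "policy")
    return verdicts


def exposure(flows, inbound_open):
    """Unsolicited inbound flows the policy admits: the added risk of opening
    inbound ports. Empty for an outbound-only rule set."""
    v = evaluate(flows, inbound_open)
    return [f for f in flows if v[f][1] == "inbound-hole"]
```

With an outbound-only rule the handshake and its reply both pass while every unsolicited inbound flow is dropped; opening the inbound ports admits the probe from the unrelated host as well.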
This was first published in August 2001