
Opening firewall for contractor

A contractor wants us to open our firewall so he can use our network and our Internet connection to virtual private network into his corporate network for e-mail, etc. What exposure do we have?

This is somewhat dependent on the virtual private network (VPN) and firewall being used. However, to answer this in general, you are increasing your exposure any time you have to open firewall ports. If you only need to open "outbound" connections, the risk is fairly minimal. If you also need to open inbound ports, the risk may be somewhat greater, depending upon whatever other security measures are in place.

Is it possible that the contractor can use a connection to the Internet that is outside of the firewall? Perhaps the contractor can position his connection such that his machine is between the router leading to the Internet and the corporate firewall. The VPN would then not need any ports opened on the firewall.

There might be other issues to prevent that. For instance, if your firewall is doing Network Address Translation (NAT), any terminal outside the firewall will not benefit from that. So, the terminal will need a valid public IP address, not a private IP such as those issued behind the firewall. The terminal outside the firewall will also have access to your corporate network controlled by the firewall the same as any other computer on the Internet. If the contractor needs access to both, you might consider dedicating a terminal outside the firewall just for e-mail via the VPN and let him continue his other activities from his normal locations.

This was last published in August 2001
