VPN Security Dilemma

Foo
Posts: 13840
Joined: Thu Aug 03, 2000 7:00 am
Location: New Zealand

VPN Security Dilemma

Post by Foo »

Here's an interesting scenario that keeps cropping up:

You've got a corporate network behind a firewall, fairly standard setup. An external company has a system within your network on one of your servers, and they want VPN access in to the server to carry out support work.

You can't trust an external company with unrestricted access to your network.

But they legitimately need access to the server.

What would be your approach to solving this? The best solution I've come up with so far is an on-demand VPN where the dial-in right is disabled for the user and needs to be enabled each time by local IT staff.

Ideas?
^misantropia^
Posts: 4022
Joined: Sat Mar 12, 2005 6:24 pm

Re: VPN Security Dilemma

Post by ^misantropia^ »

Put it on a different subnet and adjust your firewall/routing table to keep it out of your main network? Might not be feasible in all cases, of course.
+JuggerNaut+
Posts: 22175
Joined: Sun Oct 14, 2001 7:00 am

Re: VPN Security Dilemma

Post by +JuggerNaut+ »

^misantropia^ wrote: Put it on a different subnet and adjust your firewall/routing table to keep it out of your main network? Might not be feasible in all cases, of course.

This is how it's set up here for IBM/EMC.
Underpants?
Posts: 4755
Joined: Mon Oct 22, 2001 7:00 am

Re: VPN Security Dilemma

Post by Underpants? »

I wondered if this question came up elsewhere? We had a support team for some wacky (it was crazy i tells you) third-party database, a team which also happened to support competing firms all over the place! Well next thing you know, I gave them access to an slc terminal console profile that allowed only the bmc / serial port 1 access. I also dropped all routes outside the internal lan on the server, but that might very well have been utterly fucking retarded, looking back.
Tormentius
Posts: 4108
Joined: Sat Dec 14, 2002 8:00 am

Re: VPN Security Dilemma

Post by Tormentius »

^misantropia^ wrote: Put it on a different subnet and adjust your firewall/routing table to keep it out of your main network? Might not be feasible in all cases, of course.

I have to deal with the same issue at my main network and this was the solution. If it's a Windows box they could also use RDP which alleviates some of the concern of a possibly compromised system connecting directly to the new subnet.