Reply to Bigpaddy_Irl
Re: [Bus. Ops] Taking on an IT Support Tech
So in my experience, this is what I would do:
Authentication to each device is controlled via a central authentication server. In Cisco/Juniper land this would typically be TACACS. That way, there is a single (or perhaps two if using redundant servers) place where authentication can be controlled, meaning if you need to lock a user out, or change the password used to access your devices, you have minimal places to do it for maximal effect. TACACS can also log commands that are executed on the router, so you can review what has been going on.
Second, a central authentication server for logging in to PCs and servers in the office could also be employed. This could be the same server that is doing TACACS, and for *nix systems can be achieved with LDAP. This gives the same benefit, in that you have minimal places to change a password or disable an account to prevent access to office computers, servers etc.
And finally, access to office PCs/servers/etc, and other NOC-based devices that allow further access into the network, should only be accessible via VPN from outside the office/NOC. Once again, authentication can be controlled centrally to prevent a user from logging in to the VPN to get access to your network.
And naturally, the use of ACLs to protect the management interfaces of your devices so that they are only accessible from office/NOC subnets will help to prevent someone from trying to brute force their way in from the outside, or perhaps stop them exploiting vulnerabilities that might exist. Particularly useful for devices that can't have their authentication centrally controlled - make them accessible only from somewhere that can.
And of course, if you do ever feel the need to let someone go on bad terms, with centrally controlled authentication you can disable their accounts before you give them any hint that you're about to boot them.
If they do manage to do something, backups would likely be key. You can also report them to the police; this kind of thing isn't usually taken lightly.
You should ideally have them shadow you for a couple of months, rather than trying to dump it all on them over a short period of time. Have them come up with configurations and ask them to solve problems so you can judge their competency. Only after you are confident that a) they won't break the network accidentally, and perhaps b) you don't feel like they are going to turn on you, then you could allow them unsupervised access.
Back up configurations of routers, switches, etc., and rotate backup media from the site between other locations they wouldn't have access to, like your house.
Authentication servers and backups may be something you need to keep hold of to ensure that they aren't interfered with, since they are your life lines.
I suppose other than that, it's all down to process. Have plans and procedures documented somewhere about how to retrieve backups and reinstate them onto fresh devices if need be. In times of panic it's nice to have a pre-formed list of steps that doesn't exist only in your mind, where you might forget something. And in the case that you aren't around when things go wrong, you might need to rope in someone else who isn't familiar with it all; they'll have something to work from.
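Putting the central-authentication, command-logging and management-ACL points from the reply above into one place, here is an added example that is not part of this thread or the poster's own setup: a Cisco IOS-style fragment that sends login, enable and command authorization to a redundant pair of TACACS+ servers, records every privileged command, keeps a single local break-glass account for when both servers are unreachable, and restricts the VTY lines to the office/NOC subnets. The server addresses (192.0.2.10/11), the office and NOC subnets (10.10.0.0/24 and 10.20.0.0/24), the group and ACL names and the account name are constructed placeholders; exact syntax differs between IOS releases and vendors, so treat it as a pattern to adapt rather than a paste-ready configuration.

```text
! Enable the AAA model so logins are no longer decided per line
aaa new-model
!
! Two TACACS+ servers (constructed addresses) so one outage does not lock
! everyone out. The shared secret is a placeholder; set it per site.
tacacs server NOC-TACACS1
 address ipv4 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
tacacs server NOC-TACACS2
 address ipv4 192.0.2.11
 key REPLACE-WITH-SHARED-SECRET
aaa group server tacacs+ NOC-TACACS
 server name NOC-TACACS1
 server name NOC-TACACS2
!
! Authentication and enable go to TACACS+ first; "local" is only reached
! when no server answers, so a disabled account stays disabled server-side.
aaa authentication login default group NOC-TACACS local
aaa authentication enable default group NOC-TACACS enable
!
! Per-command authorization and accounting: this is what lets the TACACS+
! server both restrict and log the commands a junior tech actually runs.
aaa authorization exec default group NOC-TACACS local
aaa authorization commands 15 default group NOC-TACACS local
aaa authorization config-commands
aaa accounting exec default start-stop group NOC-TACACS
aaa accounting commands 15 default start-stop group NOC-TACACS
!
! Single break-glass account for server outages. Keep its secret sealed
! off the device (the same place the backup media rotates to), not shared.
username break-glass privilege 15 secret REPLACE-WITH-BREAK-GLASS-SECRET
enable secret REPLACE-WITH-ENABLE-SECRET
!
! Management ACL: only the office and NOC subnets (constructed) may reach
! the VTY lines. VPN users land in one of these ranges, so there is one
! central choke point for who can even attempt a login. Denied attempts
! are logged so brute-force noise from elsewhere is visible.
ip access-list standard MGMT-ACCESS
 permit 10.10.0.0 0.0.0.255
 permit 10.20.0.0 0.0.0.255
 deny   any log
!
line vty 0 4
 access-class MGMT-ACCESS in
 transport input ssh
 login authentication default
 exec-timeout 10 0
```

Two things worth checking after applying a pattern like this: log in from a NOC address and from an outside address to confirm the ACL deny fires and is logged, and temporarily take both TACACS+ servers off the network in a maintenance window to confirm the local fallback actually works before you depend on it in an emergency.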