Step 1: Investigate the CCTV vendor's VPN access
If you asked Fatima the right questions in Unit 1 about remote access, you already know about this. If not, the assessment itself reveals it: the cctv-manager container has port 1194 open -- the standard OpenVPN port. A third-party security company manages CCTV remotely across all 12 buildings through a VPN connection.
Think about what this means. If the third-party vendor's systems are compromised, the attacker gets a direct tunnel into Maskan Properties' network. The VPN connection is designed for the vendor to manage cameras, but network access is network access. Can the VPN reach only the CCTV system, or does it provide broader access?
Step 2: Assess the VPN against segmentation
Test whether the segmentation from Unit 3 limits the VPN's blast radius.
From the CCTV container (simulating the vendor's perspective), scan the other zones. Can the cctv-manager container reach the BMS? The access control system? The management zone?
If your segmentation is working correctly, the VPN access is limited to the surveillance zone. The vendor can manage cameras but cannot reach building management, access control, or tenant systems. The segmentation you built in Unit 3 is the control that limits the damage if the vendor is compromised.
If the segmentation is not working for this path -- if the CCTV container can still reach other zones -- that is a gap you need to address.
Step 3: Investigate the shared fiber connection
Two of Maskan's buildings share a fiber connection and a single firewall. This was a cost-saving measure during construction.
In the Docker environment, the tenant-wifi-1 and bms-doha containers share an additional network (the shared-fiber network) alongside their zone networks. Test whether this shared connection creates a path that bypasses the zone segmentation.
The shared fiber creates two risks: a single point of failure (if the shared firewall goes down, both buildings lose connectivity) and a potential cross-building pathway (if traffic can route through the shared connection instead of going through zone boundaries).
Document both risks. The single point of failure is an infrastructure risk. The cross-building pathway is a segmentation risk. Both need separate remediation recommendations -- dedicated fiber connections for each building, or at minimum, distinct firewall rules per building on the shared hardware.
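The reachability tests in Steps 2 and 3 can be scripted so the same check is repeated after every firewall change. The script below is an added example, not part of the course's lab files: it encodes the expected zone policy from Unit 3 as allow/deny lines, probes each target from a source container with `docker exec` and `nc`, and reports every mismatch as a VIOLATION. It assumes docker is on PATH and that the containers have `nc` with the `-z`/`-w` options; every container name and port other than cctv-manager, tenant-wifi-1 and bms-doha (the names the lab gives) is a placeholder to replace with the lab's real values.

```shell
#!/bin/sh
# Zone reachability check for the Maskan lab (added example; not the course's
# own lab script). For a source container it probes TCP reachability to each
# target in a policy list via `docker exec ... nc`, then compares the observed
# result with the expected "allow"/"deny" from the Unit 3 segmentation design.
# Assumptions: docker is on PATH, the containers have `nc` (netcat) with -z/-w,
# and every container name or port below other than cctv-manager, tenant-wifi-1
# and bms-doha is a placeholder to be replaced with the lab's real values.

# probe SRC HOST PORT: succeed only if SRC can open a TCP connection to HOST:PORT.
probe() {
    docker exec "$1" nc -z -w 2 "$2" "$3" >/dev/null 2>&1
}

# check_path SRC HOST PORT EXPECT: print one result line; return 1 on a mismatch.
check_path() {
    src=$1; host=$2; port=$3; expect=$4
    if probe "$src" "$host" "$port"; then observed=allow; else observed=deny; fi
    if [ "$observed" = "$expect" ]; then
        printf 'OK        %s -> %s:%s (%s)\n' "$src" "$host" "$port" "$observed"
        return 0
    fi
    printf 'VIOLATION %s -> %s:%s expected %s, observed %s\n' \
        "$src" "$host" "$port" "$expect" "$observed"
    return 1
}

# Step 2 policy (vendor perspective): the VPN should reach cameras and nothing else.
# Columns: host port expect ; anything after the third column is a comment.
cctv_policy() {
cat <<'EOF'
cctv-camera-1     554  allow   camera RTSP stream: legitimate vendor management path (placeholder host)
bms-doha          80   deny    building management zone must be unreachable from the VPN (placeholder port)
access-control-1  80   deny    access control zone (placeholder host)
mgmt-jumphost     22   deny    management zone (placeholder host)
tenant-wifi-1     80   deny    tenant systems (placeholder port)
EOF
}

# Step 3 policy: the shared-fiber network must not bypass the zone boundaries.
shared_fiber_policy() {
cat <<'EOF'
bms-doha          80   deny    tenant Wi-Fi must not reach the BMS over the shared-fiber network
EOF
}

# run_policy SRC POLICY_FN: check every line of POLICY_FN from container SRC.
# Sets VIOLATIONS to the number of mismatches and always returns 0, so the
# caller decides how to react to the count.
run_policy() {
    src=$1; policy_fn=$2; VIOLATIONS=0
    while read -r host port expect _comment; do
        [ -z "$host" ] && continue
        check_path "$src" "$host" "$port" "$expect" || VIOLATIONS=$((VIOLATIONS + 1))
    done <<EOF
$($policy_fn)
EOF
    printf '%s: %d violation(s)\n' "$policy_fn" "$VIOLATIONS"
    return 0
}

# Usage: sh segcheck.sh cctv-manager cctv_policy
#        sh segcheck.sh tenant-wifi-1 shared_fiber_policy
# With no arguments nothing runs, so the functions can also be sourced.
if [ $# -eq 2 ]; then
    run_policy "$1" "$2"
    exit "$VIOLATIONS"
fi
```

A zero exit status means the observed reachability matches the Unit 3 design; any VIOLATION line is exactly the gap Step 2 and Step 3 ask you to record. Because the policy is a plain list, adding a new zone or a newly discovered port is one line, and re-running both policies after a firewall change shows whether the fix closed the path without opening another.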
Step 4: Document findings and recommendations
Compile the VPN and shared fiber findings into the assessment documentation:
VPN finding: Third-party CCTV vendor has VPN access to all 12 buildings. If the vendor is compromised, the attacker gains network access to the surveillance zone. Segmentation limits the blast radius to the surveillance zone (if properly configured). Recommendation: scope-limit the VPN to specific CCTV management ports, implement network-level monitoring of VPN traffic, and require the vendor to meet minimum security standards.
Shared fiber finding: Two buildings share a fiber connection and firewall. Single point of failure for both buildings. Potential cross-building pathway depending on firewall configuration. Recommendation: dedicated fiber connections for each building (long-term) or strict per-building firewall rules on shared hardware (immediate).
Step 5: Handle the insurance company's scope creep
Fatima forwards a message from the insurance company. They want to know whether Maskan has a policy for managing third-party vendor access. This is directly related to the CCTV vendor finding.
The question is about policy, not technical assessment. A vendor access policy covers: how vendors are granted access, what they can access, how their access is monitored, and how access is revoked when the engagement ends. That is a governance document, not a network scan.
The right response: note the vendor access policy as a recommendation in the remediation plan. Acknowledge the insurance company's concern -- it is legitimate, especially given what the assessment found about the CCTV VPN. But do not expand the technical assessment scope to include policy writing. The assessment scope covers network segmentation. Vendor access policy is a separate work item.
Fatima appreciates the distinction. She understands that the technical assessment found a related issue (the VPN access) and that the policy question is a natural follow-up -- but a different engagement.
Check: VPN access assessment shows what the vendor can reach (and whether segmentation limits it). Shared fiber finding documented with single-point-of-failure risk. Insurance company's vendor policy request handled as a recommendation, not a scope expansion.