We've got an HVAC vendor with remote access to our HVAC controls. I have a policy set to allow access to our HVAC from their home office IP to one of our external IPs and a Fortigate VIP to an internal address. The only services allowed on this policy are a list of TCP ports they need to access the HVAC.
Here's the issue: They changed their support to field technicians who want to access our site via hotspots while they are out in the field, not their home office.
What are some best practices for adjusting the sources on the policy to accommodate these hotspots without opening up this public IP to all the world? Since they are using their cell phones, I don't think I can whitelist a set of addresses, because they'll keep changing. What are the best practices here? Thank you.
Since their public addresses change, I would say that the best practice would be for the vendor to use their own VPN so they can guarantee what IP they would be accessing it from.
But if that's not possible I would say that a Fortigate SSLVPN is the best solution, so you add an additional layer of authentication and don't expose the HVAC to the public internet. Might even be possible that you can use the clientless SSLVPN to control the system.