
Comment Vendor Applications (Score 1) 258

Don't think of this as a small scale issue. Design "security zones" providing the requirements for the enterprise, the vendor and external connectivity. An ASP environment is a long way toward that goal. If the company you work for is serious about security, they will be willing to foot the bill for a completely independent network security zone for the vendor application(s). Contact the most appropriate vendor for your firewall (Checkpoint comes to mind) and discuss the options with the vendor. Then, make sure you log everything important in the firewall.

Another completely independent network that makes sense to have available is a management network. Separate from the "data network" and definitely in a different security zone. It should be a separate "security zone" from your general data network. It might also make sense to connect to it only by VPN. This network would contain all of the SNMP and console activity. This can be built on a general network using GRE tunnels (IPSec if you really desire security) and/or extended with L2TP. At the very least, you would have sufficient logging in the VPN and system to track vendors' activity.

I would also consider building a completely separate non-routed network for backup. Offload all backups to a network that doesn't touch any other environment.

Also, if a vendor wrote a program that can only run as su -, find another vendor. Their application was written unrealistically.

So, in the end state, you'll be running multiple networks. Keep it simple, separated, secure and logged.
