Educause Security Discussion mailing list archives

Re: Campus VPN Services


From: Mark Poepping <poepping () CMU EDU>
Date: Thu, 21 Aug 2003 00:40:24 -0400

in this example:
 . are your "filter-circumvention" requirements many-many or many-few?  i.e.
do people have Exchange servers and file shares all over the place or are
they mostly trying to get to [relatively few] enterprise Exchange servers or
File servers?
 . I guess I'm wondering about the possibility and potential benefits of
providing a general-purpose circumvention (e.g. vpn) for [all] users versus
a special-purpose exception for certain servers/services when you need it
(i.e. block 135, except to known clean servers that need 135 and should be
available)...  I wonder about giving the whole constituency a trapdoor
around whatever port filters.  If there are 10000 systems in homes (that are
largely unprotected from the internet) that have unfiltered access to the
rest of my campus, what does that do to the effectiveness of my filters?  I
know they still help, but I wonder how much, and that weighed against/with
the costs of the vpn..

mark.


-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Mike Iglesias
Sent: Thursday, August 21, 2003 12:03 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Campus VPN Services

Sorry if I missed it somewhere along the way, but is anybody willing to
share a link to their high-level requirements and cost-benefit analysis for
investing in an enterprise vpn (projected benefits weighed against round
numbers for costs in HW, SW, scaling issues, and support)?

We set up our VPN mostly because we were going to close off the NetBIOS
ports and needed a way for people to be able to use them from off-campus
(like for Exchange, mounting shares from home, etc).  We didn't do
much in the way of requirements or cost-benefit analysis because
we knew we needed to do it.  We tried one other brand of VPN
concentrator but it could not authenticate users to our Kerberos
server, and would not be able to in time for us to fully test it, so
we went with Cisco (which we set up to use a modified RADIUS server
to authenticate to Kerberos).


Mike Iglesias                          Email:       iglesias () draco acs uci edu
University of California, Irvine       phone:       949-824-6926
Network & Academic Computing Services  FAX:         949-824-2069

**********
Participation and subscription information for this EDUCAUSE Discussion
Group discussion list can be found at http://www.educause.edu/cg/.
