Educause Security Discussion mailing list archives

Re: Remote Access Policies


From: Bill Terry <wterry () BARD EDU>
Date: Mon, 14 Jul 2008 23:10:33 -0400

Todd -
Gary's model makes sense.  Charlie's idea of a thin client certainly
gives you a bit more control but may require more resources.

I've worked as a lead on two deployments of Cisco's IPSec VPN, one with
full availability to 16,000 employees.  In both cases this was not
generally made available to students.  After testing/trials, the client
was distributed via CD and intranet download.  With proper
documentation, support is generally not an issue - and we generally did
not offer support.

Users do need to understand that this is a use of your resources and all
security / privacy rules do apply.

Users need to clearly understand that using the VPN is not the same as
simply "surfing" from home - they should not use it in any way that they
would not use resources while on campus, and that it is easy to forget
that one is connected.

All home computers must have properly configured anti-virus software
installed.  You may want to limit use to laptops issued by your
institution.  Individual authentication via Radius/LDAP, etc. with
logging is essential.  I believe we distributed the group user names and
passwords encrypted on the CD.  The usual reminders about not sharing
names and passwords apply, too.

In one implementation we displayed a log-on message that required a
simple acknowledgment - adherence to policies was required, use could be
logged and monitored, failure to comply could result in discipline
and/or prosecution.

I can supply a log-on message (attorney vetted) and some policy
boilerplate.  Please contact me off-line.

We are preparing to roll it out at Bard College over the next few months.

Bill Terry

Assoc. Dean of Information Services & CTO
Henderson Computing Resources Center
Bard College
PO Box 5000
Annandale-on-Hudson, NY 12504-5000

845-758-7495 work
845-758-7035 fax




Gary Dobbins wrote:
Todd,

I can't speak for how prevalent this model is, but in our case the VPN is
positioned mainly as a way of getting "on" the campus LAN, and not a form
of access in and of itself.  Access to information is governed by the
systems and applications, not the VPN.  Therefore, our VPN is just a
location-shifter (makes you "local" so non-public-serving systems don't
need to trust the whole world) and thus its use is covered by the same
overarching Responsible Use Policy that covers activity when physically
using the campus net.


-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Todd Bossaller
Sent: Monday, July 14, 2008 7:59 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Remote Access Policies

Does anyone have any policies or rules they would be willing to share for remote
access (VPN) to their institution?  Are there any legal policies/procedures I should
be aware of?

Thank you,

Todd Bossaller
Systems Administrator
Missouri Valley College
500 E College St
Marshall, MO 65340
660.831.4088
bossallert () moval edu
