Educause Security Discussion mailing list archives
Re: VPN Security
From: Rossella Mariotti-Jones <rossella.mariotti.jones () CHEMEKETA EDU>
Date: Fri, 5 Jun 2015 09:45:46 -0700
Hello Kevin,

Here at CCC, VPN access for staff/faculty and vendors has to be approved by IT first. VPN requests must come in via TAC with a supervisor approval and an account number to which we charge the $40 one-time fee. We charge this small fee to discourage colleagues from requesting VPN when they don't have an absolute business need to connect. The fee is not required for IT staff and "vendors" (energy management contractors, etc.).

We very rarely approve VPN on users' devices because it becomes a nightmare to make sure they're clean enough to be dropped on the inside, plus usually most college executive and IT staff have college-provided devices. We also don't have the infrastructure or the staff in place to verify AV on BYODs.

We control our VPN security tightly, and access depends on the tunnel group a user lands on, the user IP and the access-lists associated with TG and IP. Users are assigned to tunnel groups depending on what their needs are, and that's the only way in they have; additional access requires a TAC. For example, a contractor who manages our door lock system has a specific IP address assigned at login and can access only one server.

I'm not sure what your VPN user population looks like, but we try to keep it very small. In fact, if I look at the firewall during the day I usually don't see any more than 8 to 10 users connected, but we have about 50 total in the system. We haven't had any issues so far, except just sometimes a vendor might call us because their VPN dropped unexpectedly and they can't reconnect, so we have to clear them out and it's fixed (we limit some tunnel groups to only one concurrent connection, and sometimes it sticks).

Just my 2 cents. Hope it helps.

rossella mariotti-jones | network analyst | information technology | chemeketa community college | p: 503-589-7775 | e: rmariott () chemeketa edu

On Fri, Jun 5, 2015 at 8:34 AM, Kevin Reedy <KReedy () excelsior edu> wrote:
Hi All,

We are looking into rolling out VPN access in addition to our more standard Citrix application publication for certain users that have more specialized needs that can't be easily met by application publishing. We have many options on how to secure client VPNs, and will be using two-factor authentication. I'd like to do more; if you are actively using software VPN for employees with any of the following, I'd love to hear how it is working for you:

Only authorized endpoints. Users would have to make the request and get the device registered with IT in order to use it to access VPN.

Only institutional devices. Similar to above, but only college devices would be allowed to connect. We are not BYOD and don't have the infrastructure in place to verify AV etc. on other devices.

Using firewall rules to limit services. This may be the most work of them all, but it allows us to create pretty granular control over who can access what.

If you are using none of the above, what sort of issues have you encountered? Infected devices on the VPN, etc.?

Thanks in advance!

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720

This message and any attachments contain confidential Excelsior College information intended for the specific individual and purpose. If you are not the intended recipient, you should notify the College and delete this message. Any disclosure, copying, distribution or inappropriate use of this message is strictly prohibited.
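The tunnel-group, fixed-address and access-list model Rossella describes above (one vendor, one assigned IP, one reachable server, one concurrent login), written out as an added configuration example that comes from neither poster. The thread does not name the VPN platform, so this assumes a Cisco ASA, and every name and address in it is a constructed placeholder.

```cisco
! Constructed example; assumes a Cisco ASA (not named in the thread).
! All names and addresses are placeholders.

! The only traffic this group may generate: the vendor's fixed VPN
! address to one internal server on one port. Source is the client
! address, which is the vpn-filter convention for remote-access ACLs.
access-list VPN_DOORLOCK_VENDOR extended permit tcp host 10.99.1.10 host 10.10.20.5 eq 443
access-list VPN_DOORLOCK_VENDOR extended deny ip any any

! Group policy: the ACL is applied as a vpn-filter and the group is
! held to a single concurrent login, as the post describes.
group-policy GP_DOORLOCK_VENDOR internal
group-policy GP_DOORLOCK_VENDOR attributes
 vpn-filter value VPN_DOORLOCK_VENDOR
 vpn-simultaneous-logins 1
 vpn-idle-timeout 30

! Local vendor account pinned to that policy, to the fixed address the
! ACL refers to, and locked to its own tunnel group so it cannot land
! in a broader one.
username doorlock-vendor password <placeholder>
username doorlock-vendor attributes
 vpn-group-policy GP_DOORLOCK_VENDOR
 vpn-framed-ip-address 10.99.1.10 255.255.255.0
 group-lock value TG_DOORLOCK_VENDOR

! The tunnel group the vendor lands on; its default policy is the one above.
tunnel-group TG_DOORLOCK_VENDOR type remote-access
tunnel-group TG_DOORLOCK_VENDOR general-attributes
 default-group-policy GP_DOORLOCK_VENDOR
```

The "clear them out" step for a stuck single-login session is the exec-mode command `vpn-sessiondb logoff name doorlock-vendor`, after which the vendor can reconnect.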