Educause Security Discussion mailing list archives
Re: Student's Own VPN on Campus
From: "Boyd, Daniel" <dboyd () BERRY EDU>
Date: Wed, 5 Oct 2016 13:20:22 +0000
Oddly enough, no student has ever mentioned (at least to IT, which here is not uncommon) using a VPN for gaming, although it does make sense that would be a valid use case, although difficult to ascertain compliance to. I'll have to poll our IT student workers on that particular scenario.

There are IP reputation and handshake matching signatures for the most abused VPNs and similar services. Tor, Hola, and other VPN and VPN-like services are blocked here and we have yet to receive a complaint. Doesn't mean they didn't just beat the firewall somehow (it is fairly inevitable), but I see this traffic blocked all the time in our logs.

I think everyone, including myself, sees the writing on the wall. I see it in all my logs. The percentage of traffic that is SSL encrypted is growing, which is both good and bad. DPI through SSL/MITM analysis is both resource intensive and not very transparent to set up, depending upon your on-boarding process and what types of devices you allow on the network.

I wish us all luck and large budgets! :)

Dan

Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax: 706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1

From: McClenon, Brady [mailto:Brady.McClenon () ONEONTA EDU]
Sent: Tuesday, October 04, 2016 11:32 AM
Subject: Re: Student's Own VPN on Campus

For the second scenario, you missed what is probably the most popular reason our students use VPNs, which is for gaming. They help protect against DDOS attempts by unethical opponents and in some cases reduce latency.

I'm also not sure how you would block usage of outgoing VPN connections. If I connect to an SSL/TLS VPN on port 443, how would it be distinguished from normal HTTPS traffic?

Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta
607-436-3203

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, Daniel
Sent: Wednesday, September 28, 2016 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student's Own VPN on Campus

Since I am still fuzzy over the details on this question, I'm going to answer it both ways.

If a student (or students) requires a VPN to access a particular on-campus resource, then consideration should probably be given to make this available through the firewall with appropriate restrictions. If it is a one-off requirement, such as a research project where the student needs access to data stored on campus-only servers, then a highly restricted VPN account could be issued on an existing VPN server. Almost all VPN servers allow for some type of individual restriction at the user level.

If it is what I suspect, a VPN to go outbound from the campus network, absolutely not (with an exception). The campus firewall provides enough anonymity already, there is no need to allow an outbound VPN connection - these services are typically used to circumvent campus security and firewall policy (in our case, to bypass the ban on torrent traffic) or to gain access to geo-fenced resources that are not meant to be accessed from particular locales.

Of course, there is always an exception, again relating to one-off situations where a student is working or interning at a company that requires VPN access for security reasons. In this case, again, apply all necessary restrictions to make sure the VPN is used as intended (firewall schedules, restrictions on source or destination, etc.).

A lot of possibilities, and a lot of room for misuse, but generally, no, not a good idea.

Dan

From: Fisch, Neal [mailto:Neal.Fisch () CSUCI EDU]
Sent: Monday, September 26, 2016 4:19 PM
Subject: Student's Own VPN on Campus

Good afternoon all,

I've received a request from a student who wishes to utilize their own personal VPN on our campus. My questions to the group are:

1. Do you see any risks to allowing this, and if so what are they?
2. Do you see any benefits to allowing this and if so what are they?

Thank you for your time.

Neal

Neal Fisch
Director, Enterprise Services and Security
Information Security Officer
Division of Technology & Communication
California State University Channel Islands
One University Drive, Camarillo CA 93012
Solano Hall - Room 2178
Email: neal.fisch () csuci edu
Voice: 805-437-3278 | Mobile: 805-443-6529 | Fax: 805-437-3377