Educause Security Discussion mailing list archives

FW: IU's VPN deployment


From: "Bruhn, Mark S." <mbruhn () INDIANA EDU>
Date: Thu, 21 Aug 2003 18:39:54 -0500

-----Original Message-----
From: Zeller, Tom S
Sent: Thursday, August 21, 2003 6:02 PM
To: Bruhn, Mark S.
Subject: IU's VPN deployment

Here is an overview of Indiana University's VPN implementation:

For each of our two major campuses (~40,000 and 28,000 students) we have a Cisco 3030 that can handle 1500 
simultaneous PPTP connections and 45 mb/sec.

We use PPTP because it mostly avoids the client distribution and update issues.  Only Mac OS 9 clients need to be 
purchased.  We bought 100 copies to get them at ½ price.

PPTP is arguably not quite as secure as IPSEC, but using MS-CHAP v2 is arguably strong enough for general use.  See 
the detailed cryptanalysis of PPTP at http://www.counterpane.com.

We use the same VPN server for remote connections and to protect our wireless network.  All wireless access points on 
a campus (about 400 and 200 APs) are on a single VLAN, eliminating the mobility/multiple subnet problem.  When the 
broadcast traffic becomes too high for a single VLAN we plan to split the VLAN into two geographically.  Only DNS, 
DHCP, and PPTP (port 1723 and GRE) traffic is allowed through the routers, the latter only to our VPN servers.  This 
forces wireless users to create a VPN connection, providing authentication, logging, and encryption.  No known (to 
us) Unix RADIUS servers provide an MPPE key so we use Microsoft's IAS server for this function.

Last year usage peaked daily at about 450 users total and less than 30 mb/sec and averaged about half that.  The 
traffic was evenly split between remote and wireless use.  We expect that to at least double this year with more 
wireless deployed, more wireless-enabled laptops arriving, and the new requirement to use VPN for remote Outlook 
sessions (thanks to ms-blaster).  We are buying another 3030 and will load balance using DNS rotoring.

We also use the VPN server to provide specific blocks of IP addresses to specific groups of accounts as a way to lock 
down access to certain hosts and subnets.

Today we began using the filtering feature of the 3030 to block all port 135 traffic except to our Exchange and ADS 
servers.  At the moment (8/21) about 4% of the traffic is being blocked.

We also plan to deploy a set of 3030s for the School of Medicine to solve a problem with faculty who work in partner 
hospital locations.  All partners have agreed to allow traffic from these servers through their firewall.  This 
allows access to partner resources from on-campus and campus resources from partner locations and provides a more 
secure connection between the partners.  This setup is a bit more complicated than that as each partner only wanted 
to allow traffic from users it authorized.  We have developed a scheme that will accomplish that.

For more information contact:

Tom Zeller
Indiana University
812-855-6214
zeller () Indiana edu
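The two filtering rules in the message above (the wireless-VLAN router ACL that passes only DNS, DHCP, and PPTP/GRE to the VPN servers, and the 3030 filter that blocks port 135 except to the Exchange and ADS servers) are easy to get subtly wrong, so here is an added example, not part of Tom Zeller's message or IU's configuration, that models both policies in Python and runs them over constructed sample flows. The VPN server, Exchange and ADS addresses are constructed placeholders from the RFC 5737 documentation ranges, and the flow set is invented; the point is to see which flows each policy admits and to reproduce the "percentage blocked" figure the message quotes.

```python
"""Added example (not from the IU message): a small model of the two filter
policies described above, evaluated over constructed sample flows.

All addresses are constructed placeholders (RFC 5737 documentation ranges),
not IU's real hosts."""
from dataclasses import dataclass

# Constructed placeholders for the hosts the policies refer to.
VPN_SERVERS = {"192.0.2.10", "192.0.2.11"}             # the Cisco 3030s
EXCHANGE_AND_ADS = {"198.51.100.20", "198.51.100.30"}  # Exchange and ADS servers

DNS_PORT = 53
DHCP_PORTS = {67, 68}
PPTP_PORT = 1723     # PPTP control channel (TCP)
RPC_EPMAP_PORT = 135  # RPC endpoint mapper, the Blaster vector


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "gre"
    dport: int = 0  # 0 for protocols without ports (GRE)


def wireless_router_policy(f: Flow) -> str:
    """Router ACL at the edge of the wireless VLAN: only DNS, DHCP, and PPTP
    (tcp/1723 plus GRE) pass, and the PPTP/GRE traffic only towards the VPN
    servers. Everything else is dropped, so a wireless client can do nothing
    useful until it has authenticated and brought up a tunnel."""
    if f.proto in ("tcp", "udp") and f.dport == DNS_PORT:
        return "allow"
    if f.proto == "udp" and f.dport in DHCP_PORTS:
        return "allow"
    if f.dst in VPN_SERVERS and (
        (f.proto == "tcp" and f.dport == PPTP_PORT) or f.proto == "gre"
    ):
        return "allow"
    return "deny"


def vpn_filter_policy(f: Flow) -> str:
    """Filter applied on the 3030 to traffic leaving the tunnel: block port
    135 unless the destination is an Exchange or ADS server, which need it
    for Outlook and domain logon. Everything else is allowed."""
    if (f.proto in ("tcp", "udp") and f.dport == RPC_EPMAP_PORT
            and f.dst not in EXCHANGE_AND_ADS):
        return "deny"
    return "allow"


def blocked_fraction(flows, policy) -> float:
    """Share of flows the policy denies (the 'about 4% blocked' style figure)."""
    denied = sum(1 for f in flows if policy(f) == "deny")
    return denied / len(flows) if flows else 0.0


# Constructed sample flows: a wireless client before it has a tunnel, and a
# tunneled VPN user afterwards.
SAMPLE_WIRELESS = [
    Flow("10.1.2.3", "192.0.2.53", "udp", 53),        # DNS lookup: allowed
    Flow("10.1.2.3", "255.255.255.255", "udp", 67),  # DHCP discover: allowed
    Flow("10.1.2.3", "192.0.2.10", "tcp", 1723),      # PPTP control to VPN server: allowed
    Flow("10.1.2.3", "192.0.2.10", "gre"),            # PPTP data channel: allowed
    Flow("10.1.2.3", "203.0.113.9", "tcp", 1723),     # PPTP to a non-VPN host: dropped
    Flow("10.1.2.3", "203.0.113.5", "tcp", 80),       # direct web access: dropped
]
SAMPLE_TUNNELED = [
    Flow("172.16.0.7", "198.51.100.20", "tcp", 135),  # RPC to Exchange: allowed
    Flow("172.16.0.7", "198.51.100.30", "tcp", 135),  # RPC to ADS: allowed
    Flow("172.16.0.7", "198.51.100.99", "tcp", 135),  # RPC to an arbitrary host: blocked
    Flow("172.16.0.7", "198.51.100.40", "tcp", 443),  # HTTPS: allowed
]

if __name__ == "__main__":
    for f in SAMPLE_WIRELESS:
        print("wireless", f.dst, f.proto, f.dport, wireless_router_policy(f))
    for f in SAMPLE_TUNNELED:
        print("tunnel  ", f.dst, f.proto, f.dport, vpn_filter_policy(f))
    pct = 100 * blocked_fraction(SAMPLE_TUNNELED, vpn_filter_policy)
    print("tunneled flows blocked by the port-135 filter: %.0f%%" % pct)
```

The ordering matters in the wireless policy: the PPTP and GRE rules are conditioned on the destination being a VPN server, so the GRE flow to an arbitrary host is dropped even though GRE is "allowed" in general. Logging the denied flows from such a policy (rather than silently dropping them) is what lets you quote a figure like the 4% in the message and notice when it changes.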



**********
Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at 
http://www.educause.edu/cg/.
