Educause Security Discussion mailing list archives
Re: The VPN question
From: Jeff Kell <jeff-kell () UTC EDU>
Date: Thu, 30 Jun 2011 08:35:57 -0400
On 6/30/2011 8:11 AM, Julian Y Koh wrote:

> On Thu Jun 30 07:01:57 2011 Central Time, "Bradley, Stephen W. Mr."
> <bradlesw () MUOHIO EDU> wrote:
>
>> I have a question about your VPNs. Why so many roles?
>
> Our traditional (aka IPSec, PPTP, L2TP/IPSec) VPN service is our general-purpose remote
> access VPN for anyone at the University. There's no split tunneling on that service, and all users are placed in a large /21 address pool.
>
> 4+ years ago, we rolled out the SSL VPN specifically targeted at sysadmins, external
> vendors/consultants/collaborators, and users of sensitive applications/data so that we could provide customized access rules for those different user groups. This allows us to give out specific IPs for different groups, which makes firewall rules much tighter. We can also do endpoint security compliance for groups that request it.

I'm in the process of redoing our VPN access. The legacy VPN is Cisco client / IPsec, with three basic roles (net admins, sys admins, business users) left over from legacy.

Our new network is VRF-based (we have been dividing things up and moving away from legacy for the past few years, a major ordeal). I've at least prototyped several VPN roles that land the user in specific VRFs first and foremost, and further drop them into a role-based subnet similar to the campus wired scheme.

There is growing demand for more "casual" VPN, and I'm looking at client-less Windows L2TP connections with AD/LDAP authentication. Still looking, mind you :)

We will likely keep the IPsec / client scheme for any "privileged" roles (you must have a client and must have a profile and/or certificate to get in), but hoping the casual fit will work out for more general use.

There is always the AnyConnect and/or SSL VPN option, but those cost real $$ per seat. They do however have some direct support for mobile devices, which are probably another discussion entirely. While it may be possible to reboot a server over VPN from an iPhone, I'm not sure that is a desirable option from a security standpoint :)

Jeff
Current thread:
- The VPN question Jay Graham (Jun 29)
- Re: The VPN question Lovaas,Steven (Jun 29)
- Re: The VPN question Chris Green (Jun 30)
- Re: The VPN question Julian Y Koh (Jun 30)
- Re: The VPN question Bradley, Stephen W. Mr. (Jun 30)
- Re: The VPN question Julian Y Koh (Jun 30)
- Re: The VPN question Bradley, Stephen W. Mr. (Jun 30)
- Re: The VPN question Jeff Kell (Jun 30)
- Re: The VPN question Bradley, Stephen W. Mr. (Jun 30)
- Re: The VPN question Lovaas,Steven (Jun 29)