Educause Security Discussion mailing list archives

Re: VPN Security


From: Rossella Mariotti-Jones <rossella.mariotti.jones () CHEMEKETA EDU>
Date: Fri, 5 Jun 2015 09:45:46 -0700

Hello Kevin,
Here at CCC, VPN access for staff/faculty and vendors has to be approved by
IT first. VPN requests must come in via TAC with a supervisor approval and
an account number to which we charge the $40 one-time fee. We charge this
small fee to discourage colleagues from requesting VPN when they don't have an
absolute business need to connect. The fee is not required for IT staff and
"vendors" (energy management contractors, etc...). We very rarely approve
VPN on users' devices because it becomes a nightmare to make sure they're
clean enough to be dropped on the inside, plus usually most college
executive and IT staff have college provided devices. We also don't have
the infrastructure or the staff in place to verify AV on BYODs. We control
our VPN security tightly, and access depends on the tunnel group a user
lands on, the user IP and the access-lists associated with TG and IP. Users
are assigned to tunnel groups depending on what their needs are and that's
the only way in they have, additional access requires a TAC, for example a
contractor which manages our door lock system has a specific IP address
assigned at login and can access only one server.
I'm not sure what your VPN users population looks like, but we try to keep
it very small, in fact, if I look at the firewall during the day I usually
don't see any more than 8 to 10 users connected, but we have about 50 total
in the system. We haven't had any issues so far, except just sometimes a
vendor might call us because their VPN dropped unexpectedly and they can't
reconnect, so we have to clear them out and it's fixed (we limit some
tunnel groups to only one concurrent connection, and sometimes it sticks).
Just my 2 cents. Hope it helps.

rossella mariotti-jones | network analyst | information technology |
chemeketa community college | p: 503-589-7775 | e: rmariott () chemeketa edu
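As an added illustration of the per-tunnel-group model Rossella describes (a contractor that lands on a fixed address, is limited to one concurrent session, and can reach only a single server), here is a configuration fragment written for this thread rather than taken from either college. It assumes a Cisco ASA, which the post does not name, and all names and addresses in it are constructed placeholders.

```cisco
! Filter ACL for the door-lock contractor. A vpn-filter ACL is written
! with the VPN client as the source; the deny at the end makes
! "only one server" explicit. 10.99.0.5 and 10.20.30.40 are placeholders.
access-list VPN-DOORLOCK-FILTER extended permit ip host 10.99.0.5 host 10.20.30.40
access-list VPN-DOORLOCK-FILTER extended deny ip any any
!
! Group policy: one concurrent login per the post, and the filter above
! decides what the tunnel may reach.
group-policy GP-DOORLOCK internal
group-policy GP-DOORLOCK attributes
 vpn-simultaneous-logins 1
 vpn-filter value VPN-DOORLOCK-FILTER
 vpn-tunnel-protocol ssl-client
!
! The contractor account always gets the same address at login, so the
! filter can name it, and it is locked to its own tunnel group.
username doorlock-vendor attributes
 vpn-framed-ip-address 10.99.0.5 255.255.255.0
 vpn-group-policy GP-DOORLOCK
 group-lock value TG-DOORLOCK
!
tunnel-group TG-DOORLOCK type remote-access
tunnel-group TG-DOORLOCK general-attributes
 default-group-policy GP-DOORLOCK
```

With this in place, `show vpn-sessiondb` during the day will show whether a stuck session is holding the single allowed login, which is the symptom the post mentions clearing by hand.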


On Fri, Jun 5, 2015 at 8:34 AM, Kevin Reedy <KReedy () excelsior edu> wrote:

Hi All,

We are looking into rolling out VPN access in addition to our more standard
Citrix application publication for certain users that have more specialized
needs that can't be easily met by application publishing.

We have many options on how to secure client VPNs, and will be using two
factor authentication.  I'd like to do more, if you are actively using
software VPN for employees with any of the following I'd love to hear how it
is working for you:

   - Only authorized endpoints.  Users would have to make the request and get
     the device registered with IT in order to use it to access VPN.
   - Only institutional devices, similar to above, but only college devices
     would be allowed to connect.  We are not BYOD and don't have the
     infrastructure in place to verify AV etc on other devices.
   - Using firewall rules to limit services - this may be the most work of
     them all, but it allows us to create pretty granular control over who
     can access what.


If you are using none of the above what sort of issues have you
encountered?  Infected devices on the VPN, etc?

Thanks in advance!

-Kevin

Kevin Reedy
Executive Director, Information Security
Excelsior College
(518) 464-8720



