Re: Student's Own VPN on Campus

["McClenon, Brady" <Brady.McClenon () ONEONTA EDU>]

For the second scenario, you missed what is probably the most popular reason our students use VPNs, which is for 
gaming.  They help protect against DDOS attempts by unethical opponents and in some cases reduce latency.

I'm also not sure how you would block usage of outgoing VPN connections.   If I connect to an SSL/TLS VPN on port 443, 
how would it be distinguished from normal HTTPS traffic?


Brady McClenon
Information Technology Security Administrator
Information Technology Services - IT Security
B237 Milne Library
SUNY College at Oneonta
607-436-3203





From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Boyd, 
Daniel
Sent: Wednesday, September 28, 2016 8:16 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Student's Own VPN on Campus

Since I am still fuzzy over the details on this question, I'm going to answer it both ways.

If a student (or students) requires a VPN to access a particular on-campus resource, then consideration should probably 
be given to make this available through the firewall with appropriate restrictions.  If it is a one-off requirement, 
such as a research project where the student needs access to data stored on campus-only servers, then a highly 
restricted VPN account could be issued on an existing VPN server.  Almost all VPN servers allow for some type of 
individual restriction at the user level.

If it is what I suspect, a VPN to go outbound from the campus network, absolutely not (with an exception).  The campus 
firewall provides enough anonymity already, there is no need to allow an outbound VPN connection - these services are 
typically used to circumvent campus security and firewall policy (in our case, to bypass the ban on torrent traffic) or 
to gain access to geo-fenced resources that are not meant to be accessed from particular locales.  Of course, there is 
always an exception, again relating to one-off situations where a student is working or interning at a company that 
requires VPN access for security reasons.  In this case, again, apply all necessary restrictions to make sure the VPN 
is used as intended (firewall schedules, restrictions on source or destination, etc.).

A lot of possibilities, and a lot of room for misuse, but generally, no, not a good idea.

Dan


Daniel H. Boyd (94C)
Senior Network Architect
Network Operations
Information Security Advisory Group Chair
Berry College
Phone: 706-236-1750
Fax:     706-238-5824

There are two rules to follow with your account passwords:
1. NEVER SEND YOUR PASSWORD VIA EMAIL (TO ANYONE)!!!!!
2. If unsure, consult rule #1



From: Fisch, Neal [mailto:Neal.Fisch () CSUCI EDU]
Sent: Monday, September 26, 2016 4:19 PM
Subject: Student's Own VPN on Campus

Good afternoon all,

I've received as request from a student who wishes to utilize their own personal VPN on our campus.  My questions to 
the group are:


1.       Do you see any risks to allowing this, and if so what are they?

2.       Do you see any benefits to allowing this and if so what are they?

Thank you for your time.

Neal

Neal Fisch
Director, Enterprise Services and Security
Information Security Officer
Division of Technology & Communication
California State University Channel Islands
One University Drive, Camarillo CA 93012
Solano Hall - Room 2178

Email:  neal.fisch () csuci edu<mailto:neal.fisch () csuci edu>
Voice:  805-437-3278 | Mobile:  805-443-6529 | Fax:  805-437-3377
[EXT_IS]