Educause Security Discussion mailing list archives

Re: Questions about your VPN


From: Steven Alexander <steven.alexander () KCCD EDU>
Date: Tue, 11 Oct 2016 17:43:57 +0000

We require MFA for VPN access; currently we use Duo.

Most of the district IT staff have access.  We provide access to administrators on request or to faculty/staff on the 
request of their administrator.  Requests are generally granted but we do ask questions and will bring HR into the loop 
as necessary (e.g. to confirm that an hourly employee should be doing work from home).

We don’t require a managed workstation but we set them up with only RDP access to their own workstation over the VPN so 
they can’t directly access our servers and file shares from their home PC; that said, many/most of the users with 
remote access are using a district-issued laptop.  We have started requiring full-disk encryption on laptops but the 
implementation is still in progress.  The RDP configuration is the only one we’ve deployed since I started but we may 
have users on a different profile with direct access to certain applications.

In the future, I would like to ensure that users who are planning to use their own computers have AV and a currently 
supported OS (e.g. no Windows XP).

Regards,

Steven Alexander
Director of IT Security
Kern Community College District
(661) 336-5111

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of David 
Curry
Sent: Tuesday, October 11, 2016 9:04 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Questions about your VPN

Who do you allow on your VPN (fac, staff, students, IT)?

IT staff (except student workers) have "birthright" access.

Faculty and staff have access on a request basis. The requests are always granted, the process exists to (1) enable us 
to make sure that the requesting user has completed security training, (2) allow us to keep track of how many licenses 
we need to maintain, and (3) be able to communicate with the user community when needed.

How many profiles do you have (one for each above, more granular)?

Two. One that does split tunnel (the default) and one that does full tunnel (generally only used for users who need to 
access Google or something else from a country that blocks such access).

Do you require two-factor authentication?

Yes, for all VPN users.

Do you require a managed workstation to access the VPN?

No.

--Dave




--

DAVID A. CURRY, CISSP
DIRECTOR OF INFORMATION SECURITY
INFORMATION TECHNOLOGY

71 FIFTH AVE., 9TH FL., NEW YORK, NY 10003
+1 212 229-5300 x4728 • david.curry () newschool edu

On Tue, Oct 11, 2016 at 10:35 AM, Adam Copeland <copelanda () mail montclair edu> wrote:
Everyone,
Our org is trying to put together a long term plan on how we're going to use our VPN for off-campus access to on-campus 
resources and I was just curious what other schools were doing.

I'm personally of the opinion that our use of a VPN as educational institutions would wind up being very different from 
VPN use in an org like a healthcare provider or financial institution. However, I wanted to gather some information 
about what edus do. Any answers to these questions would be helpful.

Who do you allow on your VPN (fac, staff, students, IT)?
How many profiles do you have (one for each above, more granular)?
Do you require two-factor authentication?
Do you require a managed workstation to access the VPN?

Thanks for your help.

--
Adam Copeland
Security Engineer
Information Security and Identity Management
copelanda () mail montclair edu


