Educause Security Discussion mailing list archives

Re: College Support of VPN on open Wi-Fi

From: Kevin Crider <kcrider () SKIDMORE EDU>
Date: Sat, 7 Oct 2017 13:04:00 +0000

This wasn’t my department that worked through the case(s), but yes I think that was pretty much what we did…plus a 
little hand slap or lecture.

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Frank 
Barton
Sent: Saturday, October 7, 2017 6:45 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] College Support of VPN on open Wi-Fi

Kevin, so did you immediately classify the account as compromised? Lock it out and make the student show up in person 
to get a new password?

I'm curious what you do in those cases

Frank

On Fri, Oct 6, 2017 at 4:26 PM, Kevin Crider <kcrider () skidmore edu<mailto:kcrider () skidmore edu>> wrote:
YES. Funny, we just discussed this yesterday and have this blocked already...mainly I think YouTube was the end point.

We discovered this by seeing in logs users were logged here on campus, and 8 times oversees also...all at once...

The big security issue I think was just the fact that users were sharing passwords!

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of McClenon, Brady
Sent: Friday, October 6, 2017 3:39 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] College Support of VPN on open Wi-Fi

Anyone concerned about legal implications if their institution is providing overseas students a VPN tunnel that could 
be used by the student to circumvent country or regional restrictions on content from providers like Netflix or Hulu?

Brady McClenon
IT Security Administrator
ITS - IT Security
SUNY Oneonta

Information Security is Everyone's Responsibility!  Learn more at 
https://na01.safelinks.protection.outlook.com/?url=http%3A%2F%2Fstaysafeonline.org%2Fncsam%2F&data=01%7C01%7Ckcrider%40SKIDMORE.EDU%7C4659b86f11f64a2fe26f08d50cf1edf2%7Cfdd86edf062048a2a66abe4daf7bf919%7C1&sdata=dhDtJ%2BEwEscJGQDk%2F4EyhVskIf5VJ56HPeuJwZ2hTnk%3D&reserved=0

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () 
LISTSERV EDUCAUSE EDU>] On Behalf Of Johnson, Matthew
Sent: Friday, October 6, 2017 3:05 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] College Support of VPN on open Wi-Fi

A good portion of our VPN access is from students / staff/ and faculty traveling overseas.  We encourage its use when 
people travel or return to their home as it provides an additional level of protection when they
connect back to our internal resources.

To protect these accounts we recently enabled Duo two factor authentication for all VPN connections.  This will ensure 
that the proper account is
connecting through the VPN and only one person is using that account.   If
you are worried about VPN from overseas, enable two factor authentication and tie it to one user account.

Matt

Matthew Johnson, CISSP
Information Security Analyst, Office of Information Security Northeastern University
216 Massachusetts Ave, 302-216 Boston, MA 02115
O:  617-373-6080<tel:617-373-6080> | F: 617-373-6423<tel:617-373-6423>

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>] On Behalf Of Valdis Kletnieks
Sent: Thursday, October 05, 2017 5:57 PM
To: SECURITY () LISTSERV EDUCAUSE EDU<mailto:SECURITY () LISTSERV EDUCAUSE EDU>
Subject: Re: [SECURITY] College Support of VPN on open Wi-Fi

On Wed, 04 Oct 2017 23:44:35 -0000, "Corn, Michael" said:

One thing to consider if you're rethinking your VPN strategy. Include
a check box somewhere that, if checked, permits access to the VPN from
overseas. By default it should not be checked. This will provide some
protection to accounts from abuse since VPNs are frequent targets for
use from overseas (esp. for those targeting your library resources).


Also make plans for how to deal with people that travel to California, or
across the state, and errant Geo-IP suddenly decides they're outside the US.
Make sure that your help desk is able to deal with these glitches *AND* that
the procedure is at least somewhat social engineering proof....

(Yes, I know that last part is a challenge involving tradeoffs ... :)



--
Frank Barton
Security+, ACMT
IT Systems Administrator
Husson University

Current thread:

College Support of VPN on open Wi-Fi James Farr (Oct 04)
- Re: College Support of VPN on open Wi-Fi Corn, Michael (Oct 04)
  - Re: College Support of VPN on open Wi-Fi Valdis Kletnieks (Oct 05)
    - Re: College Support of VPN on open Wi-Fi Johnson, Matthew (Oct 06)
    - Re: College Support of VPN on open Wi-Fi McClenon, Brady (Oct 06)
    - Re: College Support of VPN on open Wi-Fi Kevin Crider (Oct 06)
    - Re: College Support of VPN on open Wi-Fi Frank Barton (Oct 07)
    - Re: College Support of VPN on open Wi-Fi Kevin Crider (Oct 07)