Educause Security Discussion mailing list archives

Re: Foreign Student Dealing with China's Web Filtering of US Websites


From: Ken Munro <Ken.Munro () MSVU CA>
Date: Tue, 25 Aug 2020 13:42:35 +0000

FYI, unapproved VPNs are illegal in China, and the student could get fined 500 yuan
<https://www.rfa.org/english/news/china/vpn-punishments-05212020103537.html>, I think, or worse for using it. For
that reason, we do not recommend students use VPNs to access our services. If they do so on their own, that’s one
thing, but we don’t feel comfortable recommending a student break the law.

I know some institutions with a lot of mainland Chinese students purchase the legal, government-approved Alibaba VPN
service <https://www.reuters.com/article/us-alibaba-cloud-vpn/alibaba-cloud-helps-chinese-students-foreign-schools-scale-great-firewall-idUSKCN24O356>,
but for one student it wouldn’t make financial sense.

Not an easy problem to solve.

Best,

Ken Munro

________________________________________
Ken Munro
Security Compliance and Training Specialist
Information Technology and Services
Mount Saint Vincent University
166 Bedford Highway
Halifax, NS B3M 2J6
(902) 457-6150
ken.munro () msvu ca






From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Tuesday, August 25, 2020 10:32 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Foreign Student Dealing with China's Web Filtering of US Websites


While this isn't something that we have direct experience with... recent reports are that PRC is blocking TLS 1.3
outright, so your VPN might have problems.

For (1), the difference is full-tunnel vs. split-tunnel VPN.

From a technological perspective, I would go with (2), and have a local (to you) hosted VM that they use, but keep it 
isolated from everything else - assume that it will be compromised by PRC.

I would also recommend talking to your OGC about the ramifications of, effectively, helping a Chinese national bypass
the PRC's Great Firewall.

Frank

On Tue, Aug 25, 2020 at 9:23 AM Bruce Heldman <heldmanb () queens edu> wrote:
We have a foreign student who’ll be returning to mainland China since our Fall semester is online only. Prior
experiences he’s had with the Chinese government’s Web filtering suggest he will be blocked from browsing various US
sites required for his course work.

Are there any options that would help us with this situation?

We’ve considered:

1. Granting him VPN access, but I believe non-university wouldn’t be tunneled. It would go through his default
gateway.

2. Assigning him a VDI workstation. He would then connect to this university VDI workstation (with or without
VPN) and browse from that station.

Any suggestions or recommendations are appreciated.



Bruce Heldman
Sr. Director of Technology Infrastructure & Support
Queens University of Charlotte
1900 Selwyn Avenue
Charlotte, NC  28274
Tel:   704-971-5409



**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the 
person who sent the message, copy and paste their email address and forward the email reply. Additional participation 
and subscription information can be found at https://www.educause.edu/community


--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
