Educause Security Discussion mailing list archives
Re: Personal VPN Policy Accessing University Applications
From: Ken Munro <Ken.Munro () MSVU CA>
Date: Tue, 6 Oct 2020 15:04:24 +0000
Hi.

We don’t prohibit the use of commercial VPNs to access our services. With so many overseas/distance students, I don’t think it would be practical to ban them. I think it would be more work to ban them than to monitor their use, in our case. It does make for a lot of false positive investigations, but it hasn’t become overwhelming for us.

We use Azure AD, so I review the impossible travel incidents in the Azure security reports and the Cloud App Security reports. I compare the user agent identifiers between logins from different countries. If the user agents differ, I will look into it. But if they are the same, then I am assuming it’s a legit user using a VPN.

I have started looking up the IP addresses from the Azure reports on Shodan. In one case, Shodan listed a slew of potential vulnerabilities for the server using that IP address. I emailed the student the link to our VPN webpage and advised him to use another one. If he continues to use that server, we might do something about that IP.

We do provide advice on our website <https://www.msvu.ca/campus-life/campus-services/it-services/it-security/cybersafety/vpn-tips> on how to select a (more) reliable/trustworthy VPN service. I am not sure that means we encourage it, but we are steering them towards VPNs that have a better reputation.

Cheers.
Ken Munro

________________________________________
Ken Munro
Security Compliance and Training Specialist
Information Technology and Services
Mount Saint Vincent University
166 Bedford Highway
Halifax, NS B3M 2J6
(902) 457-6150
ken.munro () msvu ca

Confidentiality Notice: This email may be private and confidential. If you have received this e-mail by mistake, please immediately notify the sender by e-mail or telephone, delete it from your system, and do not copy or distribute it.

Phishing Warning: IT&S does not request passwords or other personal information via email. Messages requesting such information are phishing attempts and should be deleted.

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Frank Barton
Sent: Tuesday, October 6, 2020 11:36 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Personal VPN Policy Accessing University Applications

[ Email originated outside of MSVU, use extra caution. ]

I think there's a difference between inbound and outbound VPNs.

Inbound - "Aw heck no!" If I find one, I'm shutting it down!

Outbound, there are a number of reasons why someone might want or need to use a VPN to reach out of the university. We have a number of faculty that also work for one of the local hospitals, and they need to be able to VPN into the hospital to access some of the things there (that they also need for clinicals).

On the student side, it gets a little bit murkier. I can use the same logic for enterprise VPNs, but the commercial VPNs I have a much harder time justifying, as typically those are used for bypassing monitoring, and to enable them to torrent copyrighted materials.

I don't know that there's a "good" answer.

Frank

On Tue, Oct 6, 2020 at 10:26 AM Curt Kappenman <ckappenman () andersonuniversity edu> wrote:

I have been dealing with this same issue for a while now. My problem has been coming up with a policy that doesn’t almost immediately start having exceptions. I look forward to hearing what others have been able to come up with.

Curt Kappenman
Security Compliance Officer / Systems Technician
316 Boulevard, Anderson, SC 29621
Phone: (864) 231-2850
Help Desk: (864) 231-2457
ckappenman () andersonuniversity edu
www.andersonuniversity.edu

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Theodore J. August
Sent: Tuesday, October 6, 2020 10:23 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Personal VPN Policy Accessing University Applications

Hello all,

I was just wondering how other higher-ed institutions handle users who access applications using personal VPN services such as Express VPN, Cyberghost, etc? We’re seeing an overall increase in the use of these services, especially on mobile devices, from students. While we appreciate the heightened awareness of privacy and security that members of our community are displaying by using these services, it’s also causing lots of false positives for intrusions in a number of our detection systems, for obvious reasons.

Right now we handle these on a case-by-case basis, but that’s starting to become overwhelming, and we would love to come up with a blanket policy we can socialize to our end-users. I’m hesitant to ban them outright, but the anonymous nature of these services makes it extremely hard to filter out legitimate use from malicious use.

Thanks in advance for your feedback, and thank you to everyone who participates in this list – it’s enlightening and educational to read all the posts whenever I have the time to check-in and catch up!

Sincerely,
--
Ted August
Assistant Director of Cybersecurity and Compliance
Office of Information Technology
Salve Regina University

**********
Replies to EDUCAUSE Community Group emails are sent to the entire community list. If you want to reply only to the person who sent the message, copy and paste their email address and forward the email reply. Additional participation and subscription information can be found at https://www.educause.edu/community

--
Frank Barton, MBA
Security+, ACMT, MCP
IT Systems Administrator
Husson University
PGP Key Fingerprint: 0249DC644EC78D2F6B5CD2C6C94D3EDB57946437
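
The triage described in the top message of this thread (pair up a user's logins from different countries and compare their user agents), as an added example that is not part of the original thread. The record field names, the four-hour window and the verdict labels are assumptions, not the Azure AD report schema, and the sign-in records are constructed.

```python
from datetime import datetime, timedelta
from itertools import combinations

# Constructed sample sign-ins; field names are assumptions, IPs are documentation ranges.
UA_PHONE = "Mozilla/5.0 (iPhone; CPU iPhone OS 14_0 like Mac OS X) Safari/604.1"
UA_WIN = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/85.0"
UA_SCRIPT = "python-requests/2.24.0"
SIGNINS = [
    {"user": "student1", "time": "2020-10-06T09:00:00", "country": "CA",
     "ip": "198.51.100.10", "user_agent": UA_PHONE},
    {"user": "student1", "time": "2020-10-06T09:30:00", "country": "NL",
     "ip": "203.0.113.25", "user_agent": UA_PHONE},
    {"user": "student2", "time": "2020-10-06T10:00:00", "country": "CA",
     "ip": "198.51.100.44", "user_agent": UA_WIN},
    {"user": "student2", "time": "2020-10-06T11:00:00", "country": "BR",
     "ip": "192.0.2.77", "user_agent": UA_SCRIPT},
    {"user": "student3", "time": "2020-10-04T08:00:00", "country": "CA",
     "ip": "198.51.100.90", "user_agent": UA_WIN},
    {"user": "student3", "time": "2020-10-06T08:00:00", "country": "US",
     "ip": "203.0.113.91", "user_agent": UA_WIN},
]

WINDOW = timedelta(hours=4)  # assumed "impossible travel" threshold


def triage(signins, window=WINDOW):
    """Return (user, country_a, country_b, later_ip, verdict) per suspicious pair."""
    by_user = {}
    for rec in signins:
        by_user.setdefault(rec["user"], []).append(rec)
    findings = []
    for user in sorted(by_user):
        recs = sorted(by_user[user], key=lambda r: r["time"])
        for a, b in combinations(recs, 2):
            gap = datetime.fromisoformat(b["time"]) - datetime.fromisoformat(a["time"])
            if a["country"] == b["country"] or gap > window:
                continue  # same country, or enough time to have travelled
            # Same user agent on both sides: treated as one device behind a VPN.
            same_ua = a["user_agent"] == b["user_agent"]
            verdict = "likely-vpn" if same_ua else "investigate"
            findings.append((user, a["country"], b["country"], b["ip"], verdict))
    return findings


if __name__ == "__main__":
    for finding in triage(SIGNINS):
        print(finding)
```

The `later_ip` field is kept in each finding so the address can be looked up afterwards, as the message describes doing.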
Current thread:
- Personal VPN Policy Accessing University Applications Theodore J. August (Oct 06)
- Re: Personal VPN Policy Accessing University Applications Bandy, John (Oct 06)
- Re: Personal VPN Policy Accessing University Applications Curt Kappenman (Oct 06)
- Re: Personal VPN Policy Accessing University Applications Frank Barton (Oct 06)
- Re: Personal VPN Policy Accessing University Applications Ken Munro (Oct 06)
- Re: Personal VPN Policy Accessing University Applications Dexter Caldwell (Oct 06)
- Re: [EXTERNAL] Re: [SECURITY] Personal VPN Policy Accessing University Applications Theodore J. August (Oct 06)
- Re: Personal VPN Policy Accessing University Applications Frank Barton (Oct 06)