VPN use policy
A page within Information Technology Services
Approved: December 16, 2005
Last Date of Review: March 14, 2014
Purpose:
Establish conditions for use of VPN access to campus resources.
Applicability:
This policy applies to the computers used to access campus resources over a VPN connection and will affect off-campus network users.
Background:
A Virtual Private Network (VPN) connection involves running client software on a remote computer that connects over the internet to a VPN concentrator on campus. This arrangement bypasses the campus border firewall, making the remote computer appear to be a computer on campus. This permits software that works on campus to work remotely. While packets passed over this connection are encrypted, if the remote computer is not secure, the campus is vulnerable to attack.
Policy:
- In order to be added to the group that is allowed to use the VPN connection, the following conditions must be met:
  - The remote computer must have the campus standard antivirus software installed, active, and kept up to date. The campus has a site license for this product, which can be installed over the network and configured so it is kept current.
  - The remote computer must be configured to automatically download and install critical updates as they come out.
  - The remote computer must have a personal firewall enabled. For example, Windows XP has a built-in firewall and it must be enabled.
  - Any computer being used for a VPN connection to the UWL network must be university owned and should have only the software required for University-related work.
Guidelines:
VPN access is intended for ITS staff members who are, at times, required to work with critical systems while off campus. Administrators, faculty, and staff outside ITS who comply with the required security practices may also be included. The CIO has final authority in approving VPN access requests.
VPN software must be installed and configured by ITS.
Consequence of non-compliance:
Allowing VPN connections to the UWL network greatly increases its vulnerability if the remote computers are not secure, because the remote computers are treated as if they are behind UWL’s firewall.
Reference:
UWL Security Study, Network Security section 2, Serial No. 2, Findings Ref. No. B.1
UWL Security Study, Documented Network Operating Procedures for Security section 2, Serial No. 4, Findings Ref. No. C.1