Vendor VPN Groups and LDAP Accounts

Overview

A virtual private network (VPN) is a private communications network used by companies or organizations to communicate confidentially over a public network. VPN traffic travels over a public networking infrastructure (e.g. the Internet) on top of standard protocols or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can send data (e.g. voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.

VPN Groups provide granular user access to secured segments of the campus network for remote users.  There are three types of VPN Groups used on campus: General, Management and Vendor.

General VPN Groups

The General VPN Group allows campus end-users to access campus services from remote locations over a secure connection.  The resources available to the General VPN Group include the campus file and print server, departmental shares and Intranet resources.  All student, faculty and staff accounts can be used to create a VPN connection in this general group.

Best Practice

  • Use the secure VPN tunnel to access campus resources that are unavailable off campus (e.g. file shares on bay).
  • Do not perform system administrative tasks through the General VPN Group.
  • Do not enable split tunneling while connecting to the campus using the VPN.

To get additional information and the campus Cisco VPN client software, click here.

Management VPN Groups

Vendor VPN Groups

There are two types of Vendor VPN Groups: Dedicated and Project.  The Dedicated VPN Vendor Group allows a specific vendor access to a specific server or group of services over a long period.  Project VPN Vendor Groups allow short-term access to a specific server or group of services.  The Information Security Office manages the creation of both types of Vendor VPN Groups.  Departments working with vendors on projects lasting longer than one year where access is required more than three times a year are eligible to request a Dedicated VPN Vendor Group.  The Information Security Office assigns Project VPN Vendor accounts on a per-project basis for the duration of the project.  Departments working with vendors who require a Project VPN account must request one from the Information Security Office.  Requests for Dedicated VPN Vendor Groups must include:

  • Campus Sponsor
  • Identify vendor user(s)
  • Verify vendor has signed confidentiality and acceptable use policies
  • Total anticipated concurrent users
  • Frequency of use
  • Target servers
  • Document the business need

As Vendor VPN Groups allow access to secure segments of the campus network, sharing of VPN account information is a violation of the campus acceptable use policy.

Best Practice

  • Protocols used to perform administrative tasks are restricted by the host firewall to a defined group of trusted IPs.
  • VPN account information is not shared.
  • Do not enable split tunneling while connecting to the campus using the VPN.

Contact the Help Desk at x6000 to request a Management VPN group or if you have questions.

Vendor LDAP Accounts

Vendors will also need a campus LDAP account to authenticate to the campus network.  The Information Security Office manages the creation of these accounts.  Requests for VPN LDAP Accounts must include:

  • Campus Sponsor
  • Identify vendor user(s)
  • Provide vendor contact e-mail
  • Verify vendor has signed confidentiality and acceptable use policies
  • Identify if VPN access will be required on and/or off campus

As Vendor LDAP Accounts allow access to secure segments of the campus network, sharing of account information is a violation of the campus acceptable use policy.

Best Practice

  • Accounts are one-to-one; one account to one user.
  • Strong passwords must be used.
  • The campus sponsor will contact the Information Security Office to disable the vendor account when no longer needed.
  • The system administrator has a procedure for closely monitoring vendor access.

Contact the Help Desk at x6000 to request a Vendor LDAP Account or if you have questions.