Capital College --- Virtual Private Network (VPN) guideline: CL–VPN

Capital College --- Virtual Private Network (VPN) guideline: CL–VPN–01

1.0 Purpose

The purpose of this guideline is to provide guidelines for Remote Access IPSec Virtual Private Network (VPN) connections to the Capital College University network.

2.0 Scope
This guideline applies to all Capital College employees, contractors, consultants, temporary personnel, and other workers including all personnel affiliated with third parties utilizing VPNs to access the Capital College network. This guideline applies to implementations of VPNs that are directed through an IPSec Concentrator. The Capital College has two VPN services: VPN Concentrator provided by Information Technology Services and VPN Server at Penn State Harrisburg provided by IIT.

3.0 guideline
VPNs provide a method of encrypting data traffic when using an external Internet Service Provider (ISP) or wireless access points. Capital College employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs. Further details may be found in the Remote Access guideline and Wireless Communication guideline

Additionally,

a) It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to the Capital College internal networks.

b) VPN use is to be controlled using either a one-time password authentication such as a token device or a public/private key system with a strong passphrase. Further details may be found in the Password guideline.

c) VPN gateways will be set up and managed by the Capital College IIT System Administrators.

d) All computers connected to the Capital College internal networks via VPN or any other technology must use the most up-to-date anti-virus software available.

e) Users of computers that are not Capital College-owned equipment must configure the equipment to comply with the Capital College's VPN and Network policies.

f) Only IIT-recommended VPN clients may be used.

g) By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of the Capital College's network, and as such are subject to the same rules and regulations that apply to the Capital College-owned equipment, i.e., their machines must be configured to comply with College Security Policies.

4.0 Enforcement
Any employee found to have violated this guideline may be subject to disciplinary action by their Administrative unit, the College, or the University.

5.0 Definitions

6.0 Revision History

3/6/2004 - wjb

Last updated: 21 January 2005, ryb2