Best Practices for Using the Campus VPN

Introduction

“If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.” – Khalil Gibran

Access Issues

Access to campus resources from off-campus (for example, someone working at home) presents a number of issues related to maintaining a secure and available campus network environment. For one thing, there are a number of protocols and applications that we strictly block at the campus border routers, due to the strong possibility of major attacks and worm intrusion. These include a number of network management and Microsoft file system applications. It is quite likely that other protocols and applications will be blocked at the border in the future.

Another issue is the many opportunities for hostile eavesdroppers to pick up any sensitive information that you send in the clear between your off-campus location and the on-campus destination.

Detailed Explanation

The mechanism that we strongly recommend to deal with both of these issues is to take advantage of the campus VPN (Virtual Private Network) appliance. The VPN does two things: it gives Onyen-authenticated users a UNC-Chapel Hill IP address for traffic from their off-campus computer to campus, and it sets up a tunnel that encrypts that traffic. The important thing about that tunnel is that it bypasses the protocol and application filters at the border router, so VPN users can utilize network management, remote desktop, and Microsoft file system applications.

VPN

The primary/preferred client for use of the current VPN hardware is the AnyConnect client that gets installed on the off-campus computer. The information that you need to obtain and configure this VPN client to utilize the campus VPN service can be found at http://help.unc.edu/help/vpn-installation-and-clients/. You may also want to check http://help.unc.edu/?s=vpn to find other resources on the VPN.

Key Points

A number of other points to keep in mind concerning the VPN:

1. Use of the VPN allows tighter firewall rules on servers, because administrators can restrict access to campus address space alone.

2. This is especially valuable when using your laptop to access campus resources from off-campus in a coffee shop or other location with a public wireless (i.e., eavesdrop nirvana) network.

3. The VPN utilizes a “split-tunneling” mechanism, so that only your traffic back to the campus is sent within an encrypted tunnel and with a campus IP address; all non-campus-destined traffic follows the normal path through your ISP.

4. The current statistics concerning VPN usage (number of concurrent users, bandwidth utilization) can be found here by clicking on the VPN cloud and then on the link to that cloud. On a device that can support 10,000 concurrent users, we rarely see more than 800 at any time, and rarely have more than 400 Mb/sec over the 10 Gb/sec link.
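Points 1 and 3 interact: because split tunneling sends campus-bound traffic through the tunnel with a campus source address, a server firewall that admits only campus address space lets VPN users in while the same laptop without the VPN is stopped at the border filter or at the server. The following model, added here as an illustration and not part of ITS's documentation or configuration, traces one off-campus flow through those three decisions; the campus prefixes, the VPN-assigned address, the home address and the blocked port numbers are constructed placeholders (RFC 5737 documentation ranges), not UNC's real address space or filter list.

```python
# Added example: how the split tunnel, the border filters and a campus-only
# server firewall interact. Prefixes and ports are constructed placeholders.
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed stand-ins (RFC 5737 ranges) for campus address space; the VPN
# assigns from the second prefix, so tunneled traffic has a campus source.
CAMPUS_PREFIXES = [ip_network("192.0.2.0/24"), ip_network("198.51.100.0/24")]
VPN_ASSIGNED_IP = ip_address("198.51.100.77")   # address the appliance hands out
HOME_IP = ip_address("203.0.113.45")            # the user's ISP-assigned address
# Ports the border routers drop for off-campus sources (the page names Microsoft
# file system and network management applications; the numbers are placeholders).
BORDER_BLOCKED_PORTS = {139, 445, 161, 3389}

@dataclass(frozen=True)
class Flow:
    outcome: str        # direct | blocked-at-border | denied-by-server | allowed
    source: IPv4Address # address the campus side sees
    encrypted: bool     # True only while the flow rides the VPN tunnel

def is_campus(addr: IPv4Address) -> bool:
    return any(addr in net for net in CAMPUS_PREFIXES)

def split_tunnel_route(dst: IPv4Address) -> str:
    """Split tunneling: only campus-destined traffic enters the tunnel."""
    return "tunnel" if is_campus(dst) else "isp"

def deliver(dst: str, port: int, vpn_connected: bool,
            server_campus_only: bool = True) -> Flow:
    """Trace one flow from the off-campus host to dst:port."""
    dst_ip = ip_address(dst)
    if split_tunnel_route(dst_ip) == "isp":
        return Flow("direct", HOME_IP, False)          # normal path via the ISP
    if vpn_connected:
        # The encrypted tunnel terminates on the appliance inside campus, so the
        # flow never passes the border filter and carries a campus source.
        src, crosses_border_filter, encrypted = VPN_ASSIGNED_IP, False, True
    else:
        src, crosses_border_filter, encrypted = HOME_IP, True, False
    if crosses_border_filter and port in BORDER_BLOCKED_PORTS:
        return Flow("blocked-at-border", src, encrypted)
    if server_campus_only and not is_campus(src):
        return Flow("denied-by-server", src, encrypted)  # the tighter rule in point 1
    return Flow("allowed", src, encrypted)
```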

Conclusion

We strongly encourage anyone accessing campus IT services from off-campus to take advantage of the VPN capabilities, both for your protection and for ours. If you have questions about using the VPN, please contact the ITS Response Center at 962-HELP or check the above help.unc.edu resources.

“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful” – Machiavelli

Jim Gogan, Information Technology Services (ITS)