VPN Usage Guideline
The Carnegie Mellon Computing Policy establishes a general policy for the security of network connectivity. The purpose of this guideline is to establish acceptable practices that support the policy as it applies to Virtual Private Networking.
Virtual Private Networking (VPN) services are offered by Carnegie Mellon University Computing Services to provide secure network communication and extend local network access to offsite locations. This guideline was established to ensure that the Carnegie Mellon community has a clear understanding of proper procedure and usage. Computing Services reserves the right to modify this guideline as necessary. Any changes to this guideline will be posted to official.computing-news and will be reflected on this web page.
This guideline applies to all campus affiliates. This includes students, faculty and staff members as well as guest account holders.
Client VPN: Client VPN offers encrypted network communication via certificate-based, locally installed VPN client software. The majority of the following guidelines apply to the Client VPN service.
Site-to-Site VPN: Where offered, site-to-site VPN provides an encrypted tunnel between various Carnegie Mellon campuses. All network traffic between the sites is encrypted. When the site-to-site VPN is down, network traffic may be rerouted over an alternate, unencrypted path. During those times, the client VPN may be used as a back-up to access services that require encrypted network communication. If a service provider on campus wants their services to only be accessible via encrypted traffic from an external campus, they should arrange this by contacting the network group (please note "VPN request" in the subject line of your mail).
The following usage guidelines have been developed for Virtual Private Networking:
- Users can download the VPN client and installation instructions from the Computing Services Software page.
- When connecting to the VPN concentrators, only VPN client software that is approved by and/or distributed by Computing Services will be supported. Some unsupported VPN clients may not work at all with our VPN servers.
- All computers (including personal computers) connected to Carnegie Mellon networks via VPN or any other technology:
  - must have the most recent versions of antivirus software provided by Carnegie Mellon installed.
  - must have current operating systems and application security patches.
- Access to VPN Client connections is controlled by the use of certificates. Users must protect the secrecy of their passwords as well as the security of their certificates.
- Computing Services will make every attempt to keep the VPN services up and running. Computing Services will announce any planned outages in advance.
- Computing Services will maintain a secure-tunnel-only address range to secure application servers. Application stakeholders must evaluate their needs for a secure tunnel and alert Computing Services if their needs require the secure tunnel at all times and/or when the site-to-site VPN service is down.
User Responsibilities and Procedures
VPN users are responsible for the following tasks:
- Follow the published instructions for installing and using the VPN Client located at www.cmu.edu/computing/network/vpn/.
- Follow the instructions for deleting certificates on a timely basis.
- Follow instructions for revoking certificates on a timely basis.
- Select and maintain the secrecy of strong passwords.
- Maintain the physical security of their computers.
- Ensure that their computers are up to date with security patches and anti-virus definitions.
- Set a password on their certificate if they share a machine with another user.
- Additionally, application stakeholders and system administrators must coordinate with Computing Services to ensure that application servers that need uninterrupted network encryption are properly configured.
Last Updated: May 21, 2009
Established: May 16, 2005