Carnegie Mellon University

VPN Usage Guideline

Purpose

Virtual Private Networking (VPN) services are offered by Carnegie Mellon University Computing Services to provide secure network communication and extend local network access to offsite locations. This guideline ensures the Carnegie Mellon community has a clear understanding of proper procedures and usage. Computing Services reserves the right to modify this guideline as necessary.

Applies to

Students, faculty, staff and those with sponsored, guest or courtesy accounts.

Definition/Clarification

  • Client VPN: Client VPN offers encrypted network communication via certificate-based, locally installed VPN client software. The majority of the following guidelines apply to the Client VPN service.
  • Site-to-Site VPN: Where offered, site-to-site VPN provides an encrypted tunnel between various Carnegie Mellon campuses. All network traffic between the sites is encrypted. When the site-to-site VPN is down, network traffic may be rerouted over an alternate, unencrypted path. During those times, the client VPN may be used as a backup to access services that require encrypted network communication. If you are a campus service provider and want your services to be accessible via encrypted traffic from an external campus, contact Computing Services and note "VPN request" in the subject line.

Guideline Statement

  • The VPN client is available for download from the Computing Services Software page.
  • When connecting to the VPN, only VPN client software that is approved by and/or distributed by Computing Services will be supported. Unsupported VPN clients may not work with our VPN servers.
  • All computers (including personal computers) connected to Carnegie Mellon networks via VPN or any other technology:
    • must have the most recent versions of antivirus software provided by Carnegie Mellon installed.
    • must have current operating systems and application security patches.
  • Access to VPN Client connections is controlled by the use of certificates. Users must protect the secrecy of their passwords as well as the security of their certificates.
  • Computing Services will make every attempt to keep the VPN services up and running. Computing Services will announce any planned outages in advance.
  • Computing Services will maintain a secure-tunnel-only address range to secure application servers. Application stakeholders must evaluate their needs for a secure tunnel and alert Computing Services if their needs require the secure tunnel at all times and/or when the site-to-site VPN service is down.

Responsibilities and Procedures

  • Follow the published instructions for installing and using the VPN Client.
  • Follow the instructions for deleting certificates on a timely basis.
  • Follow the instructions for revoking certificates on a timely basis.
  • Select and maintain the secrecy of strong passwords.
  • Maintain the physical security of computers.
  • Ensure that computers are current with security patches and antivirus definitions.
  • Set a password on the certificate on shared computers.
  • Additionally, application stakeholders and system administrators must coordinate with Computing Services to ensure that application servers that need uninterrupted network encryption are properly configured.