Usage of the NU SSL VPN

Audience:

  • All NU faculty
  • All NU staff, both permanent and temporary
  • All contractors, vendors, guests and any others (including third parties) requiring remote access

Purpose:

It is Northwestern University’s intent to initially offer SSL VPN access for those departments/users that need specific access to services where a granular level of user access control and/or application control is necessary. In particular, the SSL VPN is intended to provide authenticated/encrypted access to restricted resources such as the administration of departmental servers, administrative systems and applications, and/or systems that house sensitive information. These resources should not be reachable from the general Internet and need to be clearly identified.

The SSL VPN offers remote access using a web browser over SSL (Secure Sockets Layer) and does not require client-side software (unless full traditional VPN-like access is required, in which case the Network Connect client is required). An additional benefit of the SSL VPN implementation is the ability to grant access to specific resources based on group membership as defined in the master University LDAP directory.

Further benefits include split tunneling of traffic for more efficient use of bandwidth and allocation of specific client IP address pools for specific groups of users that can be combined with the use of firewall rules to provide very granular access controls.
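The access-control chain the two paragraphs above describe (LDAP group membership selects the client IP pool a session is placed in, and firewall rules keyed on that pool decide which hosts and ports the session may reach) is modelled below as an added Python example. It is not Northwestern's configuration or code; the users, group names, pools, hosts and ports are constructed sample data, and the default-deny firewall evaluation and pool-exhaustion handling are the assumptions the example makes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterator, List, Optional, Set

# Constructed sample directory: user -> LDAP group memberships.
LDAP_GROUPS: Dict[str, Set[str]] = {
    "alice": {"dept-sysadmins"},
    "bob": {"vendor-erp"},
    "carol": set(),  # holds no SSL VPN group and must be refused a client address
}

# Constructed mapping from a controlling LDAP group to its dedicated client pool.
GROUP_POOLS: Dict[str, ipaddress.IPv4Network] = {
    "dept-sysadmins": ipaddress.ip_network("10.200.1.0/24"),
    "vendor-erp": ipaddress.ip_network("10.200.2.0/24"),
}


@dataclass(frozen=True)
class Rule:
    """A firewall permit keyed on the client pool, not on the individual user."""
    src_pool: ipaddress.IPv4Network
    dst_host: ipaddress.IPv4Address
    ports: FrozenSet[int]


# Constructed rule set. Anything not listed here is denied.
FIREWALL_RULES: List[Rule] = [
    Rule(GROUP_POOLS["dept-sysadmins"], ipaddress.ip_address("10.10.0.5"), frozenset({22, 443})),
    Rule(GROUP_POOLS["vendor-erp"], ipaddress.ip_address("10.10.0.9"), frozenset({8443})),
]


def assign_pool(user: str) -> Optional[ipaddress.IPv4Network]:
    """Pick the client pool for a user from their group membership.
    Returns None when no group grants SSL VPN access. If a user sits in several
    granting groups the alphabetically first group wins so the result is
    deterministic; a real deployment would resolve that in the directory."""
    granting = sorted(g for g in LDAP_GROUPS.get(user, set()) if g in GROUP_POOLS)
    return GROUP_POOLS[granting[0]] if granting else None


class PoolAllocator:
    """Hands out client addresses from one pool and reports exhaustion instead
    of silently reusing an address that the firewall rules still trust."""

    def __init__(self, pool: ipaddress.IPv4Network) -> None:
        self._hosts: Iterator[ipaddress.IPv4Address] = pool.hosts()

    def allocate(self) -> ipaddress.IPv4Address:
        try:
            return next(self._hosts)
        except StopIteration:
            raise RuntimeError("client pool exhausted") from None


ALLOCATORS = {pool: PoolAllocator(pool) for pool in GROUP_POOLS.values()}


def connect(user: str) -> Optional[ipaddress.IPv4Address]:
    """Simulate session setup: a user with a granting group receives an
    address from that group's pool; everyone else gets no session at all."""
    pool = assign_pool(user)
    return ALLOCATORS[pool].allocate() if pool is not None else None


def is_allowed(client_ip: ipaddress.IPv4Address, dst_host: str, port: int) -> bool:
    """Default-deny evaluation of the pool-keyed firewall rules."""
    dst = ipaddress.ip_address(dst_host)
    return any(
        client_ip in rule.src_pool and dst == rule.dst_host and port in rule.ports
        for rule in FIREWALL_RULES
    )


if __name__ == "__main__":
    for user, host, port in [("alice", "10.10.0.5", 22), ("alice", "10.10.0.9", 8443),
                             ("bob", "10.10.0.9", 8443), ("carol", "10.10.0.5", 22)]:
        ip = connect(user)
        verdict = ip is not None and is_allowed(ip, host, port)
        print(f"{user:6} -> {host}:{port:<5} client={ip}  allowed={verdict}")
```

The point the model makes is that the firewall never sees a username: it sees a source address, and the only way to hold an address in a pool is to be a member of the group that owns that pool. Removing a user from the LDAP group (Standard 2 below) therefore cuts off every resource the pool could reach without touching any firewall rule.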

Policy Statement:

The SSL VPN shall be used as the only alternate means of remote access (other than the approved traditional VPN) for specific departments/users that require granular user and/or application access controls that are controlled through LDAP directory group membership.

The SSL VPN should be viewed as a separate, and at most complementary, service to the benefits provided by the web SSO (Single Sign-On) service. The SSL VPN is not a replacement for the SSO service.

Scope

The SSL VPN service is offered to those departments and users that require specific access controls or clientless access not offered by the traditional NU VPN service. Departments should consult with NUIT (at consultant@northwestern.edu) to determine if the SSL VPN is appropriate for their application(s).

Examples of where an SSL VPN would be preferred and/or required are as follows:

Recommended uses for the SSL VPN over the traditional VPN

  • For traveling users who may experience VPN connection issues due to traffic filtering, NAT, or other remote network issues
  • For backup purposes for NU administrators who typically use traditional VPN connections
  • For potentially high-bandwidth applications that do not need to traverse a VPN tunnel to reduce bandwidth consumption through the implementation of split tunneling
  • For potentially sensitive data browsing via the Web Proxy feature of the SSL VPN (for supported clients, the SSL VPN can sandbox the client session and/or clean up cache and temporary files after the VPN connection is terminated)
  • For any high-risk users/computers that may be suspected of having malware (as the malware cannot browse to the mounted server volume/share via the VPN connection) via the Web Proxy feature of the SSL VPN

Inappropriate uses for the SSL VPN

  • Applications that connect to a large number of dynamic destination addresses that cannot be easily defined
  • Applications that are in use by a large number of users who cannot be easily grouped/defined within the directory
  • Applications that have no access restrictions

NOTE: Required uses for the SSL VPN follow in Section 9, “Standards”

Definitions

  • The SSL VPN shall be used as the only alternate means of remote access (other than the approved traditional VPN) for specific departments/users that require granular user and/or application access controls that are controlled through LDAP directory group membership.
  • The SSL VPN should be viewed as a separate, and at most complementary, service to the benefits provided by the web SSO (Single Sign-On) service. The SSL VPN is not a replacement for the SSO service.

Standards

  1. Custom LDAP attributes will be reviewed and created for groups of users as needed, upon review by NUIT, based on the needs of the end users requesting SSL VPN remote access. One or more local administrators from the group will be designated as “controlling” members of the group and will be responsible for managing group membership.
  2. NUIT reserves the right to remove users from the LDAP directory groups that control access to SSL VPN. Users who have been removed and later determine they need access may request they be given access again.
  3. There are three levels of connectivity: clientless web proxy, port forwarding and full tunnel client (which requires admin access and IP address allocation). These levels allow for varying levels of security (e.g., sandboxing, access control, etc.) and will be implemented by NUIT on a case-by-case basis when access via the SSL VPN is configured.
  4. Required uses for the SSL VPN over the traditional VPN
    • For vendors that need VPN access to NU resources
    • For applications that require specific access to a particular host (or set of hosts) and/or specific ports on those hosts
    • For special users for which custom LDAP attributes and permissions have been created and which require enforcement
    • For cases where granular time/data/source IP access control is required
    • For cases where significant high-bandwidth applications that do not need to traverse a VPN connection are in use

Procedures

Individual business units are responsible for the development, documentation and implementation of applicable procedures to effectuate this policy. Procedures are subject to review by NUIT.

Guidelines

Note that all network activity while connected to the traditional or SSL VPN is subject to the University’s normal acceptable use policies.

Compliance

All parties as delineated under Audience are required to comply with this policy.

Individuals who discover or strongly suspect the violation of this policy must promptly notify their management and any of the following:

Request Process

Any request for SSL VPN access should be submitted to NUIT at consultant@northwestern.edu using the form described in SSL VPN Access Request - Appendix A. NUIT will coordinate requests for access and contact the requestor, data steward and other authorities as deemed appropriate for consideration and discussion of the access request. Request forms must be completed fully; incomplete forms will be returned without processing. Requestors will be provided with a decision within ten (10) working days from receipt of the completed request.

Satisfies ISO 27002 11.7.2

Last Review Date:

December 2013

Original Issue Date:

June 2007

Revision Dates:

September 2011
August 2011
December 2009
March 2009

Related Policies: