Longwood University     Chief Information, Technology, and Facilities Officer:     Information and Instructional Technology Services   201 High Street, Coyner 107, Farmville, VA  23909    Phone: 434.395.2034         Fax: 434.395.2035

 Policy 6123
VIRTUAL PRIVATE NETWORK (VPN) POLICY

I.     PURPOSE

The purpose of this policy is to provide guidelines for remote access Virtual Private Network (VPN) connections to Longwood University networks.

II.    DEFINITION

IPSec Concentrator:   A device in which VPN connections are terminated.

User Authentication:   A method by which the user of a wireless system can be verified as a legitimate user independent of the computer or operating system being used.

III.   POLICY

This policy applies to all Longwood authorized individuals including all personnel affiliated with third parties utilizing Longwood’s VPNs to access the Longwood network.  This policy applies to implementations of VPN that are directed through an IPSec Concentrator.  Authorized users are also responsible for selecting their own Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees for the services rendered by the selected ISP in order to connect to the Internet and benefit from the VPN.

A.  Additionally:

1.  It is the responsibility of those authorized users with VPN privileges to ensure that unauthorized users are not allowed access to Longwood University networks.

2.  VPN use is to be controlled using:

a.  Either a one-time password authentication such as a token device or a public/private key system with a strong passphrase and

b.  Strong user authentication which checks against an external database such as TACACS+, RADIUS, LDAP, or something similar and is maintained by IITS.

3.  When actively connected to the Longwood network, VPNs will force all traffic to and from the client over the VPN tunnel: all other traffic will be dropped.  Except in the case of split tunneling (see #4).

4.  Split tunneling is NOT permitted; only one network connection is allowed unless granted by an exclusive waiver, in writing, by the Information Security Office.

5.  VPN gateways will be configured and managed by the Information Security Office in cooperation with the CTS group.

6.  All computers, whether owned by Longwood or not, connected to Longwood networks via VPN must:

a.  Use the most up-to-date anti-virus software that is the campus standard
(www.longwood.edu/helpdesk/software_library/library.htm).

b.  Use either enterprise or personal firewall technology.

c.  Have the latest security-related software patches/fixes installed.

7.  Pings or other artificial network processes are not to be used to bypass inactivity time limits in order to keep VPN connections open.

8.  Only VPN clients approved by the Information Security Office can be used.

a.  Users should be aware that these clients may use encryption technologies protected by U.S. Government export restrictions.  Further details may be found in the Acceptable Encryption Policy.

9.  By using VPN technology with equipment not Longwood-owned, users must understand that their machines are a de facto extension of Longwood University's network, and as such are subject to the same policies and procedures that apply to Longwood University-owned equipment,  i.e., their machines must be configured and used in compliance with all IITS computer related policies. Such policies include, but are not limited to, the Acceptable Use of Information Technology Resources and Systems Policy.

B.  Violations:  The University regards any violation of this policy as a serious offense. Violators of this policy are subject to disciplinary action as prescribed in the Longwood University Honor Code, the Student Handbook and the Administrative Policies and Procedures Manual, in addition to possible cancellation of information technology resources and systems access privileges.  Users of information technology systems and resources at Longwood are subject to all applicable local, state and federal statutes. It should be understood that this policy does not preclude prosecution of criminal and civil cases under relevant local, state, federal, and international laws and regulations.

Approved by the Board of Visitors, March 20, 2004.

Revised and approved by the Board of Visitors, September 15, 2006.

Back to the Table of Contents                                                                               Next Policy