MUSC VPN Policy and Procedures

Purpose and Scope

These policies and procedures apply to the use of MUSC's Virtual Private Network (VPN) service, which is one mechanism MUSC provides for authorized users to access University computing and network resources from remote locations. All other policies covering the use of University computing services by authorized users (e.g. the MUSC Computer Use Policy) are still in effect when resources are accessed from remote locations, as are all regulations (e.g. HIPAA and FERPA) which protect the confidentiality and integrity of information entrusted to the University's stewardship.

The University recognizes the need to provide secure remote access to its computing services to its students, faculty, and staff.

The University also recognizes the need to provide secure remote access to its computing services to some vendors and other business partners with which it has established specific contractual relationships. Normally these partners need access only to specific system(s) at MUSC, as required by the contractual relationship.

In all cases, a remote linkage to MUSC through MUSC's VPN service is considered an extension of the MUSC network, and is subject to all security and appropriate use policies established by MUSC.

Policy

MUSC will provide a Virtual Private Network (VPN) service as one mechanism for authorized users to access University computing and network resources from remote locations. All VPN users will authenticate to the VPN server using their MUSC Network Account (MNA) id and password. Any MUSC faculty, students, and staff may request VPN access; no additional authorization will be required. External vendors may request VPN access to enable remote support of internal MUSC systems; their access must be authorized by the administrator(s) of the internal system(s) involved.

All users of MUSC's VPN service will be required to install and securely maintain an Internet firewall and virus protection software, and to follow other sound practices to keep their VPN client system(s) secure against unauthorized access. MUSC reserves the right to audit all VPN client systems, and all communications between VPN client systems and MUSC's network, for compliance with all applicable MUSC security requirements.

Procedures

VPN User Classes

When remote access to University resources is provided through the VPN service, users will be assigned to distinct classes for the purpose of reducing risk. A user's class determines his or her level of access to University computing resources. The VPN service will support two classes or types of users. Class A refers to those members of the MUSC community who are authorized to access resources throughout the internal network. Class B refers to external IT vendor support staff, who are authorized to access only those specific systems which they support on the MUSC internal network.

User Authentication

Both Class A and Class B users will authenticate to the VPN server using their MUSC Network Account (MNA) user ID and password. Class B users will need sponsored MNA accounts. When MUSC develops the necessary PKI infrastructure, users will be required to use two-factor authentication (i.e. both a valid MNA user ID and password, and a valid X.509 certificate issued specifically for VPN authentication will be required).

Authorized Users

Any MUSC student, faculty or staff may request Class A VPN access. For non-sponsored MNA account holders, no additional authorization or justification is needed, but the requester must agree to all security requirements applying to Class A users (see below). All Class A users will be assigned to an access control group which grants unrestricted visibility to all resources on the internal network. Each Class B user will be assigned to an access control group, which grants visibility only to the specific system(s) he has been authorized to access.

While a sponsored MNA account holder may request a Class B account in order to access a specific target system on MUSC's internal network, the administrator of the target system must first authorize access through the VPN for the specific Class B account holder before the requested access will be granted.

Security Requirements for Users

Class A users are required to install and securely maintain an Internet firewall to protect the client system(s) they use to access the VPN Server. Users are also required to maintain current virus protection software, and to follow other sound practices to keep their VPN client system(s) secure against unauthorized access. In addition, the VPN client software will be distributed with split tunneling disabled, and users are prohibited from circumventing this security feature.

Class B users are subject to the same client security requirements as Class A users, and are generally subject to additional security requirements, as described in any applicable policies (e.g. Partner Connection Policy, Chain of Trust Agreements, etc.).

MUSC reserves the right to audit all VPN client systems, and all communications between VPN client systems and MUSC's network, for compliance with all applicable MUSC security requirements.

VPN Access Request

The on-line request process for VPN Access, for both Class A and Class B users, can be found on the CCIT website here.

VPN Authorization Request

Any MUSC system administrator who needs to request authorized access to one or more specific servers on the internal network, by one or more specific Class B user accounts, should send a request to security@musc.edu.

MUSC Network Accounts

Procedures for obtaining an MUSC Network Account (MNA) are documented on the CCIT web site here.

Anti-Virus Software

MUSC maintains a site license for anti-virus software. The terms of this license permit use by all MUSC students, faculty and staff, on both University-owned and personally-owned systems. Software is available for both Windows and MacOS operating systems on the CCIT web site here.

Firewall

Acquisition, installation and maintenance of a suitable firewall (hardware or software) to protect the remote (VPN client) system is the responsibility of the VPN user. At its sole discretion, MUSC may elect to provide a software firewall with the VPN client software. If such MUSC-provided firewall software does not prove satisfactory to the VPN user, the user must implement some other suitable firewall (hardware or software) prior to disabling or removing the MUSC-provided firewall software.



$Id: vpn-policy.html,v 1.6 2004/08/24 18:53:34 gadsden Exp gadsden $