The importance of an effective VPN security policy

Is split tunneling required?

Creating VPN Policies
Anyone found to have violated this Policy may have their network access privileges temporarily or permanently revoked. It is the responsibility of the employee with VPN privilege to ensure that unauthorized users are not allowed access to the NC State network. ITS reserves the right to configure the VPN concentrator to limit connection times to normal business hours or as determined by demonstrated need.


VPN Acceptable Use Policy

If you have a group of individual users with PCs or laptops and a software VPN client, you may not have as much control as you would like. On the other hand, if you have a group of computers connected through a hardware VPN device, you have a great deal of security control over what those users can do through that device.

Of course, some devices have more features and security than others. Split tunneling, where the remote machine sends corporate traffic through the tunnel while its other traffic goes directly to the Internet, is very insecure and not recommended: the remote machine becomes a bridge between the untrusted network it sits on and your internal network. So, if you are in control of how this will work, you should find a way to disable split tunneling if it is at all possible. It would be ideal to use a dedicated VPN hardware device on each side of the VPN tunnel, but this is not always financially possible or convenient for a roaming laptop user. Along the same lines, will you have a dedicated VPN server?
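As an added example that is not part of the original article, the following Python checker reads a WireGuard client configuration and reports whether its AllowedIPs force all traffic through the tunnel or leave a split tunnel. WireGuard as the client, the sample configurations, the endpoint name, the addresses and the key placeholders are assumptions made for illustration (the page names no VPN product). It goes slightly beyond the text in one respect: an IPv4-only full tunnel is reported as split as well, because IPv6 traffic would still bypass the tunnel on a dual-stack network.

```python
# Added example (not from the original article): detect split tunneling in a
# WireGuard client configuration. The config texts, endpoint name, addresses and
# key placeholders below are constructed for illustration; the page names no VPN product.
import ipaddress
import re

# Constructed sample: only two internal ranges go through the tunnel, so web
# browsing and everything else leaves the laptop directly. This is the split-tunnel case.
SPLIT_TUNNEL_CONFIG = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.200.0.2/32, fd00:200::2/128
DNS = 10.0.0.53

[Peer]
PublicKey = <gateway-public-key-placeholder>
Endpoint = vpn.example.org:51820
AllowedIPs = 10.0.0.0/8, 192.168.100.0/24
PersistentKeepalive = 25
"""

# Constructed sample: everything is forced into the tunnel. The two /1 halves are
# the common way to override the default route without replacing it; a checker that
# only looks for the literal "0.0.0.0/0" would wrongly report this as split tunneling.
FULL_TUNNEL_CONFIG = SPLIT_TUNNEL_CONFIG.replace(
    "AllowedIPs = 10.0.0.0/8, 192.168.100.0/24",
    "AllowedIPs = 0.0.0.0/1, 128.0.0.0/1, ::/0")

def parse_allowed_ips(config_text):
    """Collect every network from AllowedIPs lines (all [Peer] sections)."""
    nets = []
    for line in config_text.splitlines():
        m = re.match(r"\s*AllowedIPs\s*=\s*(.+)", line, re.IGNORECASE)
        if m:
            nets += [ipaddress.ip_network(x.strip(), strict=False)
                     for x in m.group(1).split(",") if x.strip()]
    return nets

def covers_all(nets, version):
    """True if the networks of one IP version merge into the whole address space."""
    same = [n for n in nets if n.version == version]
    if not same:
        return False
    merged = list(ipaddress.collapse_addresses(same))   # merges adjacent blocks, e.g. the two /1 halves
    return len(merged) == 1 and merged[0].prefixlen == 0

def tunnel_report(config_text):
    """Classify a config. A full IPv4 tunnel that ignores IPv6 still leaks IPv6
    traffic on dual-stack networks, so it is reported as split too."""
    nets = parse_allowed_ips(config_text)
    v4, v6 = covers_all(nets, 4), covers_all(nets, 6)
    return {"ipv4_full_tunnel": v4, "ipv6_full_tunnel": v6,
            "split_tunnel": not (v4 and v6),
            "allowed_ips": [str(n) for n in nets]}

if __name__ == "__main__":
    for name, cfg in (("split", SPLIT_TUNNEL_CONFIG), ("full", FULL_TUNNEL_CONFIG)):
        print(name, tunnel_report(cfg))
```

The same check on a gateway-managed client is simpler: push the full-tunnel AllowedIPs (or, for OpenVPN, push `redirect-gateway def1`) from the server side so the user cannot edit it away, and audit the client configs with a checker like this one before granting them access.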

It is always recommended to use separate devices for VPN connectivity and for the firewall. You want your remote users who connect to your central network to have the same security measures in place as the regular users in your office, such as up-to-date antivirus software and current system patches. Preferably, users' systems that do not meet these software security requirements will be granted access to the VPN but sent to a VPN quarantine network where all they can do is receive updates for their system.

This feature is called quarantining. Authentication, authorization and accounting (AAA) for the VPN are usually handled by a RADIUS server: a service that the VPN concentrator queries and that has access to all user accounts in the domain, typically because it runs on or queries a Windows domain controller.

Authentication establishes who the user is: if the user's username and password are correct AND that user has "dial-in" access granted, they will be allowed access to the VPN. Authorization is granting certain users or groups of users access to certain "things".

Those "things" could be networks, protocols, TCP port numbers, or servers. It could also involve only allowing access from certain machines and during certain time periods. Accounting is the logging of, in this case, what the VPN user accesses, when they access it, and when they log off. A username and password alone are a single factor: there is no guarantee that the person presenting them is really who they say they are. With two-factor authentication, the user is additionally assigned something that is unique to them, typically a hardware token or one-time-code generator, which must be presented along with the password.
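To make the authentication, authorization and accounting steps above concrete, here is an added example in Python that is not from the original article. It builds the RADIUS Access-Request a VPN concentrator would send, evaluates it the way a RADIUS server would (password check, the "dial-in" flag, and a TOTP code as the second factor), returns a Filter-Id attribute as the authorization decision, verifies the reply's Response Authenticator on the concentrator side, and builds an Accounting-Request. The shared secret, the user table, the ACL names and the convention of appending the six-digit OTP to the password are assumptions; the wire format follows RFC 2865, RFC 2866 and RFC 6238, and the TOTP seed is the RFC test-vector seed, so the code for Unix time 59 is 287082.

```python
# Added example (not from the original article): a RADIUS exchange between a VPN
# concentrator (NAS) and a RADIUS server covering authentication (password plus TOTP),
# authorization (Filter-Id) and accounting. Secret, users, ACL names and the
# "password followed by 6-digit OTP" convention are constructed; format per RFC 2865/2866/6238.
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT, ACCOUNTING_REQUEST = 1, 2, 3, 4
USER_NAME, USER_PASSWORD, FILTER_ID, REPLY_MESSAGE = 1, 2, 11, 18
ACCT_STATUS_TYPE, ACCT_SESSION_ID, ACCT_START, ACCT_STOP = 40, 44, 1, 2
SHARED_SECRET = b"nas-gateway-secret"                     # constructed per-NAS secret
TOTP_SEED = b"12345678901234567890"                       # RFC 6238 test-vector seed
USERS = {                                                 # constructed directory entries
    b"alice": {"password": b"correct horse", "totp_secret": TOTP_SEED, "dial_in": True, "group": "engineering"},
    b"bob": {"password": b"hunter2", "totp_secret": TOTP_SEED, "dial_in": False, "group": "finance"},
}
GROUP_FILTER_ID = {"engineering": b"vpn-eng-acl", "finance": b"vpn-fin-acl"}

def md5(*parts):
    return hashlib.md5(b"".join(parts)).digest()

def password_xor(data, secret, req_auth, hide):
    """RFC 2865 5.2 User-Password hiding: XOR 16-byte blocks with MD5(secret + previous
    ciphertext block). hide=True pads and hides; hide=False reveals and strips padding."""
    if hide:
        data = data + b"\x00" * (-len(data) % 16) or b"\x00" * 16
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(x ^ y for x, y in zip(data[i:i + 16], md5(secret, prev)))
        out, prev = out + block, (block if hide else data[i:i + 16])
    return out if hide else out.rstrip(b"\x00")

def encode_attrs(attrs):
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data): raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_packet(code, ident, authenticator, attrs):
    body = encode_attrs(attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + authenticator + body

def parse_packet(pkt):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    if length < 20 or length != len(pkt): raise ValueError("bad length")
    return code, ident, pkt[4:20], pkt[20:]

def response_authenticator(code, ident, body, req_auth, secret):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 section 3."""
    return md5(struct.pack("!BBH", code, ident, 20 + len(body)), req_auth, body, secret)

def totp(seed, unix_time, step=30, digits=6):
    """RFC 6238 TOTP over HMAC-SHA1 with RFC 4226 dynamic truncation, as bytes."""
    mac = hmac.new(seed, struct.pack("!Q", unix_time // step), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    code = (struct.unpack("!I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}".encode()

def build_access_request(username, password_and_otp, ident, secret=SHARED_SECRET):
    """NAS side: fresh random Request Authenticator, hidden User-Password."""
    req_auth = os.urandom(16)
    attrs = [(USER_NAME, username), (USER_PASSWORD, password_xor(password_and_otp, secret, req_auth, True))]
    return build_packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth

def verify_response(pkt, req_auth, secret=SHARED_SECRET):
    """NAS side: discard replies whose Response Authenticator does not match (forged/wrong secret)."""
    code, ident, auth, body = parse_packet(pkt)
    if not hmac.compare_digest(auth, response_authenticator(code, ident, body, req_auth, secret)):
        raise ValueError("bad Response Authenticator")
    return code, dict(decode_attrs(body))

def build_accounting_request(username, session_id, ident, status=ACCT_START, secret=SHARED_SECRET):
    """NAS side, RFC 2866: authenticator is MD5 over the packet with a zeroed field, then secret."""
    attrs = [(USER_NAME, username), (ACCT_STATUS_TYPE, struct.pack("!I", status)), (ACCT_SESSION_ID, session_id)]
    body = encode_attrs(attrs)
    auth = md5(struct.pack("!BBH", ACCOUNTING_REQUEST, ident, 20 + len(body)), b"\x00" * 16, body, secret)
    return build_packet(ACCOUNTING_REQUEST, ident, auth, attrs)

def handle_access_request(pkt, now, secret=SHARED_SECRET):
    """Server side: authenticate (password + TOTP + dial-in flag), then authorize via Filter-Id."""
    code, ident, req_auth, body = parse_packet(pkt)
    if code != ACCESS_REQUEST: raise ValueError("not an Access-Request")
    attrs = dict(decode_attrs(body))
    user = USERS.get(attrs.get(USER_NAME))
    presented = password_xor(attrs.get(USER_PASSWORD, b""), secret, req_auth, False)
    password, otp = presented[:-6], presented[-6:]        # trailing 6 bytes carry the TOTP code
    ok = (user is not None and user["dial_in"]
          and hmac.compare_digest(password, user["password"])
          and hmac.compare_digest(otp, totp(user["totp_secret"], now)))
    if ok:   # authorization: name the ACL the NAS must apply to this user's group
        code, reply = ACCESS_ACCEPT, [(FILTER_ID, GROUP_FILTER_ID[user["group"]])]
    else:
        code, reply = ACCESS_REJECT, [(REPLY_MESSAGE, b"authentication failed")]
    auth = response_authenticator(code, ident, encode_attrs(reply), req_auth, secret)
    return build_packet(code, ident, auth, reply)
```

The flow is build_access_request on the concentrator, handle_access_request on the server, then verify_response back on the concentrator; an Access-Reject whose code byte is flipped to Access-Accept on the wire fails the Response Authenticator check, which is the whole point of keeping that check. The User-Password hiding is MD5-based obfuscation keyed by the shared secret, not real encryption, so the path between concentrator and RADIUS server should itself be a protected network or RADIUS over TLS (RadSec).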

Use of the VPN is subject to [ variable: Covered Organization ] Acceptable Use policies for Internet use, e-mail, and any other traffic over the protected connection. VPN users must ensure that any computer through which they access the VPN (including personal computers, if applicable) is provisioned with and running antivirus software. Antivirus software should be consistent with the corporate standard and reflect the latest available updates.

Any user who accesses the [ variable: Covered Organization ] internal network through the VPN from a personal computer or any other computer that is not owned by [ variable: Covered Organization ] must ensure that the external device is configured in compliance with [ variable: Covered Organization ] VPN and network access policies.

Access and authentication

The VPN is a secure system.

VPN access must be controlled through a user authentication mechanism. Users may not share their VPN login credentials and must take all reasonable efforts to avert accidental disclosure of login credentials. Managers may not assign or encourage the use of group login credentials through which more than one individual may access the systems under a single user identity. Users may not employ artificial processes to keep a VPN connection open during idle periods longer than [ variable: Time frame ]. Only approved clients may be used for VPN access to internal networks.

Unapproved and user-created VPN connections will not be permitted on the internal network. [ variable: Covered Organization ][ variable: Operational group responsible for VPN configuration and management ].

The VPN must be configured to automatically disconnect after [ variable: Time frame ].

In a star VPN community, this deployment lets the satellite Security Gateways connect to the internal network of the central Security Gateway.

The procedure names the internal network object, opens the General page of the Star Community Properties window, and then opens the Add this Gateway to Community window to add each gateway. The Accept All Encrypted Traffic feature adds an automatic rule that allows all encrypted packets sent between hosts or clients in the specified VPN community. Note - this automatic rule can apply to more than one VPN community. In the rule display the Action, Track and Time columns are not shown. The first rule is the automatic rule for the Accept All Encrypted Traffic feature.

Traffic to the Security Gateways themselves is dropped. This rule is installed on all Security Gateways in these communities. These are the only protocols that are allowed:

This section explains how to use a VPN tunnel to connect a client-based remote computer to an internal network. For more about using Mobile Access to connect remote devices to internal resources, see Remote Access to the Network.

Remote clients that keep the IP address of the network they are visiting run into routing problems on the internal network. Office Mode solves these routing problems by assigning the client an available IP address from the internal network and encapsulating its IP packets with that address. Remote users can then send traffic as if they were in the office and do not have VPN routing problems.

Visitor Mode lets remote users whose location only permits outbound TCP connections tunnel all protocols through a regular TCP connection on port


Virtual Private Network (VPN) Policy

Free Use Disclaimer: This policy was created by or for the SANS Institute for the Internet community. All or parts of this policy can be freely used for your organization. There is no prior approval required.

This policy regulates the use of all VPN services to the NCSU network, and users must comply with the Computer Use Regulation. To maintain security, VPN services will be terminated immediately if any suspicious activity is found.

Any machine, personal or otherwise externally owned or operated, that connects to the [ variable: Covered Organization ] network through the VPN is considered a de facto extension of that network and is subject to the same standards and rules that cover company-owned equipment.