InfoSec Virtual Private Network (VPN) Policy by jizhen1947


Secure Sockets Layer Virtual Private Network (SSL VPN) Usage and Policy
1.0 Purpose
The purpose of this policy is to provide guidelines for Secure Sockets Layer Virtual Private
Network (SSL VPN) connections to the CCSF network. ANY USER WHO DOES NOT AGREE

2.0 Scope
This policy applies to all CCSF employees, contractors, consultants, temporaries, and other
workers including all personnel affiliated with 3rd party utilizing SSL VPNs to access the CCSF.
This policy applies to implementations of VPN that are directed through an SSL VPN gateway.

3.0 Policy
Approved CCSF employees and authorized 3rd party (customers, vendors, etc.) may utilize the
benefits of VPNs, which are a "user managed" service. This means that the user is responsible
for selecting an Internet Service Provider (ISP), coordinating installation, installing any required
software, and paying associated fees.

   1. It is the responsibility of employees with SSL VPN privileges to ensure that unauthorized
        users are not allowed access to CCSF internal networks.
   2. SSL VPN use is to be controlled using either an authenticated password of 8 characters
        (1e0yea21) or more or a strong pass phrase password (my dog ate the cat).
   3. When actively connected to the college network, SSL VPNs will force all traffic to and
        from the PC over the SSL VPN tunnel: all other traffic will be dropped.
   4. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
   5. SSL VPN gateways will be set up and managed by CCSF ITS network group.
   6. All computers connected to CCSF internal networks via SSL VPN or any other
        technology must have the most up-to-date updates, patches and hotfixes for the
        computer operating system used; this includes personal computers.
   7. All computers connected to CCSF internal networks via SSL VPN or any other
        technology must use the most up-to-date anti-virus software that is the college standard
        (; this includes personal computers.
   8. All computers connected to CCSF internal networks via SSL VPN or any other
        technology must use the most up-to-date anti-spyware software (Spy Sweeper,
        Ad-Aware, Spybot); this includes personal computers.
   9. For all computers connected to the CCSF internal networks via SSL VPN or any other
        technology over a wireless network, the wireless network must be secured by some
        type of encryption (WEP, WPA1/2, PEAP) to protect the data transactions between the
        remote computer and the college network.
   10. SSL VPN users will be automatically disconnected from CCSF network after 5 minutes of
        inactivity. The user must then log on again to reconnect to the network. Pings or other
        artificial network processes are not to be used to keep the connection open.
   11. The SSL VPN gateway is limited to an absolute connection time of 24 hours or less.
   12. Users of computers that are not CCSF owned equipment must configure the equipment
        to comply with CCSF VPN and Security Policies.
   13. SSL VPN access requests may be restricted or limited due to system capacity limitations.
   14. The remote systems access provided by this service is not an authorization of overtime
        and the associated compensation. All overtime requests must be approved individually by
        a supervisor.
   15. This VPN usage policy is not to be interpreted as a telecommute policy for CCSF.

4.0 Enforcement
Any employee found to have violated this policy may have their VPN access terminated and be
subject to additional disciplinary action per the CCSF Computer Usage Policy.

5.0 Definitions
Term                    Definition
Extranet                A catchphrase that refers to an intranet that is partially accessible to
                        authorized outsiders. Whereas an intranet resides behind a firewall and
                        is accessible only to people who are members of the same company or
                        organization, an extranet provides various levels of accessibility to
                        outsiders. You can access an extranet only if you have a valid username
                        and password, and your identity determines which parts of the extranet
                        you can view.
SSL VPN Gateway         A device in which VPN connections are terminated.
Web Browser             Software application used to locate and display Web pages. Graphical
                        browsers can display graphics as well as text. In
                        addition, most modern browsers can present multimedia information,
                        including sound and video, though they require plug-ins for some
                        formats. Popular browsers are Internet Explorer, Netscape and Safari.

6.0 Violation of Acceptable Use Policy
The ITS Department reserves the right to investigate suspected violations of this Policy,
including the gathering of information and the examination of network traffic from the
user's machine.
The ITS Department has the right to disable SSL VPN access and user accounts with or
without notice if security issues appear to compromise the CCSF internal network resources.
The ITS Department may disable a user's access to the Extranet Network if they violate the
terms set forth in this Policy. Faculty or Staff caught hacking will be referred to Human
Resources for disciplinary action. Outsiders or Consultants caught hacking will be referred
to the police or other law enforcement agency for criminal prosecution and penalties.

7.0 Non-Supported Items
Information Technology Services (ITS) does not support any personal
computers, hardware and software that do not officially belong to the
CCSF. Also, CCSF does not support any external Internet Service

8.0 Revision History
2/13/2006               Benton Chan, Version 1.3
4/21/2005               Tim Ryan, Version 1.2
2/14/2005               Benton Chan, Version 1.1

Name: ________________________________________ Phone: (      )__________________
Email: ________________________________________ [ ] Faculty [ ] Staff [ ] Consultant
Requester Signature: __________________________________________________________
W00# ID: ____________________________________________________________________
Department: _____________________ Department Manager: __________________________
Building: _________________________________________ Room: ______________________

Department Signature: _______________________________ Date (mm/dd/yy): ____________
Access Type (Check options that correspond to your job function):
[ ] Internet Native Banner (INB)
[ ] For Server and Software Application IT Support by IT Staff or IT Consultants. Specify access
details: ______________________________________________________________________
[ ] Other_____________________________________________________________________
NOTE: Access request may be denied due to ITPC or ITS policies.

