Q:        VPN information and ITServ policies & conditions

     VPN (Virtual Private Network) Information and ITServ’s VPN Policies and Conditions

At this time, AIT border filtering policies do not allow VPN connections (neither incoming nor outgoing).

AIT has a very restrictive filtering policy, whose main purposes are to:

  • Protect our own users
  • Prevent abuse of our very limited and extremely expensive Internet resources

The two main issues with VPN connections are:

  • VPN connections, whatever their type, by definition open a “tunnel” between two networks. Traffic inside the tunnel bypasses all filtering done at the border of both networks. The risk is high if either end node (VPN server *or* client) is allowed to route packets beyond itself: the tunnel can then be used to launch attacks from one network into the other. In most cases these are worm/virus infections propagating through the tunnel, not direct human-initiated attacks.
  • To limit abuse, we account precisely for everyone’s Internet bandwidth usage and redirect all web traffic to our caching proxies. The proxies have two functions: caching data (hence saving bandwidth) and enforcing a blacklist of entertainment-related web sites. Obviously, all traffic going over an outgoing VPN connection bypasses this redirection, filtering and caching.

ITServ’s current policy is to allow VPN connections under the following conditions:

  • For a limited period of time (possibly renewable)
  • From a very limited set of internal IP addresses (it is difficult to justify more than 2 or 3 addresses)
  • Under the condition that the VPN client has been properly configured *NOT* to route packets between the AIT network and the target network (only traffic to/from the client itself may go through the tunnel)
  • If the VPN connection is not permanently open, and opening it requires authentication credentials (username & password) that are not shared with anyone and not saved in the client’s configuration
  • Given the user’s written commitment that the VPN connection will be used strictly for academic purposes and only to access resources located on the target network (e.g. the University you connect to), not other Internet resources. This usage should be low-traffic (e-mail, ordinary web access). Large downloads are to be avoided whenever possible, and never done during office hours.
Note: Large data transfers over a VPN connection consume more bandwidth than the same transfers over a native connection, because of the encapsulation overhead.
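One way to verify the routing condition above on a Linux client host, as an added check that is not part of the original page: the kernel must not forward packets between its interfaces (the campus LAN interface and the tunnel interface), which on Linux is controlled by the ip_forward / forwarding sysctl entries. The script reads those entries; the file paths are parameters so it can also be run against a saved copy. The Windows and macOS equivalents are not shown here.

```shell
#!/bin/sh
# Added example (not from the original page): check that a Linux VPN client
# host will not route packets between the campus LAN and the VPN tunnel.
# A value of 1 in these kernel files means the host forwards packets between
# its interfaces, which is exactly what the policy above forbids.

# Returns 0 (true) when the given sysctl file holds "0" (forwarding off),
# 1 otherwise. A missing or unreadable file is treated as non-compliant.
# $1 = path to the sysctl file (default: the live IPv4 /proc entry).
forwarding_off() {
    file="${1:-/proc/sys/net/ipv4/ip_forward}"
    [ -r "$file" ] || return 1
    value=$(tr -d '[:space:]' < "$file")
    [ "$value" = "0" ]
}

# Check both IPv4 and IPv6 forwarding. $1 and $2 override the file paths
# (for tests or for inspecting a copied /proc snapshot); the defaults are
# the live kernel entries. Returns 0 only if both are disabled.
client_does_not_route() {
    v4="${1:-/proc/sys/net/ipv4/ip_forward}"
    v6="${2:-/proc/sys/net/ipv6/conf/all/forwarding}"
    rc=0
    if forwarding_off "$v4"; then
        echo "ok:   IPv4 forwarding disabled ($v4)"
    else
        echo "FAIL: IPv4 forwarding enabled or unreadable ($v4)"; rc=1
    fi
    if forwarding_off "$v6"; then
        echo "ok:   IPv6 forwarding disabled ($v6)"
    else
        echo "FAIL: IPv6 forwarding enabled or unreadable ($v6)"; rc=1
    fi
    return $rc
}

# Run against the live kernel when executed directly. To fix a failing host
# (as root): sysctl -w net.ipv4.ip_forward=0 net.ipv6.conf.all.forwarding=0
# and make the setting persistent in /etc/sysctl.conf.
client_does_not_route
live_status=$?
if [ "$live_status" -eq 0 ]; then
    echo "Result: this host does not forward packets (compliant)"
else
    echo "Result: this host may route between networks (NOT compliant)"
fi
```

Run it on the client before requesting the exception; the same two sysctl entries are what ITServ would expect to see set to 0.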

If you can comply with these requirements, please provide:

  • The IP address(es) *and* MAC address(es) of the clients to be allowed (they will be given a static DHCP lease to avoid problems)
  • The estimated usage period
  • The IP address of the outside VPN server you will connect to
  • The protocol details (PPTP, L2TP, IPsec); in your case we already have this information
  • Your written acceptance of the conditions defined above

Thanks for your understanding of our common goal: reasonable protection and fair sharing of our resources.