VPN Activity Review: A growing service which should be fully supported by Computing Services (PowerPoint presentation transcript)
Provided by: cmu

Transcript and Presenter's Notes

1
VPN Activity Review
A growing service which should be fully supported by Computing Services
  • January 2006

2
Service Goals
  • Provide Network Layer Traffic Encryption
  • For use with Services which lack applications
    layer encryption
  • For use where the possibility of eavesdropping
    on network traffic is high
  • Off campus remote access to services
  • Campus wireless network access to services
  • On Campus access where wired network security is
    questionable (as need is determined by ISO)

3
Service Goals
  • For use in accessing restricted VLANs
  • A100, FMS, ACISVLAN plans
  • For use as a method to bypass port blocks on
    campus border during security incidents
  • Not primary goal
  • A work around which is useful to some

4
Service Support Statement
  • Primary Support Contact
  • The provider of the service that requires VPN use
  • Computing Services Support
  • Will help administrators to resolve issues
  • Will Provide best effort for off-campus support
    issues
  • Statement
  • http://www.cmu.edu/computing/documentation/support_vpn/vpn_support.html

5
Service Characteristics
  • Encrypted IPSEC Tunnels
  • Using strong encryption (AES/3DES)
  • Mutual Authentication
  • Using 1024 bit X.509 Certificates
  • Off Campus Service
  • Off Client registration identity

6
Service Characteristics (cont.)
  • End Points
  • A84 Service Subnet
  • On and Off campus Windows and Mac clients
  • Audit log
  • Client Registration
  • Certificate issuance/revocation
  • Client tunnel utilization
  • Client remote address

7
Service Software/Hardware
  • CISCO Client Software
  • Windows
  • Mac
  • Linux (unsupported but available)
  • CISCO 3030 VPN Concentrator
  • Two 3030s located in A84 machine room
  • WEBSSL (SSL VPN) also provided by the 3030s

8
Service Software/Hardware (cont.)
  • Network Registration System
  • Registration Support for VPN virtual subnets
  • Network Certificate Service
  • X.509 Certificate issuance and revocation
  • X.509 CRL issuance
  • Appears to be used as part of the Network
    Registration System

9
Is the Service Unique? No
  • CMU CS SEI (PKI)
  • Dartmouth (PKI)
  • University of Virginia (PKI)
  • Duke
  • Georgetown in Qatar
  • Harvard
  • MIT
  • New York University
  • Pennsylvania State University
  • UC Berkeley
  • Rice University
  • Oregon State University
  • University of Colorado Boulder
  • University of Delaware
  • University of Michigan
  • University of Minnesota
  • University of Southern California
  • University of Texas at Austin
  • University of Wisconsin
  • University of Chicago
  • Colorado State University
  • University of Florida
  • UC Irvine
  • Seattle University

10
VPN Usage Totals
11
VPN Sessions by Department
12
VPN Clients by Department
13
VPN Hours by Department
14
User Mechanics/Experience
  • Download VPN client and instructions
  • https://www.cmu.edu/myandrew/
  • Register client and create/download certificate
  • https://netreg.net.cmu.edu/
  • Install client software on machine
  • Install certificate
  • Edit connection profile
  • Use it
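The certificate lifecycle behind slide 8 (the Network Certificate Service issuing and revoking X.509 certificates and publishing a CRL) and slide 14 (the client creating and installing its certificate), as an added example that is not CMU's Network Certificate Service, the Network Registration System or Cisco's client or concentrator software. It uses the standard openssl command line only. The CA name "Example VPN CA", the organization, the client names alice-laptop and bob-desktop, the directory layout and the openssl.cnf profile are assumptions for illustration, and it uses 2048-bit RSA keys rather than the 1024-bit certificates slide 5 mentions, because OpenSSL builds on current distributions commonly reject 1024-bit RSA at their default security level.

```shell
#!/bin/sh
# Added example (not CMU's Network Certificate Service): a throw-away CA that
# issues, revokes and CRL-checks VPN client certificates with the openssl CLI.
# Names, paths and the 2048-bit key size are assumptions for illustration.
set -eu

# CA side: create the database files, a minimal openssl.cnf and a self-signed
# CA certificate.  $1 = work directory.
ca_init() {
    ca="$1/ca"
    mkdir -p "$ca/newcerts" "$1/clients"
    : > "$ca/index.txt"            # issuance/revocation database (the audit record)
    echo 1000 > "$ca/serial"; echo 1000 > "$ca/crlnumber"
    cat > "$ca/openssl.cnf" <<EOF
[ ca ]
default_ca = vpn_ca
[ vpn_ca ]
database = $ca/index.txt
new_certs_dir = $ca/newcerts
certificate = $ca/ca.crt
private_key = $ca/ca.key
serial = $ca/serial
crlnumber = $ca/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 7
policy = vpn_policy
x509_extensions = client_ext
[ vpn_policy ]
organizationName = optional
commonName = supplied
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$ca/openssl.cnf" -extensions ca_ext \
        -subj "/O=Example University/CN=Example VPN CA" \
        -keyout "$ca/ca.key" -out "$ca/ca.crt" >/dev/null 2>&1
}

# Client side (slide 14): key pair and CSR are generated on the client machine;
# only the CSR goes to the CA, which signs it with the client profile.
# $1 = work directory, $2 = registered client name (becomes the CN).
client_enroll() {
    ca="$1/ca"; c="$1/clients/$2"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config "$ca/openssl.cnf" \
        -subj "/O=Example University/CN=$2" -keyout "$c.key" -out "$c.csr" >/dev/null 2>&1
    openssl ca -config "$ca/openssl.cnf" -batch -notext \
        -in "$c.csr" -out "$c.crt" >/dev/null 2>&1
}

# Mark a client certificate revoked in the database (slide 8: revocation).
ca_revoke() {
    openssl ca -config "$1/ca/openssl.cnf" -revoke "$1/clients/$2.crt" >/dev/null 2>&1
}

# Publish a fresh CRL (slide 8: CRL issuance).  Until this runs, a revoked
# certificate is still accepted by anyone holding the previous CRL.
ca_gencrl() {
    openssl ca -config "$1/ca/openssl.cnf" -gencrl -crldays 7 \
        -out "$1/ca/ca.crl" >/dev/null 2>&1
}

# Concentrator side: chain the client certificate to the CA, require the
# clientAuth purpose and consult the CRL.  Prints OK, REVOKED or FAIL.
client_verify() {
    out=$(openssl verify -CAfile "$1/ca/ca.crt" -CRLfile "$1/ca/ca.crl" -crl_check \
              -purpose sslclient "$1/clients/$2.crt" 2>&1) || true
    case "$out" in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo FAIL ;;
    esac
}

# Walk through the lifecycle for two registered clients.
demo() {
    d=$(mktemp -d)
    ca_init "$d"
    client_enroll "$d" alice-laptop
    client_enroll "$d" bob-desktop
    ca_gencrl "$d"
    echo "issued:    alice=$(client_verify "$d" alice-laptop) bob=$(client_verify "$d" bob-desktop)"
    ca_revoke "$d" alice-laptop
    echo "stale CRL: alice=$(client_verify "$d" alice-laptop)"
    ca_gencrl "$d"
    echo "fresh CRL: alice=$(client_verify "$d" alice-laptop) bob=$(client_verify "$d" bob-desktop)"
    rm -rf "$d"
}
demo
```

The point of the "stale CRL" step is the one a practitioner most needs from slide 8: revocation is only effective once the concentrator has fetched a CRL issued after the revocation, so the CRL publication interval bounds how long a revoked client can still connect. The index.txt the CA maintains is the equivalent of the certificate issuance/revocation audit log listed on slide 6.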

15
VPN Support Process
  • Currently DSP, ACIS and other department support
    groups are handling First Level Support
  • Help Center has handled some First Level Support
  • Second Level Support has been handled by Network
    Development Group.
  • Limited Consulting has been done by ISAM for DSP

16
VPN Support Process (cont)
Help Center Remedy Incidents, March 2005 through
November 2005
  Incident type   CISCO VPN Client   IP Address Extension
  Accounts                 1                  4
  Setup                   33                 77
  Usage                   16                 39
  Total                   50                120

Note: IP Address Extension statistics shown for
comparison purposes
17
VPN Support Issues
  • Road warrior usage problems
  • User may need to try both the TCP and the UDP
    configuration (IPsec over TCP vs. IPsec over UDP)
  • Due to ISP configuration issues
  • Some ISPs' NAT policies do not permit VPN traffic
  • Some ISPs' filtering policies do not permit VPN
    traffic
  • Conflicting use of private (RFC 1918) addresses

18
VPN Support Issues (cont.)
  • Many Novice Users are not able to follow the
    installation instructions. It is a little too
    technical for some.
  • There have been cases related to the Windows XP
    Firewall with the installation and use of the
    software. We have found mixed information on this
    from CISCO and other sources. We are
    investigating further.

19
VPN Support Issues (cont.)
  • The Andrew Domain design has caused some issues
    with certain configurations, including User
    Profile use, Folder Redirection and Home Folder
    creation
  • These are specific to department Group Policy
    design
  • DSP results from Windows domain configuration
    issues:
  • Removed User Profile use for Domain Users
  • Phasing out Folder Redirection for Domain Users
  • Removed the Home Directory configuration
  • Migrated to login scripts with a mapped-drive
    configuration, as used in many businesses

20
CISCO VPN Support Issues
  • CISCO 3030 support
  • Multiple firmware image upgrades
  • To resolve WEBSSL java problems
  • To resolve WEBSSL crashing problems
  • CISCO client software support
  • Multiple client software upgrades
  • Has resolved some problems
  • Currently two documented bugs that are not fixed,
    both related to disconnect problems
  • Lack of understanding of related Windows
    configuration issues

21
Expected Service Growth
  • ACIS has phased out internal VPN service
  • IP Address Extension Service phase out plans
  • Departmental Needs Appearing to Grow
  • ISO and others see growing need for service
  • ISAM use for A100 service subnet plans
  • FMS/ACIS access to private VLANS

22
Future Support Needs
  • Network Development/Engineering
  • Ongoing support of the concentrator
  • Ongoing Client Support
  • ISAM
  • Operating system specific support
  • Windows Firewall
  • Active Directory GPO settings
  • Escalation of installation issues from the Help
    Center for Windows and Mac

23
Future Support Needs (cont.)
  • ACIS
  • Application specific support related to products
  • Connection issues documented related to servers
  • ISO
  • Security related issues pertaining to the VPN
  • Oversight as to when the VPN should be used and
    the security benefits it provides

24
Future Support Issues
  • VPN Service Support Issues Summary
  • VPN Service is needed by some
  • VPN Service is expected to grow
  • VPN Service needs more complete support within
    Computing Services to be a fully supported
    service
  • CISCO needs to be pushed on support problems
  • Alternative solutions need investigating

25
Questions?