The purpose of this policy is to define requirements for Remote Access Virtual Private Network (VPN) connections to the Boise State network.
Approved Boise State employees and authorized third parties may use the benefits of VPNs, which are a “user managed” service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy.
1. It is the responsibility of employees with VPN privileges to ensure that unauthorized users are not allowed access to Boise State internal networks.
2. When actively connected to the Boise State network, the VPN will force all traffic to and from the host over the VPN tunnel; all other traffic will be dropped.
3. Dual (split) tunneling is NOT permitted; only one network connection is allowed.
4. VPN gateways will be set up and managed by Boise State’s Office of Information Technology.
5. All hosts that are connected to Boise State’s internal networks via remote access must meet the configuration requirements defined in the Minimum Standard for Systems.
6. VPN users will be automatically disconnected from Boise State’s network after thirty minutes of inactivity. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
7. Only OIT-approved VPN clients may be used.
8. By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Boise State’s network, and as such are subject to the same rules and regulations that apply to Boise State-owned equipment, i.e., their machines must be configured to comply with Boise State Policies.
This policy applies to all Boise State employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties using VPNs to access the Boise State network.
All users of Boise State IT resources are responsible for compliance with this policy.
A. Non-Compliance with this Policy: Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Adapted with permission from the SANS Institute Security Policy Project.