Virtual Private Network Policy
This policy sets out the requirements for the use of the CIS Virtual Private Network (VPN) by authorised users.
This policy applies to all full and part-time employees, postgraduate researchers, partners, collaborators, visitors and support organisations that have been authorised to use the VPN to connect to the University’s network to access resources.
Use of the VPN requires an internet connection and a compatible operating system, VPN client software and browser. Managed Desktop Service (MDS) machines and other University devices are supported by the University IT Service Desk or the relevant University IT representatives. Installation on non-University devices is the responsibility of the user, although CIS will assist on a good-will basis where possible. Devices not listed as compatible by the VPN manufacturer may not function correctly and are not supported.
- Access to the University VPN service is on an opt-in basis.
- Requests for access to the VPN service shall be directed to the IT Service Desk via the webform at: https://www.dur.ac.uk/cis/password/services/remote/vpn/access/form/
- Durham University full- and part-time employees and postgraduate researchers are permitted to use the service.
- Durham University undergraduates and taught postgraduates are unlikely to require the VPN service. Under exceptional circumstances access may be granted where there is an academic justification. This justification must be sponsored by a member of University staff (e.g. a course tutor or lecturer). To apply, complete the form via the link above.
- All contractor, visitor, supplier, support, collaborative or other third-party access to the VPN service must be authorised by the CIS Security Team on an individual basis and must be justified by a sponsor from the University.
- All Durham University users of the service shall authenticate with a Durham University CIS username and password and not group, computer, package or non-personal account credentials.
- Each user is responsible for ensuring that their use of the VPN is compliant with the University’s Policy on the Management of Information Off-Campus.
- Each user is responsible for undertaking reasonable protection of their University username and password and should not disclose these to anyone or write them down. Users shall report compromised credentials at the earliest opportunity.
- Each user is responsible for ensuring that the client device used to access University resources is used only by the authorised party and that appropriate controls and good practice are followed (for example, locking the device whilst it is not in use).
- The VPN service shall only be used for approved University business and academic reasons.
- All users agree that their usage metadata (connection, time, IP address, access requests etc) are recorded and subject to audit.
- CIS may withdraw a user’s access to the VPN without prior notification if deemed necessary to protect University resources (e.g. in the event of a security breach).
- Users who leave University employment will automatically have access revoked.
- Users accessing sensitive systems and data must additionally request, and authenticate to the VPN with, strong or two-factor authentication, which will be provided to them as part of the VPN solution.
- Users shall report a lost two-factor authentication token at the earliest opportunity.
- Access to highly sensitive systems or data must be via an MDS laptop with encryption configured. Exceptions to this must be approved by CIS security.
- All Microsoft Windows and Apple Mac devices used to access the University VPN shall have a firewall enabled and antivirus installed, with antivirus definitions no more than 10 days older than the latest update provided by the antivirus manufacturer.
- All client devices are checked for security compliance every 15 minutes. Devices that fail compliance will have their session disconnected and must meet policy again in order to successfully connect.
- Mobile telephones are not currently compatible or permitted as a VPN client device.
- Jailbroken or rooted tablet devices (i.e. devices on which the manufacturer’s security restrictions have been removed or disabled) will be denied access to the service for security reasons.
- Windows XP devices will be denied access to the VPN service for security reasons.
- Users must access the service using the manufacturer provided and approved VPN client software Junos Pulse, Network Connect or the HTTPS portal.
- When connected to the VPN all traffic will be directed to the University network and is subject to its controls, policies and network/firewall restrictions.
- Users will be disconnected after 30 minutes of inactivity. Users must then re-authenticate to resume access.
- Users are permitted a single concurrent active session.
- All sessions have a maximum lifetime of 10 hours, after which users must re-authenticate to create a new remote session.
- Access to administrative functions such as Remote Desktop to University machines and SSH shall be via the University VPN and not directly from the internet via firewall exemptions, except with the approval of the CIS Security Team.
- Each user is responsible for ensuring that any software accessed while connected to the VPN is appropriately licensed.
Glossary of terms
Virtual Private Network (VPN) – Extends a private (e.g. University) network securely across a public network such as the internet, enabling you to send and receive data as if you were directly connected to the network from wherever you are connected.
Managed Desktop Service (MDS) – The standard CIS-provided PC desktop service.
Metadata – “Data about data”: information about a connection or request rather than its content, such as your IP address, browser, connection time etc.
Two-factor authentication – The use of a second method of control to authenticate to an IT network, over and above your username and password, for example a one-time code generated by a physical token.
Jailbroken – Removing manufacturer limitations on an Apple phone/tablet to allow you to use the device in a way not intended by the manufacturer.
Rooted – Obtaining elevated privileges beyond manufacturer limitations on an Android device to allow you to use the device in a way not intended by the manufacturer.
SSH – (Secure Shell protocol) A network protocol for secure data communications often used to administer servers.