The policy for Virtual Private Network access to the Lancaster University network.
The Policy for the Virtual Private Network (VPN)
1. Purpose
The purpose of this policy is to provide guidelines for PPTP Virtual Private Network (VPN) connections to Lancaster University's campus network.
2. Scope
This policy applies to all Lancaster University students, employees, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties utilizing VPNs to access the Lancaster University network. This policy applies to implementations of VPN that are directed through an IPSec Concentrator. The VPN user will also be subject to the conditions and performance constraints of their chosen ISP.
3. Policy
Approved Lancaster University students, employees and authorized third parties (customers, vendors, etc.) may utilize the benefits of VPNs, which are a "user managed" service. This means that the user is responsible for selecting an Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees. Further details may be found in the Remote Access Policy[1].
Additionally:
- It is the responsibility of staff and students with VPN privileges to ensure that unauthorized users are not allowed access to Lancaster University internal networks.
- VPN use is controlled using one-time password authentication with a strong user-settable password.
- When actively connected to the University network, VPNs will force all traffic to and from the PC over the VPN tunnel; all other traffic will be dropped.
- Dual (split) tunnelling is NOT permitted; only one network connection is allowed.
- VPN gateways will be set up and managed by approved Lancaster University network operational groups.
- All computers, including personal computers, connected to Lancaster University internal networks via VPN or any other technology must use the most up-to-date anti-virus software. The University's corporate standard for anti-virus software is published on the ISS website[2].
- All computers, including personal computers, connected to Lancaster University internal networks via VPN or any other technology must regularly apply critical patches to their computer's operating system (i.e. users of Windows systems must regularly run Windows Update[3]).
- To protect the integrity and security of data, ISS may restrict the combined use of the VPN with applications that use the Remote Desktop Protocol (RDP) where they are used to access a University IT service.
- VPN users will be automatically disconnected from Lancaster University's network after sixty minutes of inactivity[4]. The user must then log on again to reconnect to the network. Pings or other artificial network processes are not to be used to keep the connection open.
- Wherever practicable, maintenance of the VPN will take place during the "At risk" times of the University networks and those of its ISP.
- The VPN concentrator is limited to an absolute connection time of 24 hours[4].
- Users of computers that are not Lancaster University-owned equipment must configure the equipment to comply with Lancaster University's VPN and network policies.
- By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Lancaster University's network, and as such are subject to the same rules and regulations that apply to Lancaster University-owned equipment, i.e., their machines must be configured to comply with ISS's Security Policy[5].
- Communications on the University's computer systems may be monitored and/or recorded to ensure the effective operation of these systems and for other legal purposes.
4. Enforcement
Any member of staff or student found to have violated this policy may be subject to disciplinary action.
5. Definitions
| Term | Definition |
|---|---|
| IPSec Concentrator | A device in which VPN connections are terminated. |
| PPTP | This is the connection type that Lancaster uses. |
| L2TP | Protocol not currently available at Lancaster. |
Notes
[2] see the AntiVirus website.
[3] see the Windows Update website.
[4] The time limits of 60 minutes and 24 hours (sections '3. ix' and '3. xi') may be revised in the light of experience.
[5] see the Electronic Rules webpages.