Remote Access to LJMU Systems
This policy applies to all forms of external access to LJMU computing systems including access from the LJMU Wireless Network.
To ensure the security and integrity of the University’s computing resources, all external access to internal systems is blocked by the University Firewall, except to those systems which provide web-enabled services and which have been expressly designated as accessible externally.
NB these include:
- Email access via Web-Outlook or via POP/IMAP clients
- Personal File-store access via WebDav or FTP
- Blackboard Virtual Learning Environment
- The Library System and Catalogue Services
- The LJMU Web Service
- The Off-Campus Applications Service
- Departmentally provided services expressly permitted by Firewall rules
Access to an application which is not web-enabled will be provided by making that application available on the Citrix Off-Campus Service. Only where this is not possible will the provision of a VPN (Virtual Private Network) connection be considered.
A VPN provides a direct, secure “tunnel” from a client PC to a designated system or systems, thus bypassing the normal security mechanisms provided by the University Firewall. This could potentially compromise the security and integrity of LJMU systems, thus:
VPN access is only provided in cases where:
a) There is a compelling operational requirement
b) The requirement cannot be met in any other way, and
c) The security and integrity of LJMU systems will not be compromised
All client systems connecting via a VPN are subject to conformance with the Access Control Policy.
The Access Control Policy will depend upon the perceived threats at that time, but typically would require that:
a) The client system is running the standard LJMU virus checker
b) The virus checker is at the latest version and signature level
c) The client system has the latest operating system security patches installed
Two-factor authentication is required where the VPN provides direct access to the internal network.
Authentication is normally based on a single factor: “something you know”, i.e. a password or PIN. Two-factor authentication (also known as strong authentication) requires the provision of “something you have” in addition to “something you know”. The “something you have” is provided by a personal key-fob-sized device that generates a one-time authentication code which changes every 60 seconds.
The following VPN usage models are provided:
1) Self Maintenance of Laptop Clients
A VPN is provided for all CIS Laptop Clients to enable users to install and update University licensed applications software remotely and to receive updates provided by CIS.
2) Out-of-Hours Cover / Maintenance of LJMU Systems
CIS staff who are providing “out-of-hours” cover or who are required in cases of emergency to remotely access University systems are provided with VPN access to the central systems. Use of this VPN is subject to two-factor authentication.
K A Walsh, PLN. August 2006