All Mgrs Mtg-2008.10.01-Campus VPN

Title All Mgrs Mtg-2008.10.01-Campus VPN
Subject Information Technology
Description Campus VPN - Dan Hutten
- See the old presentation from 2004 by Matt McBride - it's really very good.
- NOC has provided VPN for many years. Currently there are about 50 average consistent connections, split between the WebVPN and the heavy client.
- Brad Zumbrunnen is the NOC VPN guy. Want to improve the communication more. Is the current setup working well enough for IT Managers, end users?
- AnyConnect SSL VPN "mini client" - 50 seats. What would happen when the 51st user gets on? Failure, Cisco tells us.
- Two ASA5540 units - one in production, one in testing. Physical location: EBC. Not currently redundant; not a priority since there isn't much use.
- See the icon slide. WebVPN: SSL-AnyConnect - http://vpnaccess.utah.edu - just start surfing! Users get confused, go to the AnyConnect button on the left.
- AnyConnect SSL VPN: Session begins and encrypts between the Campus VPN server for the session. Not currently auto-deleted, but could set it to do so. It's written in Java, so it could be a little lighter. 128-bit encryption, runs higher on the stack. We can get more licenses if there is a need.
- There are two class C's that are allowed to get journal access. The WebVPN is a nice way to access these.
- IPSec heavy client - 256-bit encryption. Traditional tunnel on the network layer. Can't use the heavy client with a 64-bit system. Help Desk refers users with 64-bit systems to use the WebVPN.
- Solaris 10 version isn't on the grid. Mobile devices aren't there either. ****
- Department VPN solutions: request a pool of a certain size. NID Tools (sort of) allow IT Mgrs to add users. Users log in with their @dept.utah.edu email address and uNID pw. Radius server authenticates users.
- Split tunneling doesn't happen now, but it could. Security concerns. EBC runs split tunneling and has seen no problems. Hospital guys are using Juniper to allow split tunneling. Jon: SSH tunneling will allow a single port for a specific service that is desired.
- Hang: users don't understand about split tunneling - not all traffic is on the VPN IP. Adds confusion.
- Steve Adams: couldn't the VPN check for firewall config, etc? We're pretty blind right now. CleanAccess, Microsoft have products to do this; we're just not using them.
- Brad Hawks: has users who sincerely don't want to use VPN, no matter how easy. They don't want one more login.
- Richard G: wants a more user-friendly grid or something like it.
Publisher Computing and Media Services
Type Image
Format video/mp4
Language eng
Rights Management Digital version copyright 2008, University of Utah. All rights reserved
Holding Institution Computing and Media Services, Marriott Library, University of Utah
Scanning Technician UUMM
ARK ark:/87278/s68918jz
Setname uu_mmc_mr
ID 232856
Reference URL https://collections.lib.utah.edu/ark:/87278/s68918jz