Virtual Private Network (VPN) Overview

Transmitting information across the Internet is inherently insecure. Vanderbilt's current infrastructure is designed to encourage and facilitate ease of use and maintenance, with minimal emphasis on security. This infrastructure is transitioning to a more secure environment with the mindset that information must be communicated as securely as possible. VU is working through this transition with actions such as specific security committees, E-password, wireless security, and firewalls.

Another component that contributes to a more secure environment is the implementation of Virtual Private Network (VPN) technology. A VPN uses encryption and tunneling to permit organizations to establish secure, end-to-end connections over third-party networks, such as the Internet. A VPN helps preserve data confidentiality and data integrity.

VPNs in general have evolved, and continue to evolve, into a platform that provides compatibility with multiple client machines, ease of use for end users, and ease of administration. The following VPN architecture is proposed, with the understanding that central IT organizations will continue to assist in the deployment and administration of this resource.

Vanderbilt will recommend and encourage the use of a VPN located at its network perimeter to enhance secure off-campus communication and to promote more restrictive access to VU servers. It is also understood that providing a VPN does not replace, but enhances, the security measures that should be in place at the operating system and application levels, and that may also be found at the department level. A VPN provides one portion of a security infrastructure while preserving the convenience and flexibility of off-campus access.

There are two parts to a VPN solution: the VPN concentrator and the VPN client software.

The VPN concentrator is a hardware device located on the Vanderbilt campus. The VPN client is software that is installed on the computer that you will use off campus. The client works with the VPN concentrator to create a secure connection, commonly referred to as a tunnel, between your computer and the concentrator.

For example, using a remote PC, you connect to the Internet, then start the VPN client and establish a secure connection through the Internet to the campus network. When you access any application, the VPN concentrator uses a strong encryption algorithm to encrypt the data and transmits it through the tunnel to your VPN client. The VPN client software decrypts the information so you can read it on your remote PC. If you update the data, the VPN client encrypts it and returns it to the campus network through the VPN concentrator.
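The two properties the overview attributes to the tunnel, confidentiality (the data is unreadable on the wire) and integrity (a packet altered in transit is rejected rather than read), can be seen in a small simulation. The code below is an added illustration, not code from this page or from the campus concentrator; it stands in for the real IPsec-style machinery with a stdlib-only encrypt-then-MAC construction built from HMAC-SHA256, and the shared secret and application data it uses are constructed sample values.

```python
import hashlib
import hmac
import secrets

# Constructed illustration (not the page's or the concentrator's own code):
# a minimal "tunnel" showing what the text means by confidentiality and
# integrity. Real VPNs use IPsec/TLS with a vetted AEAD cipher; the
# HMAC-based keystream here is used only so the example runs offline
# without third-party packages.

NONCE_LEN = 16
TAG_LEN = 32  # HMAC-SHA256 output length


def derive_keys(shared_secret: bytes) -> tuple[bytes, bytes]:
    """Split one shared secret into separate encryption and MAC keys.
    Stand-in for the key agreement the client and concentrator perform."""
    enc_key = hmac.new(shared_secret, b"tunnel-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(shared_secret, b"tunnel-integrity", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: concatenated HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encapsulate(keys, payload: bytes) -> bytes:
    """Concentrator side: encrypt the payload, then append an integrity tag.
    Packet layout on the wire: nonce || ciphertext || tag (encrypt-then-MAC)."""
    enc_key, mac_key = keys
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(payload, _keystream(enc_key, nonce, len(payload))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decapsulate(keys, packet: bytes) -> bytes:
    """Client side: verify the tag first, then decrypt. A packet altered in
    transit fails verification and is dropped (ValueError) rather than read."""
    enc_key, mac_key = keys
    if len(packet) < NONCE_LEN + TAG_LEN:
        raise ValueError("packet too short")
    nonce, ciphertext, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("integrity check failed; packet dropped")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def tampered_packet_rejected(keys, packet: bytes) -> bool:
    """Flip one ciphertext bit, as an on-path modification would, and report
    whether the client side rejects the altered packet."""
    altered = bytearray(packet)
    altered[NONCE_LEN] ^= 0x01
    try:
        decapsulate(keys, bytes(altered))
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    keys = derive_keys(b"constructed shared secret")
    record = b"GET /grades HTTP/1.1"  # constructed application data
    pkt = encapsulate(keys, record)
    print("on the wire:", pkt.hex())
    print("client reads:", decapsulate(keys, pkt))
    print("tampering detected:", tampered_packet_rejected(keys, pkt))
```

Note the order of operations in `decapsulate`: the tag is checked before any decryption, so a modified packet never reaches the application, which is the integrity guarantee the overview describes; the ciphertext on the wire carries none of the application bytes, which is the confidentiality guarantee.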

Definition
A VPN uses encryption and tunneling to permit organizations to establish secure, end-to-end connections over third-party networks, such as:
- POTS (Plain Old Telephone Service): uses a dial-up modem to connect to your ISP
- ISDN (Integrated Services Digital Network): may use a dial-up modem to connect to your ISP
- Cable: uses a cable modem; always connected
- DSL (Digital Subscriber Line): uses a DSL modem; always connected
- the Internet.

VPN vs Other Secure Communications
It has been stated that if people want secure communications, this should be provided at the application level. While this statement is true in theory, the reality is that vendors and developers may not, or do not want to, provide this ability in their products, and instead expect their customers to use a VPN to transmit information securely. Providing a campus VPN will let users rely on one secure method, rather than several, e.g., Secure Shell (SSH) or Apple Filing Protocol (AFP), to connect securely.

It has also been stated that Secure Shell (SSH) is a good alternative to a VPN. SSH allows one to create a secure session through which other protocols can be tunneled, but that tunneling requires configuration by the end user, and the end user must initiate the session by starting SSH and logging in to the host machine. A VPN creates an environment for secure transmission in which all connections and protocol conversations are secured. Using a VPN is a better method for non-technical end users to help ensure they transmit securely, while SSH may be fine for technical or computer-literate users who understand the steps involved. VPN support is frequently built into the routers, hubs, etc. within the network, whereas SSH is usually installed at the workstation.

Otherwise, the underlying communications and such are much the same.

One message that should be understood by all participants is that this VPN platform, located at the network perimeter, terminates the encryption tunnel there. Should a department need to extend an encryption tunnel closer to its servers, it may need to fund its own VPN platform.

Associated History
A VPN discussion group was formed after questions were asked about having a VPN for the Campus. Subsequent meetings were held in an effort to define what a VPN is and understand the interest and need to have a campus VPN.

During our discussion period, two events occurred that may have eliminated the need for this group to continue meeting. First, there was hope that the Wireless Security Committee's security recommendations would include the use of a VPN; however, they did not. Second, in recognition that a VPN was ill suited and overkill for allowing users access to files on their office desktops or on a file server, a product called NetSilica was rolled out in the latter part of 2002. NetSilica is not an alternative to a VPN but a complement to it. For inquiries about that project, please contact the VUMC Security Team - https://www.mc.vanderbilt.edu/security/.

This VPN solution was beta tested during May, June and July of 2003 before being rolled out to end users. For more information about this VPN implementation, read the Frequently Asked Questions list, and then contact ITS Partner Support staff by sending email to its-partner@v~.edu and/or by calling 615-936-ITSP.