Closure of the VPN service

Due to the continued incidents and growing security risks from the service, access to CERN using the VPN (Virtual Private Network) service will be discontinued on Tuesday 29th January 2008. In addition, new registrations will no longer be accepted. Similar functionality to the VPN service is provided by application gateways, such as WTS (Windows Terminal Services) and the central Linux service on LXPLUS. The recommended methods for connecting to CERN from the Internet are documented at http://cern.ch/security/Internet.

Motivation

The risk of worms entering the CERN site from VPN connections is high, as they bypass the firewall protections in place for standard Internet connections. The serious impact of such incidents was already experienced in August 2003, when early versions of the Blaster worm rapidly entered the site via VPN connections. Although protections were added to contain those specific cases, the rise in zero-day exploits combined with home computers becoming a key target for attackers is a dangerous combination, increasing the risk of similar incidents occurring in future. In addition to the increasing risks, the ability to make a rapid follow-up for VPN incidents is limited and does not scale.

Known Issues

The closure of this service will require a change of working habits for users not familiar with the recommended methods for connecting to CERN from the Internet. To ease this change, a set of FAQs has been prepared and linked from http://cern.ch/security/Internet.

The remaining known issues are listed below:

  • In some cases the alternative working methods are less convenient and/or provide reduced performance compared to VPN.
  • Windows DFS File synchronization is not possible from off-site without VPN. File transfer (including mapping a local disk to a WTS session) is possible.
  • Remote installation of software was possible with VPN. This practice is not recommended, and therefore no alternative will be provided. Users must instead bring their computers physically to CERN.

If a case were to arise where VPN is vital for the mission of the organization and no alternative solution is available within the timescale, a temporary extension could possibly be maintained for the user concerned. This would require that the case is justified and supported by the user’s Department Head (or Deputy). The configuration of the device and working method of the user connecting to VPN would need to be agreed by a member of the security team in order to minimise the risk.

Questions not addressed by the documentation referenced above can be sent to vpn.closure@cern.ch.

Last update: Tuesday, 21. August 2007 16:00
Copyright CERN