Restricted Remote VPN Access

2007/10/23 by CSO

Due to continued incidents and the growing security risk posed by the service, access to CERN using VPN (Virtual Private Network) is prohibited. Similar functionality is provided by application gateways, such as WTS (Windows Terminal Services) and the central Linux service on LXPLUS. The recommended methods for connecting to CERN from the Internet are documented here.

However, outgoing access from CERN to, for example, remote institutes is still possible (see "Access from CERN to the Outside" below).

Motivation

The risk of worms entering the CERN site through VPN connections is high, because such connections bypass the firewall protections applied to standard Internet connections. The serious impact of such incidents was already experienced in August 2003, when early versions of the Blaster worm rapidly entered the site via VPN connections. Although protections were added to contain those specific cases, the rise in zero-day exploits combined with home computers becoming a key target for attackers increases the risk of similar incidents occurring in future. In addition to the increasing risk, rapid follow-up of VPN incidents is limited and does not scale.

Known Issues

  • In some cases the alternative working methods are less convenient and/or provide reduced performance compared to VPN. Windows DFS file synchronization is not possible from off-site without VPN. File transfer (including mapping a local disk into a WTS session) is possible.
  • Remote installation of software was possible with VPN. This practice is not recommended, so no alternative will be provided; users must instead bring their computers physically to CERN.

If a case arises where VPN is vital for the mission of the organization and no alternative solution is available within the required timescale, a temporary extension may be granted for the user concerned. This requires that the case is justified and supported by the user's Department Head (or Deputy). The configuration of the device and the working method of the user connecting via VPN must be agreed with a member of the security team in order to minimise the risk.

Access from CERN to the Outside

The CERN firewall supports GRE-based PPTP VPN connections from CERN to remote institutes. This includes connections from fixed IP addresses as well as from dynamically allocated (DHCP) addresses (e.g. wireless and portable sockets).

VPN client software using IPsec-based connections is not fully supported by the firewall and is only permitted from sockets with dynamically allocated (DHCP) addresses (e.g. wireless and portable sockets).
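The two paragraphs above describe an egress policy in terms of VPN types rather than protocols and ports. The following is an added example (not CERN's firewall configuration) that models that policy as a small flow classifier and renders it as iptables rules, so that a practitioner can see which protocols each rule actually needs: PPTP uses a TCP/1723 control channel plus GRE (IP protocol 47), and IPsec uses IKE on UDP/500, NAT traversal on UDP/4500 and ESP (IP protocol 50). The site and DHCP address ranges are constructed for the example, and the iptables rendering is an assumed illustration of the policy, not the firewall's real rule set.

```python
"""Model of the VPN egress policy described on the page (added example).

Assumptions, not from the page: the site prefix and DHCP pools below are
constructed; protocol and port numbers are the standard ones for PPTP
(RFC 2637 / GRE RFC 2784) and IPsec (IKE, NAT-T RFC 3948, ESP).
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# IANA IP protocol numbers
PROTO_TCP = 6
PROTO_UDP = 17
PROTO_GRE = 47   # PPTP data channel
PROTO_ESP = 50   # IPsec encrypted payload

# Well-known ports
PPTP_CONTROL_PORT = 1723  # TCP
IKE_PORT = 500            # UDP, IKEv1/IKEv2
IKE_NAT_T_PORT = 4500     # UDP, ESP-in-UDP NAT traversal

# Hypothetical site layout (constructed for this example).
SITE = ip_network("10.0.0.0/8")
DHCP_POOLS = [ip_network("10.128.0.0/10"),   # e.g. wireless
              ip_network("10.192.0.0/10")]   # e.g. portable sockets


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int
    dport: Optional[int] = None  # None for port-less protocols (GRE, ESP)


def is_dhcp_client(src) -> bool:
    return any(src in pool for pool in DHCP_POOLS)


def is_pptp(flow: Flow) -> bool:
    return (flow.proto == PROTO_TCP and flow.dport == PPTP_CONTROL_PORT) \
        or flow.proto == PROTO_GRE


def is_ipsec(flow: Flow) -> bool:
    return (flow.proto == PROTO_UDP and flow.dport in (IKE_PORT, IKE_NAT_T_PORT)) \
        or flow.proto == PROTO_ESP


def vpn_decision(flow: Flow) -> Tuple[str, str]:
    """Classify a flow against the VPN policy: ALLOW, DENY or PASS.

    PASS means the flow is not VPN traffic and is left to the general
    firewall policy, which this example does not model.
    """
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if not (is_pptp(flow) or is_ipsec(flow)):
        return "PASS", "not VPN traffic; handled by the general firewall policy"
    if dst in SITE and src not in SITE:
        return "DENY", "inbound VPN access to the site is prohibited; use WTS/LXPLUS gateways"
    if src not in SITE or dst in SITE:
        return "PASS", "not a site-to-Internet flow"
    if is_pptp(flow):
        return "ALLOW", "PPTP (TCP/1723 control + GRE data) permitted from any site address"
    if is_dhcp_client(src):
        return "ALLOW", "IPsec (IKE UDP/500, NAT-T UDP/4500, ESP) permitted from DHCP ranges"
    return "DENY", "IPsec from a fixed-address socket is not permitted"


def iptables_rules(chain: str = "FORWARD") -> List[str]:
    """Render the same policy as iptables rules (assumed syntax, for illustration)."""
    rules = [
        # Inbound VPN to the site is dropped outright.
        f"iptables -A {chain} -d {SITE} -p tcp --dport {PPTP_CONTROL_PORT} -j DROP",
        f"iptables -A {chain} -d {SITE} -p gre -j DROP",
        f"iptables -A {chain} -d {SITE} -p udp --dport {IKE_PORT} -j DROP",
        f"iptables -A {chain} -d {SITE} -p udp --dport {IKE_NAT_T_PORT} -j DROP",
        f"iptables -A {chain} -d {SITE} -p esp -j DROP",
        # PPTP out from anywhere on site.
        f"iptables -A {chain} -s {SITE} -p tcp --dport {PPTP_CONTROL_PORT} -j ACCEPT",
        f"iptables -A {chain} -s {SITE} -p gre -j ACCEPT",
    ]
    for pool in DHCP_POOLS:  # IPsec out only from DHCP pools
        rules += [
            f"iptables -A {chain} -s {pool} -p udp --dport {IKE_PORT} -j ACCEPT",
            f"iptables -A {chain} -s {pool} -p udp --dport {IKE_NAT_T_PORT} -j ACCEPT",
            f"iptables -A {chain} -s {pool} -p esp -j ACCEPT",
        ]
    rules += [  # IPsec from the remaining (fixed-address) site ranges is dropped
        f"iptables -A {chain} -s {SITE} -p udp --dport {IKE_PORT} -j DROP",
        f"iptables -A {chain} -s {SITE} -p udp --dport {IKE_NAT_T_PORT} -j DROP",
        f"iptables -A {chain} -s {SITE} -p esp -j DROP",
    ]
    return rules


if __name__ == "__main__":
    for f in (Flow("10.1.2.3", "192.0.2.10", PROTO_GRE),
              Flow("10.1.2.3", "192.0.2.10", PROTO_ESP),
              Flow("10.130.0.5", "192.0.2.10", PROTO_UDP, IKE_PORT),
              Flow("192.0.2.10", "10.1.2.3", PROTO_TCP, PPTP_CONTROL_PORT)):
        print(f, *vpn_decision(f))
    print("\n".join(iptables_rules()))
```

Note the ordering in the rendered rules: the DHCP-pool ACCEPT lines must precede the site-wide DROP lines for IPsec, otherwise the broader prefix shadows them. The example models the 2007 policy as written; PPTP's MS-CHAPv2 authentication has since been shown to be breakable, so it should not be read as a recommendation to prefer PPTP over IPsec today.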