Boise State Virtual Private Network Standard
The purpose of this standard is to define requirements for Virtual Private Network (VPN) connections to the Boise State network. It specifies the details of the standards as referred to by policies:
- 8130 Remote Access
This standard applies to all Boise State employees, authorized students, contractors, consultants, temporaries, and other workers including all personnel affiliated with third parties using VPNs to access the Boise State network.
It is the responsibility of the users of VPN to ensure that
- Unauthorized users are not allowed access to Boise State internal networks.
- All hosts that are connected to Boise State’s internal networks via remote access meet the requirements defined in the Minimum Standard For Systems.
- Only OIT-approved VPN clients are used when connecting to Boise State resources.
- By using VPN technology with personal equipment, users must understand that their machines are a de facto extension of Boise State’s network, and as such are subject to the same rules and regulations that apply to Boise State-owned equipment.
- They provide their own Internet Service Provider (ISP), coordinating installation, installing any required software, and paying associated fees.
It is the responsibility of the University to ensure that
- When actively connected to the Boise State network, the VPN will force all traffic to and from the host over the VPN tunnel: all other traffic will be dropped.
- Dual (split) tunneling is NOT permitted; only one network connection is allowed.
- VPN gateways will be set up and managed by Boise State’s Office of Information Technology.
- VPN users will be automatically disconnected from Boise State’s network after 10 hours of use. The user must then login again to reconnect to the network.
- Multi-factor authentication is required
Non-Compliance and Exceptions
A Request for Exception, along with a plan for risk assessment and management, can be submitted at Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.
Created: January 2020
Last Update: February 2022
Next Review: February 2023