This document is a standard developed by Concordia University College for their VPN security. It begins with definitions of a policy, standard, and guideline. A policy outlines specific requirements, a standard describes system-specific procedures that must be followed, and a guideline provides suggestions for best practices. The VPN Security Standards document then outlines the authority, purpose, and scope. The standards section lists technical requirements for devices connected to the university network regarding virus protection, SNMP, printer services, default web pages, unauthorized access, physical security, and use of non-university devices. Violations may result in network disconnection, and exceptions require IT and CIO approval.

1. 200
8
VPN Security
Standards
Assignment # 2
Concordia University College VPN Security Standards developed
based on Concordia`s VPN security Policy.
Tareq Hanaysha
Abid Jamal Siddiqi
Hitesh Chugh
1110 | P a g e
Arjun Yadav
3/20/2008

2. Is it a Policy, a Standard or a Guideline?
What's in a name? We frequently hear people use the names "policy", "standard", and "guideline" to
refer to documents that fall within the policy infrastructure. So that those who participate in this
consensus process can communicate effectively, we'll use the following definitions.
A policy is a document that outlines specific requirements or rules that must be met. In the
information/network security realm, policies are usually point-specific, covering a single area.
For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate
use of the computing facilities.
A standard is collections of system-specific or procedural-specific requirements that must be
met by everyone. For example, you might have a standard that describes how to harden a
Windows NT workstation for placement on an external (DMZ) network. People must follow this
standard exactly if they wish to install a Windows NT workstation on an external network
segment.
A guideline is typically a collection of system specific or procedural specific "suggestions" for
best practice. They are not requirements to be met, but are strongly recommended. Effective
security policies make frequent references to standards and guidelines that exist within an
organization.
Standards Name: VPN Security Standards
Release Date: 20/03/08
1.
AUTHORITY
Concordia University College Chief Information Officer and Security Officer shall develop,
implement and maintain a coordinated plan for information technology (IT) including the
adoption of technical, coordination, and security standards for the university virtual private
network.
2.
PURPOSE
To provide a secure, cost effective and efficient virtual private network infrastructure that will
serve Concordia university college of Alberta. This network will provide us with a wide-area
network services to better serve faculties, departments, the library, and the students using
common, proven, pervasive, and industry-wide standards.
Page | 1

3. 3.
SCOPE
This standard applies to Concordia University College Virtual Private network Clients and
administrators, general personal computer that is connected to Concordia University College of
Alberta network that are not used in classroom activities. Computer labs that are used for
classroom activities must follow the network infrastructure and connectivity Security Standard
.Computer facilities that are open to the public (i.e., non-CUCOA users) must follow the Public
network Facility Security Standard.
4.
STANDARDS
Virus Protection and System Security: All devices connected to the University network are
required to use approved, current virus protection. All devices are also required to incorporate
available security updates and patches.
Simple Network Management Protocol (SNMP) & IPSec: If SNMP is required for a network device
to function on the University network the Read and Read/Write community strings must be set
to something other than the default setting of “Public”. In instances where SNMP is not needed
the service must be disabled.
New Printer installations: When a new printer is added to the University network, to the
greatest extent possible all unnecessary network services (for example, web and FTP services)
will be disabled. Those services that are required to administer the device must be password
protected.
Default web services: When a new network device is added to the University network special
attention must be paid to the software installation to protect against the existence of a default
web page. Default web pages can allow for unauthorized persons to exploit the University
network. In instances where no default web services are needed, these services must be turned
off.
Protection from Unauthorized Access to Network Devices: When a new network device is added
to the University network, the device must be protected. Usernames and passwords must be
protected from unauthorized access based on the principle that each user is responsible for all
activity that occurs in his/her account.
Physical Security of Network Devices: Any device attached to the University network must have
adequate physical security in place to prevent unauthorized access to the device. The physical
location of servers and other devices providing critical university services will be determined by
the Chief Information Officer.
Use of non-university devices on the university network: Any device that is not owned by
Concordia University College of Alberta must comply with the standards set by the IT Division
before the device is attached to the university network.
Page | 2

4. Violations of these standards may be evident during routine network security scans performed
by the IT Division. If violations are discovered, IT staff may disable the network connection
immediately, if necessary to protect the security of the network. The Division of Information
Technology recommends consultation with IT staff prior to the purchase of any device not
already approved by the Division. To request assistance related to these standards, please send
a request to the IT Help Desk. IT consultants will work with you to find a solution that can then
be forwarded to the Chief Information Officer for approval if a standards exception is required.
Page | 3