Title: Minimize site-to-site VPNs
Summary: Technical Solution designs SHOULD minimize the use of site-to-site VPNs and subnet-extensions.

The preferred approach is to use well-managed IP endpoints. These IP endpoints will provide controlled access per-client via the use of encryption, subnet firewalls, endpoint firewalls, application firewalls, load-balancers / proxies, segregated networks, intrusion prevention systems, access control policies, pro-active monitoring, and continual, full-stack software maintenance.

IPv6 endpoints should be preferred whenever possible.

Authority

Recommended by the University of Washington

Approved By
  • Brad Greer, CTO
Date reviewed: July 2, 2018
Reviewed By:
  • Brad Greer, CTO
  • Rupert Berk, Enterprise Solutions Architect
Source: Chief Technology Officer
Status: Current
Rationale

As the UW adopts public Cloud services, there is often a need to connect back to resources on the UW private network.

Public Cloud vendors often recommend establishing site-to-site VPNs. This approach neither scales well nor is it necessarily secure.

A well-managed IP endpoint should:

  • be fully configurable via software (git repo for configuration)
  • allow connections only from designated clients (firewall)
  • be designed to avoid DDoS attacks (connection throttling)
  • be designed to prevent password guessing (auto-lockout / auto-blocking)
  • always encrypt connections
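As an added example (not code from this policy page or from UW-IT), the following Python sketch enforces the last four controls above on a stream of constructed connection events: a client allowlist by network, a sliding-window connection throttle, lockout after repeated failed logins, and refusal of unencrypted connections. All names, thresholds and events are assumptions; the addresses are the reserved documentation prefixes, and a real endpoint would load the policy values from its configuration repository.

```python
"""Added example, not part of the UW policy page or any UW-IT code: a small
access gate that enforces the controls the rationale lists for a
well-managed IP endpoint. Names, thresholds and sample events are constructed."""
from __future__ import annotations

import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class EndpointPolicy:
    """Constructed policy knobs; a real deployment would load these from the
    endpoint's configuration repository."""
    allowed_nets: list[str]            # firewall allowlist (CIDR strings)
    max_conns_per_window: int = 3      # connection throttling
    window_seconds: int = 60
    max_failed_logins: int = 2         # auto-lockout threshold
    lockout_seconds: int = 900


class EndpointGate:
    def __init__(self, policy: EndpointPolicy) -> None:
        self.policy = policy
        self._nets = [ipaddress.ip_network(n) for n in policy.allowed_nets]
        self._conns: dict[str, deque] = defaultdict(deque)  # client -> recent connection times
        self._failures: dict[str, int] = defaultdict(int)   # client -> consecutive failed logins
        self._locked_until: dict[str, float] = {}           # client -> time the lockout expires

    def admit(self, client_ip: str, encrypted: bool, now: float) -> tuple[bool, str]:
        """Decide whether a new connection from client_ip may proceed at time `now`."""
        if not encrypted:
            return False, "plaintext connection refused"
        addr = ipaddress.ip_address(client_ip)
        if not any(addr in net for net in self._nets):
            return False, "client not in allowlist"
        if self._locked_until.get(client_ip, 0.0) > now:
            return False, "client locked out"
        recent = self._conns[client_ip]
        # drop timestamps that have aged out of the sliding window
        while recent and now - recent[0] >= self.policy.window_seconds:
            recent.popleft()
        if len(recent) >= self.policy.max_conns_per_window:
            return False, "connection rate exceeded"
        recent.append(now)
        return True, "admitted"

    def record_login(self, client_ip: str, success: bool, now: float) -> bool:
        """Track authentication outcomes; returns True when this failure triggers a lockout."""
        if success:
            self._failures[client_ip] = 0
            return False
        self._failures[client_ip] += 1
        if self._failures[client_ip] >= self.policy.max_failed_logins:
            self._locked_until[client_ip] = now + self.policy.lockout_seconds
            self._failures[client_ip] = 0
            return True
        return False


def run_demo() -> list[str]:
    """Replay constructed events (documentation address ranges only) and return the gate's decisions."""
    gate = EndpointGate(EndpointPolicy(allowed_nets=["2001:db8::/32", "198.51.100.0/24"]))
    decisions = []
    # an allowlisted client arriving without encryption
    decisions.append(gate.admit("198.51.100.7", encrypted=False, now=0)[1])
    # a client outside the allowlist
    decisions.append(gate.admit("203.0.113.9", encrypted=True, now=0)[1])
    # an IPv6 client: three connections fit the window, the fourth is throttled
    for t in (1, 2, 3, 4):
        decisions.append(gate.admit("2001:db8::10", encrypted=True, now=t)[1])
    # once the window has slid past the earlier connections it is admitted again
    decisions.append(gate.admit("2001:db8::10", encrypted=True, now=65)[1])
    # two failed logins lock a client out for lockout_seconds
    gate.record_login("198.51.100.7", success=False, now=70)
    locked = gate.record_login("198.51.100.7", success=False, now=71)
    decisions.append("lockout triggered" if locked else "no lockout")
    decisions.append(gate.admit("198.51.100.7", encrypted=True, now=72)[1])
    decisions.append(gate.admit("198.51.100.7", encrypted=True, now=72 + 900)[1])
    return decisions


if __name__ == "__main__":
    for line in run_demo():
        print(line)
```

The gate is deliberately stateless about the application behind it: it only answers "may this client connect now", which is the layer a subnet or endpoint firewall, a rate limiter and an auth lockout each implement in production. Refused attempts are not counted toward the connection window, so a client that is locked out or unencrypted does not consume the budget of a legitimate session from the same address.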
Notes

Exceptions: Requests for new site-to-site VPNs and subnet extensions need to be approved by the UW-IT CTO (submit requests using help@uw.edu and mention this policy # in the subject).