| Title | Minimize site-to-site VPNs |
|---|---|
| Summary | Technical solution designs SHOULD minimize the use of site-to-site VPNs and subnet extensions. The preferred approach is to use well-managed IP endpoints. These IP endpoints provide controlled access per client via the use of encryption, subnet firewalls, endpoint firewalls, application firewalls, load balancers / proxies, segregated networks, intrusion prevention systems, access control policies, proactive monitoring, and continual, full-stack software maintenance. IPv6 endpoints should be preferred whenever possible. |
| Date reviewed | July 2, 2018 |
| Source | Chief Technology Officer |

Recommended by the University of Washington.
As the UW adopts public Cloud services, there is often a need to connect back to resources on the UW private network.
Public Cloud vendors often recommend establishing site-to-site VPNs. This approach neither scales nor is it necessarily secure.
A well-managed IP endpoint should:
Exceptions: Requests for new site-to-site VPNs and subnet extensions need to be approved by the UW-IT CTO (submit requests using firstname.lastname@example.org and mention this policy # in the subject).