Enterprise Architecture
Space shortcuts
Page tree

Versions Compared

Old Version 9

changes.mady.by.user Rupert Berk

Saved on

compared with

New Version Current

changes.mady.by.user Rupert Berk

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
TitleMinimize site-to-site VPNs
Link 
Summary
Excerpt

(tick) Technical Solution designs SHOULD minimize the use of site-to-site VPNs and subnet-extensions.

The preferred approach is to use well-managed IP endpoints. These IP endpoints will provide controlled access per-client via the use of encryption, subnet firewalls, endpoint firewalls, application firewalls, load-balancers / proxies, segregated networks, intrusion prevention systems, access control policies, pro-active monitoring, and continual, full-stack software maintenance.

IPv6 endpoints should be preferred whenever possible.

Authority

Recommended by the University of Washington (tick)(what does this mean?)

Approved By
  • Brad Greer, CTO
Date reviewedJuly 2, 2018
Reviewed By:
  • Brad Greer, CTO
  • Rupert Berk, Enterprise Solutions Architect
SourceChief Technology Officer
Status(lightbulb) Current
Rationale

As the UW adopts public Cloud services, there is often a need to connect back to resources on the UW private network.

Public Cloud vendors often recommend establishing site-to-site VPNs. Neither does this approach scale, nor is it necessarily secure.

Providing A well-managed public endpoints instead will promote:

  • increased data security and better access controls
  • looser coupling and simplified designs
  • simpler and more transparent request process for interfacing systems
    • easier troubleshooting between systems

    IP endpoint should:

    • be fully configurable via software ( git repo for configuration )
    • allow connections only from designated clients  (firewall) 
    • be designed to avoid DDOS attacks ( connection throttling ) 
    • be designed to prevent password guessing (auto-lockout / auto-blocking )
    • always encrypt connections 
    Notes

    Exceptions: Requests for new site-to-site VPNs and subnet extensions need to be approved by the UW-IT CTO (submit requests using help@uw.edu and mention this policy # in the subject).