The Restricted VPN service is a highly monitored version of the Campus' Remote Access VPN for users who access and control a large quantity of restricted data or key IT infrastructure as part of their normal business activity. Access is limited to trusted individuals who need to administer systems containing critical P4 data. This service adds security controls beyond those of the campus VPN; specifically, it uses threat monitoring and prevention settings similar to those used on high-security firewalls.
Why it is needed
To meet the Minimum Security Standards for Electronic Information (MSSEI) policy, the service reduces the attack surface by limiting which users can reach sensitive systems. It also imposes a higher security standard on the devices used to connect. These restrictions are not feasible for the entire campus population, but they can be applied to a subset of the campus. ISO will work with Service Providers (SP) to require this service on their systems.
The service primarily supports desktop clients; mobile support may be added later if there is a demonstrated need.
The Restricted VPN uses the same GlobalProtect client as the regular campus VPN. However, systems used to access the Restricted VPN should meet the following standards:
Run Microsoft Windows (v. 8.1 or newer) or Apple macOS (v. 10.13 or newer)
Run antivirus software (e.g., Microsoft Windows Defender, Apple Gatekeeper, or FireEye Endpoint Security)
Have an active host-based firewall
NOTE: The built-in firewall on macOS is not running by default
Meet all MSSND requirements
In the future, the following requirements will be added:
The above standards will become mandatory requirements enforced at connection time
All drives will need to be encrypted
NOTE: for Windows systems this means the C:\ drive will need to be encrypted. For Macs it will need to be "Macintosh HD" (this is the default name for the drive, and this naming convention must be kept)
Systems must have all current security patches installed
If you do not meet these requirements, you will be blocked from the service and receive a pop-up message with a link to https://vpn-blocked.security.berkeley.edu/.
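As an added example (not part of the campus documentation and not the check the GlobalProtect client performs), the following script lets a Windows user self-check the Windows-verifiable items above before connecting. It assumes Windows Defender is the antivirus in use and treats "no update awaiting reboot" as a coarse proxy for "all current patches installed"; MSSND compliance is not checked.

```powershell
# Added self-check for the Restricted VPN host standards; run in an elevated
# Windows PowerShell session. Not the GlobalProtect enforcement logic.
$results = [ordered]@{}

# OS: Windows 8.1 is version 6.3; anything newer passes
$osVersion = [Version](Get-CimInstance Win32_OperatingSystem).Version
$results['Windows 8.1 or newer'] = ($osVersion -ge [Version]'6.3')

# Antivirus: Windows Defender real-time protection must be on.
# Another product (e.g. FireEye Endpoint Security) would need its own check.
try {
    $mp = Get-MpComputerStatus -ErrorAction Stop
    $results['Antivirus real-time protection'] = [bool]$mp.RealTimeProtectionEnabled
} catch {
    $results['Antivirus real-time protection'] = $false
}

# Host-based firewall: all three profiles (Domain, Private, Public) enabled
$disabledProfiles = Get-NetFirewallProfile | Where-Object { -not $_.Enabled }
$results['Host firewall on all profiles'] = (-not $disabledProfiles)

# Drive encryption: C:\ fully encrypted with BitLocker and protection turned on
try {
    $vol = Get-BitLockerVolume -MountPoint 'C:' -ErrorAction Stop
    $results['C: drive encrypted'] = ($vol.VolumeStatus -eq 'FullyEncrypted' -and
                                      $vol.ProtectionStatus -eq 'On')
} catch {
    $results['C: drive encrypted'] = $false
}

# Patching (coarse proxy): Windows Update has no installed update waiting for a reboot
$rebootKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
$results['No updates pending reboot'] = -not (Test-Path $rebootKey)

# Report each item as PASS or FAIL
$results.GetEnumerator() | ForEach-Object {
    $state = if ($_.Value) { 'PASS' } else { 'FAIL' }
    '{0,-34} {1}' -f $_.Key, $state
}
```

Any FAIL line corresponds to one of the standards listed above and indicates the device would be expected to hit the block page once enforcement is in place.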
Use of this service is restricted to high-security needs, and ISO will vet groups requesting access. To request access, send an email to email@example.com to create a ticket, and:
Specify the protected data and systems your users are accessing.
Define at least one point of contact for the group; these individuals will be contacted for further information.
Transitioning to the rVPN:
Once access has been set up, users choose the Restricted Tunnel gateway from the drop-down in the GlobalProtect client.
How to get updates
When major changes are made, they will be announced on the bSecure mailing list, to which all firewall service administrators should be subscribed. ISO will also investigate creating a separate email list for Restricted VPN administrators. Administrators are responsible for passing the message along to the users they have added to the Restricted VPN.
For problems connecting or using the service: firstname.lastname@example.org
For issues related to setting up the service or its security controls: email@example.com