
IT Center Blog

Secure Access to the Institute VPN at RWTH Aachen University

June 3rd, 2024 | by

To allow secure, encrypted access to the RWTH network from anywhere, the academic institutions of RWTH Aachen University can provide a VPN instance to a restricted group of people if required. This allows users to securely access their resources at their institution. As part of the introduction of multi-factor authentication at RWTH, the security requirements for these VPN instances have increased.

There are various options for managing and enabling VPN access, which we would like to introduce to you in this blog post.


Institute VPN on Dedicated Hardware

This variant requires dedicated hardware, i.e. hardware that is configured exclusively for the secure VPN access of a specific institution. The institution must procure this hardware itself via the IT Center. A consultation is held with the IT Center to determine which device is suitable for the respective institution.

After the initial configuration of the physical VPN device by the IT Center, the administrators of the institution manage access to the VPNs themselves. If required, they can enable access to the VPN instance for staff and students at their institution. In addition, they can regulate access to resources within the institute via firewalls or dedicated VPN groups.


Institute VPN on Centralized IT Center Hardware

Another option is to operate the institute VPN on centralized IT Center hardware. Unlike the first variant, no physical device is installed at the institution. To make these VPN instances usable, the IT Center provides a virtual instance on redundant hardware, which is significantly more efficient in relation to the size of the shared use. Redundant hardware means that several hardware components can take over in the event of a failure, which increases availability and reliability.

The virtual instances are isolated from each other. This means that each virtual instance operates in a separate, independent environment. This isolation ensures that one instance has no impact on another and thus guarantees a high level of security. VPN users are only shown the relevant context when they dial in. This gives them access to the specific resources and information that are relevant and authorized for them. This makes operation just as easy as when dialing into a VPN device running on dedicated hardware.

Extended security measures or a site-2-site configuration, which establishes an encrypted tunnel connection between different locations (e.g. institute in the RWTH network and branch offices), are no longer possible for technical reasons.


If you need consultation on the central instance or any other VPNs, or simply have questions, you can contact the IT Service Desk (servicedesk@itc.rwth-aachen.de).

Further information on the VPN modules can be found on IT Center Help.


Responsible for the content of this article are Corinna Hausberg and Benedikt Paffen.
