Pilot testing of Palo Alto’s GlobalProtect virtual private network (VPN) continued in September. GlobalProtect will become the central VPN service for all University of Utah and University of Utah Health staff, faculty, students, and affiliates, and the Cisco AnyConnect VPN will be turned off on a date to be determined.
A VPN is essentially a “tunnel” that makes your device’s internet traffic unrecognizable to internet service providers, network owners, and malicious actors. It does this by adding a layer of encryption, or coded language, that only your VPN client and a VPN server understand.
The U’s VPNs provide off-campus users with a secure connection to the university network when they need to access resources such as local/departmental file shares, private IP-addressed systems, some Marriott Library databases, Epic (clinical) applications, and Webtools. A VPN isn’t necessary to access UMail, Canvas, Ultimate Kronos Group, Campus Information Services, and various other online services that can be accessed with a home internet connection or a U-supported wireless network like UConnect.
Here are some recent developments on the VPN consolidation project:
- The project’s system configuration and design phases are complete.
- Existing accounts VPN accounts have been recreated and tested on the Palo Alto platform.
- The U’s Information Security Office has tested identity rules with multifactor authentication (MFA). MFA will be required for all VPN access after the transition.
- The IT Product Management team in the Chief Technology Officer organization is conducting user acceptance testing (UAT) with early adopters, and has hosted a series of webinars for system administrators for RADIUS server realms. Additional meetings between the project team and known Realm users are also being scheduled, as needed.
- An IT Knowledge Base article about the effort was published.
- The new VPN client is available for anyone to download and install (instructions are contained in the aforementioned knowledge article). Please note that local IT staff support may be needed for installation on university-managed devices.
- The GlobalProtect client will be tested with Epic applications beginning in November.
- The university is consolidating to one VPN client for a variety of reasons.
“There are huge benefits to the organization and university as a whole across the board,” said Clayton Norlen, product manager in UIT Product Management.
Ken Kizer, senior network engineer in UIT Network Services, explained that Cisco’s adaptive security appliance (ASA), which is integrated into AnyConnect’s network infrastructure, has significant limitations. An ASA is a network security device that combines firewall, antivirus, intrusion prevention, and VPN capabilities such as allowing multiple VPN tunnels to use a single network.
“The ASA couldn’t handle the number of people on it, and it cost quite a lot to update,” Kizer said. “The GlobalProtect VPN provides considerably more throughput,” specifically, from 700 megabit (Mb) with Cisco to 9.7 gigabit per second (Gbps) with Palo Alto — almost a 14-fold increase.
“Identity is a better solution for a number of reasons,” Johansen said. “We wanted to architect a VPN client independent of IP addresses. The new VPN is configured around an active directory (AD)-based firewall policy, which means that no matter where you are, you will be able to access the resources you need on the VPN based on your identity and active directory membership at the university, not the IP address of the device you’re using …” Johansen said. “When you log in, your identity is shared with the other firewalls. In this way, firewalls controlled by [the Network Operations Center] can create rules around identity and group membership.”
An added bonus of the new GlobalProtect VPN client, Johansen said, is its “full tunnel” configuration, with a five-day maximum session time and 18-hour inactivity timeouts.
Full tunnel is a VPN model in which VPN users have a secure, encrypted internet connection for all online activities. A “split tunnel” provides two connections at the same time: the secure VPN connection and an open connection to the internet. This split tunnel model protects data without slowing down other internet activities.
“We now have the ability to do a full tunnel with exceptions in a way that Cisco didn’t allow,” Johansen said. “We’re able to say Netflix, YouTube, whatever is high-bandwidth but low-risk, we can exempt from the tunnel. … [and] we have the tools to adapt as we move forward if we start running out of capacity.”
The key benefit of a full tunneling is security. If the VPN redirects internet traffic through a central point, that means it passes through university security controls like intrusion prevention devices that scan for malicious content. This essentially places a remote VPN user’s home computer behind the U’s perimeter, which is likely safer.
Although a formal cutoff date hasn’t been set, the project team is tentatively looking at January 1, 2022, barring exceptions (the U’s VPN contract with Cisco expires at the end of the calendar year). Exceptions may be submitted for review by assigning an online service request (login required) to UIT – ISO – Enterprise Security. Requests must include a justification for the exemption and will be reviewed on a case-by-case basis.
If you have questions about the project, please email Norlen at email@example.com.
“Our project team is really set up for customer service right now,” Norlen said. “We want to hear about what’s going on, and we’re going to continue that mantra going forward. We’re staffed and ready to help people make this shift as it aligns with their project queues and expectations.”