FEEDBACK NEEDED – Requiring use of the VPN for SSH access to MCECS

If you are faculty/staff or a researcher and you either use or require your students to use SSH to access Linux systems in MCECS, we need your feedback.

With a few exceptions, SSH access to most Linux resources in MCECS is currently open to the Internet. (That is, you can use SSH to login to Linux systems here without needing to use a VPN.) Contrast this with Windows Remote Desktop (RDP) which requires VPN use.

Considering the large volume of students who use Linux in MCECS, we are interested in how the requirement of the use of a VPN in order to SSH to Linux systems inside of MCECS will affect you and your mission.  Can you help us with answers to the following questions:

1) Do you use SSH to get to resources inside MCECS? How would the requirement of VPN-before-SSH affect you?

2) Do you require your students or collaborators to use SSH to get to resources inside MCECS? Can you describe how this change could affect them?

3) Do you manage any Tier 3 systems in MCECS that are accessible with SSH? How would this change impact the use of these systems?

4) Do you sponsor or support third-party systems in MCECS that are accessible with SSH? Let us know so we can discuss solutions on how to deal with them.

5) Are there other considerations that you can identify?

We appreciate the time you take to respond to this query. We are looking for feedback to better understand how this change will affect you and your students.

Why are we doing this?

Greater PSU (via OIT) doesn’t do much end-user Linux and they have long since required the use of a VPN for SSH access to the rest of campus. The University is now in the process tightening the campus information security posture. The drive for this is two-fold:

a) A move to requiring two-factor authentication for all “login” style connections to the campus.

b) Acquiring “cyber insurance” coverage for the campus. This requires the vetting of PSU’s infosec posture by an external organization.

For MCECS, this means tightening some of the historically open infrastructure to meet modern challenges. The VPN-to-SSH is part of this process. We are also working to identify the needs of research and other collaborative projects that require a more open infrastructure and try to engineer solutions that work for them.