Educause Security Discussion mailing list archives
Re: VPN Concentrator replacement
From: "Pardonek, Jim" <jpardonek () LUC EDU>
Date: Wed, 8 May 2019 13:11:32 +0000
We’ve had GP on PA for a few years now. We have it on a small box, mostly because we use the host checking feature and the license has to be for the max number of VPN connections that the box is capable of. When we switched from PulseSecure we already had in place RSA’s MFA for authentication so we didn’t see any reason to change it at the time. We currently have an initiative to change to Microsoft’s MFA mostly because we switched to an E5 license and MFA comes with it. Once that happens, we will use either the MS Authenticator App or Gemalto tokens.

Best of Luck!

Jim

James Pardonek, MS, CISSP, CEH, GSNA
Information Security Officer
Loyola University Chicago
1032 W. Sheridan Road | Chicago, IL 60660
(773) 508-6086

Loyola University Chicago will never ask you for your username or password.
For the latest information security news at Loyola, please follow us online,
Twitter: @LUCUISO
Facebook: https://www.facebook.com/lucuiso/
Our Blog: http://blogs.luc.edu/uiso/

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Bandy, John
Sent: Wednesday, May 8, 2019 7:25 AM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] VPN Concentrator replacement

+1 for PA GP client. We do have a very small number of users allowed to use the native VPN on mobile devices using an IPSec tunnel set up on the PA without requiring the PA mobile client.
John Bandy
Chief Information Security Officer
Technology Services
205-726-2692 | office
205-726-2692 | fax
JBandy () Samford Edu
Twitter: http://twitter.com/SamfordInfoSec
800 Lakeshore Drive
Birmingham, AL 35229

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Francisco Chavez
Sent: Tuesday, May 7, 2019 4:40 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] VPN Concentrator replacement

We have moved our VPN services off of the Cisco AnyConnect (ASA) over to PaloAlto Global Protect since we already had the hardware in place. We implemented Global Protect with SSO for authentication and use DUO for MFA when accessing this system. This has been well received by our community since the look and feel of logging into the PaloAlto GP client is just like our Client Portal.

The installation for the client specifically on MacOS has been a little bit of a challenge for us since users tend to not read the instructions when installing the application. The users seem to glance over the portion that requires the enablement of an extension within System Preferences.

The PaloAlto Global Protect client is easy to administer and is very user friendly.

Also, a note… When you speak to your rep they will most likely highlight that the mobile devices like iPad, iPhone, Android, etc… are an extra cost. We surveyed our VPN users and determined a small group of people use mobile devices to access the campus through VPN and for those we will use a smaller PAN device to reduce licensing costs.
Regards,
- Francisco Chavez

-----------------------------------------------------------------------------------
Francisco Chavez
Manager, IT Security | Saint Mary's College of California
925-631-8236 | fac3 () stmarys-ca edu

On May 7, 2019, at 2:23 PM, Telfer, Will <Will_Telfer () BAYLOR EDU> wrote:

We moved from a Cisco appliance/Cisco AnyConnect to Palo Alto Global Protect because we already had the hardware in place. One of the largest advantages was that Global Protect integrated with our Duo implementation so it looked like all the other Duo Authentication screens, whereas the Cisco AnyConnect required users to type their second factor of authentication into the 2nd PW box on the login screen.

We have not disabled Cisco AnyConnect yet so some users are still using that method, but I have switched to Global Protect & it is easy & very user friendly.

Thank You,

Will Telfer, M.S.
Information Security Analyst
Information Technology Services

Follow BearAware for Cybersecurity Tips on:
Twitter: @BearAware
Facebook: facebook.com/BearAware
Website: baylor.edu/BearAware

From: The EDUCAUSE Security Community Group Listserv <SECURITY () LISTSERV EDUCAUSE EDU> On Behalf Of Akey, Michael
Sent: Tuesday, May 7, 2019 3:51 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] VPN Concentrator replacement

Hello Security list,

At OSU we're looking to replace our aging Cisco ASA devices with a new VPN solution. We wanted to know what other higher-ed institutions are using these days with regards to VPN for end users (not site-to-site/cloud VPN). Our current solution was very over-built for how it was ultimately used and we only have about 100-300 concurrent users on any given day.

Any solution we go with must support Duo 2fa - though I'm seeing that nearly any VPN service is supported by way of a RADIUS shim or custom login pages for SSL web VPNs.

If you've recently moved to a new VPN solution and are willing to briefly share your experiences with certain vendors/products I would appreciate it. If you know of a good article or existing survey of what other higher-ed institutions use for client VPNs I'd love that too.

Thank you,

Mike Akey
Systems Engineer, IT Infrastructure
University Information and Technology | Oregon State University
541-737-4948 | uit.oregonstate.edu