Enterprise VPN Don Kendrick, VITA Senior Manager, Security Operations August 25, 2009

1. Enterprise VPN Don Kendrick, VITA Senior Manager, Security Operations August 25, 2009

2. This document explains the ITP’s plan to improve network security by providing agencies with single and two-factor VPN options The presentation will cover: • Overview of VPN Offerings • Benefits • Deployment Approach

3. VPN (Virtual Private Network) offers remote agency sites and users a secure internet connection to the VITA Enterprise Network • A VPN connects remote sites and users together by securely routing remote private networks over the Internet without the need for end-users to acquire additional hardware or software • As part of the ongoing transformation, the IT Infrastructure Partnership will begin transitioning all legacy VPN (Virtual Private Network) users to an Enterprise VPN • Enterprise VPN access rights that can be tailored to individual users, such as employees, contractors, and/or partners to provide the right level of access to the VITA Enterprise Network Note: VPN offerings are subject to governing policies SEC501 and SEC511

4. Security Related Benefits of VPN • Single Point of Contact • SOC • Intrusion Detection • Least Privileged • Well-Defended • Strong Cisco & Juniper support

5. Non-Security Related Benefits of VPN • Reduces Site Costs – Workers can work from home or other locations allowing agencies to lease smaller facilities • Supports Telework Initiatives – Promotes the Commonwealth of Virginia’s telework initiative, helps the environment, provides the option of allowing employees to work from home or remotely, and reduces strain on the transportation infrastructure • Supports Remote Business Meetings -- Bring services to your customers and extend geographic connectivity. Bring the power of your office to a client’s kitchen table, bedside, or work site • Improves Productivity – Enable employees to work after hours more easily

6. The ITP offers agencies single and two-factor authentication options for VPN access to the VITA Enterprise Network… Single-factor Authentication Two-factor Authentication This option is recommended for medium or low security data and application access. It only requires one factor to enable network access: the ID and password. For low to medium data security needs For high data security needs This is the most secure option. It requires two-factors to enable network access: ID and password plus key fob verification. …agencies can choose one, both or a combination of the two options to meet differing levels of employee data security needs *See appendix for complete list of ports supported by the single-factor solution

7. Most users are upgraded to enterprise VPN during transformation Deployment Approach • IT Infrastructure Partnership will begin transitioning most legacy VPN (Virtual Private Network) users to the Enterprise VPN following their agency’s messaging and network transformations • In order for single-factor or two-factor VPN to be installed, agencies must be cross-connected to the MPLS network • Single-factor VPN also requires a synchronized agency user base directory, with COV accounts for those receiving VPN services • Two-Factor Processes • Initial request, approval, and support processes • Catalog process • Other • AITRs will need to identify VPN needs within their agencies and approve all VPN requests • Migration will consist of an initial “bulk migration” to single-factor authentication at the agency sites • Post-transformation requests for single-factor VPN should be routed through the VCCC Service Desk by calling 1-866-637-8482. Token requests, a requirement for the two-factor solution, must be entered in eVA. Single-Factor Pilots and Evaluations 1 Transform Top 20 Agencies 2 Deploy VPN Across the Full Enterprise 3

8. Transformation Project Objective Convert legacy VPN users to CESC-based single-factor VPN or add new users to this solution Single-factor Enterprise VPN Agency Migration Process Responsibilities PRE-MIGRATION DURING MIGRATION POST- MIGRATION Agency • Provide list of all people getting VPN IT Partnership Team • Verify data accuracy Agency • Distribute job aids to users IT Partnership Team • Establish accounts • Distribute Cisco VPN software to target machines • Test connectivity • Notify VCCC that agency has transitioned Agency • Sign acceptance documents IT Partnership Team • Add individual users as required

9. Transformation Project Objective To migrate existing agency-based two-factor users to the CESC-based system or to add new two-factor users as appropriate Two-factor Enterprise VPN Agency Migration Process Responsibilities PRE-MIGRATION DURING MIGRATION POST- MIGRATION Agency • Decide how many agency end-users will need two-factor authentication so that the correct number of key fobs are provided to the agency • Identify any legacy VPN users • Provide a list of users who need new key fobs and the key fob serial numbers from any legacy users IT Partnership Team • Verify data accuracy with agency personnel Agency • Distribute appropriate training materials and job aids • Provide testers to ensure correct operation • Agency ISO distributes key fobs to end-users IT Partnership Team • Load key serials • Set up user accounts • Load Cisco VPN client on all target machines • Test functionality • Notify VCCC that agency has been cut over Agency • Sign acceptance documents IT Partnership Team • Add individual users as required

10. Questions?

11. Appendix

12. The single-factor solution will allow users to access systems operating under the following ports: