eduvpn safe and trusted · •new apps ui -> easier to use for non-tech users •continue to...
TRANSCRIPT
![Page 1: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/1.jpg)
www.geant.org
eduVPNSafe and Trusted
Rogier Spoor, SURFnet
Tangui Coulouarn, DeiC
TNC19, Tallinn, 18 June 2019
![Page 2: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/2.jpg)
www.geant.org
• Why eduVPN?• What has been done?• How to deploy & service model• Future work/roadmap
Agenda
![Page 3: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/3.jpg)
www.geant.org
Safe and trusted
Securing access for remote staff and students
![Page 4: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/4.jpg)
www.geant.org
Why do we need eduVPN?
Working away from the office is the norm - Hotels, Cafes, Airports and Train Stations are the new offices
“How can I get WiFi?” is often the first question when attending meetings outside the office
BUT not all WiFi is born equal….
• While eduroam is a secure environment with authenticated access and local encryption many public WiFi services are not
• Unsecured hotspots
• Shared access passwords
• “Free” WiFi with web login screens
Are our users (and their data) safe?
![Page 5: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/5.jpg)
www.geant.org
The Risks of public WiFi
For Users
Unprotected WiFi can expose usernames and passwords
Content filtering on public WiFi may deny access to sites
Possibility of malware injection
Unknown and untrusted proxies could redirect users to fraudulent sites
For IT Support
Managed devices can insecurely connect to unknown networks
Risk of data loss
Ad-hoc, unmanaged VPN solutions may proliferate
![Page 6: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/6.jpg)
www.geant.org
eduVPN provides easy-to-use client software and a secure gateway to authenticate users and encrypt data.
eduVPN - securing access for remote users
Insecure public Wi-Fi
R&E Backbone
eduVPN Gateway
User authentication via eduGAIN
Institution Network
Authenticated &Encrypted Connection
Secure VLAN Connection
Public Internet
PrivateConnectivity
![Page 7: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/7.jpg)
www.geant.org
• Secure Internet: eduVPN instance gives access to the public Internet.• Possibility for guest access• Possibility for filtering for undesired traffic, services or content (e.g.
add-free profile implemented in Germany)• Privacy and security enhancing
• Institute access: eduVPN gives access to private resources• Stand-alone implementation• Managed service• Possibility for strong authentication• Profiles for different users/groups
The 2 uses of eduVPN
![Page 8: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/8.jpg)
www.geant.org
Open-Source VPN software comparison
Product Technology Scalable Encryption Audit Hide trafficRebrandable apps
Enterprise Identity
AlgoIPsec & IKEv2
Personal or small scale
Modest -Good No no no no
WireGuard WireGuardProtocol supports CPU scaling
State of the Art
Formal verification no Yes no
PPTP PPTP Not really Bad yes no no no
SoftEther VariousLarge scale/enterprise
Modest -Good Fuzzing yes yes no
OpenVPN 2.xOpenVPN 2.x
Personal or small scale
Modest -Good Yes, various yes no no
eduVPN - Let's Connect!
OpenVPN 2.x
Large scale/enterprise Good
Clients and Server yes Yes yes, SAML
OpenConnectAnyConnect
Large scale/enterprise
Modest -Good Unknown yes Yes
Work in Progress
![Page 9: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/9.jpg)
www.geant.org
![Page 10: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/10.jpg)
www.geant.org
Audited apps for different platforms
• iOS• MacOS• Windows• Android• Linux
All eduVPN software approved by GÉANT Dec ’18
![Page 11: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/11.jpg)
www.geant.org
Three Steps to Safety
Step 1 Select Your Organisation Step 2 Choose a Profile
Step 3 Ready to Go
![Page 12: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/12.jpg)
www.geant.org
How is secure internet implemented?
Holland, Denmark, Australia, Uganda, Ukraine, Norway, Germany
7 NRENs currently offering gateways
Each participating NREN offers a gateway to their participating institutions
GÉANT Project co-ordinates development and standards
NREN implementation
![Page 13: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/13.jpg)
www.geant.org
• The technical governance of eduVPN lies in the Commons Conservancy
• The service governance is defined in a policy document• Inspired by eduroam• Largely up to national operators (NRENs) to ensure compliance
in a country• Security and incident response obligations
Policy for a federated service
![Page 14: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/14.jpg)
www.geant.org
• An eduVPN operator can not identity an user alone
• Abuse can be traced to pseudonym when eduVPNinstance is using public IP adresses
• Pseudonym -> person requires collaboration of the originating NREN/IdP
Guest access and abuse redress in a privacy-by-design service
![Page 15: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/15.jpg)
www.geant.org
• Secure Internet: eduVPN instance gives access to the public Internet.• Possibility for guest access• Possibility for filtering for undesired traffic, services or content (e.g.
add-free profile implemented in Germany)• Privacy and security enhancing
• Institute access: eduVPN gives access to private resources• Stand-alone implementation• Managed service• Possibility for strong authentication• Profiles for different users/groups
The 2 uses of eduVPN
![Page 16: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/16.jpg)
www.geant.org
![Page 17: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/17.jpg)
www.geant.org
![Page 18: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/18.jpg)
www.geant.org
• Model currently implemented in the Netherlands
• eduVPN instance managed centrally by SURFnet
• Lightpath back to the private resource
• Support by SURFnet
• No need for hardware on campus or licensing limitations
eduVPN Institute Access as a Managed Service
![Page 19: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/19.jpg)
www.geant.org
• Service Positioning GÉANT• WireGuard support• Investigate other usecases, like server Mesh• New apps UI -> easier to use for non-tech users• Continue to support community• Continue eduVPN pilots
Future steps
![Page 20: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/20.jpg)
www.geant.org
Future app design (impression)
![Page 21: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/21.jpg)
www.geant.org
2014 2016 2017 2018
Involved Organisations
Started simple
VPN webservice
Client app development start.
SIDN fund co-fund the open-
source development.
NORDUnet sponsoring.
Vietsch foundation co-fund
easy-to-use apps.
RIPE Community fund co-fund
development. Software
Governance via Commons
Conservancy foundation.
AARNet, DeiC, NORDUnet,
GÉANT, SURFnet in board.
NLnet opened eduVPN fund.
eduVPN entered GÉANT
project
eduVPN software approved by
GÉANT. URAN, RENU, UNINETT
and DFN run eduVPN pilot.
![Page 22: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/22.jpg)
www.geant.org
![Page 24: eduVPN Safe and Trusted · •New apps UI -> easier to use for non-tech users •Continue to support community •Continue eduVPNpilots Futuresteps. Future app design (impression)](https://reader036.vdocuments.mx/reader036/viewer/2022071000/5fbc3213628cf40c643da4c2/html5/thumbnails/24.jpg)
www.geant.org
GDPR Compliance (extra slide)