Remote Access Device  Standard

Download the PDF version of the Remote Access User Standard.  PDF file

Standard Information

Responsible Offices

IT Security Office (ITSO)

Additional Information
Document Control Number

ITS.ITSO-STD007

Last Reviewed Date

3/14/2024

Applies To

This standard applies to ITS personnel who maintain the VPN system for George Mason University.

Purpose

This document lists the standards used to support the University’s VPN system.

Definitions

Remote Access Software: Examples include RDP and SSH: RDP is a remote access communications protocol available on MS Windows operating systems. Secure Shell is a remote access protocol typically used with Unix/Linux based operating systems.

Virtual Private Network (VPN): VPN is a remote access service that creates a secure tunneled connection between an internet user and a trusted network. A VPN is used to provide an additional layer of security for remote access or to provide a presence on an internal network.

Remote Access Device Standard

All remote access gateway devices shall meet the following requirements:

  1. VPN tunnels must use industry-standard strong encryption.
  2. VPN must prevent split tunneling, with an allowed exception for local network access.
  3. Active VPN sessions must time out after no more than 12 hours. Idle VPN sessions shall time out after no more than 60 minutes.
  4. Direct remote access to internal University network devices using any method other than the university enterprise VPN is prohibited unless an exception has been submitted, reviewed, and approved. Passwords shall, at a minimum, comply with the University’s password complexity requirement.

Exceptions

See exceptions and exemptions section in the University IT Security Standards: IT Security Standards – Information Technology Services (gmu.edu).

Timetable for Review

This standard will be reviewed every 2 years at minimum.

Revision History

VersionDateOrganization/AuthorDescription of Changes
2.06/26/2018IT Security OfficeUpdates
2.11/10/2020IT Security OfficeAnnual Review; Minor Revisions (reformatting)
2.22/15/2021IT Security OfficeAnnual Review; Minor Revisions (reformatting)
2.33/16/2023IT Security OfficeAnnual Review; Minor Revisions (reformatting and minor clarifications)
2.43/14/2024IT Security OfficeAnnual Review: Minor revisions to the definitions of virtual private network and remote access software have been made, along with clarification of standard requirement 4. Added exception statement.