Current through December 10, 2024
The following policies address connectivity into the state network from any entity that resides outside the state network. This includes third party entities' connectivity into the state network via both the public Internet and private circuits.
A. All connections from any entities (state or third party) that reside on the outside of the state network must be made via a virtual private network (VPN) connection using industry-standard IPSec or SSL protocols.

B. VPNs may be client-based or LAN-to-LAN based.
   1. Client-based VPNs are VPNs in which software (a client) is installed on a remote user's computer and a secure connection is made between that VPN client and a VPN-capable terminating device (e.g. VPN concentrator, firewall, router, server).
   2. LAN-to-LAN VPNs are VPNs that are created between a VPN-capable device on a third party network and a VPN-capable device on the state network.

C. For client-based VPNs, split tunneling must be disabled on any device (firewall, VPN concentrator, etc.) used to terminate VPNs inside the state network.
   1. Split tunneling is defined as having the ability to participate in a LAN while connected to the state network via VPN. To meet the requirement of disabling split tunneling, all network activity for the client PC must be redirected down the tunnel. Both listening services and browsing services must be redirected to the VPN so that no LAN activity can take place, regardless of whether it is initiated by the client PC or by another device on the LAN.
   2. Any device (including SSL VPN appliances) that cannot fully disable split tunneling while the tunnel is connected (as defined above) does not meet the requirements or intent of this security policy.

D. For both client-based and LAN-to-LAN VPNs, tunnels must be limited with access restrictions that are granular enough to restrict all inbound traffic to both IP addresses and specific TCP/UDP ports. The list of addresses and ports allowed must include only what is necessary for the applications used by the remote users.

E. ITS maintains Cisco VPN termination devices to establish client-based and LAN-to-LAN VPNs for access to resources on the state network.
   1. All LAN-to-LAN VPNs will be implemented using the IPSec protocol.
   2. Any third party entity that needs an inbound connection to the state network must provide and maintain a compatible industry-standard IPSec-capable VPN hardware/software solution at its end of the connection. VPNs must be addressed using public IP addresses registered to that entity, including the peer address and any networks at the third party that will be encrypted by the tunnel. The ITS side of the connection will adhere to the same requirements, but with the public IP addresses provided by ITS.
   3. Client-based VPNs may be implemented with IPSec or SSL.

F. At no time may an agency permit a third party entity to connect directly to its local area network behind the state's border firewall and/or the agency's firewall. This includes terminating third party circuits behind ITS and agency firewalls and/or utilizing a PC remote control product (unless approved in writing by ITS) via a dialup or Internet connection. This does not include remote support applications that require real-time interaction by the agency end user, such as Go To Assist and WebEx.

G. If an agency provides dial-in access to agency personnel, either via a remote access service or PC modem on its LAN or via an outsourced remote access service, the agency must implement a firewall to control access to and from the local area network by the dial-in users. The agency will be held responsible for any dial-in user who uses its facilities to access and manipulate or abuse any other facility.

H. All access to the state's network must be terminated immediately upon retirement, resignation, dismissal, end of contract, or any other action that signals that the requirements for having a connection are no longer being met.

I. At no time should any employee, vendor or account holder provide their login, user information or password to anyone. Employees, vendors or account holders are assigned individual accounts that must never be treated as shared accounts.

Miss. Code Ann. § 25-53-1 to § 25-53-25.
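As an added illustration of the access-restriction requirement in section D and the public-addressing requirement in section E.2, the following Python script audits a list of inbound tunnel permit rules and reports which ones fail either section. It is example code written for this page, not part of the policy and not ITS or Cisco code: the vendor-neutral rule format, the field names, the sample address ranges (IANA documentation blocks) and the sample ports are all assumptions. The "public address" test deliberately checks against RFC 1918, loopback and link-local space rather than Python's `is_global`, because the documentation ranges used in the sample data are not considered global by `ipaddress`.

```python
"""Audit LAN-to-LAN tunnel permit rules against policy sections D and E.2.

Constructed example with a hypothetical rule format; not ITS or vendor code.
"""
import ipaddress
from dataclasses import dataclass

# Address space that is not "public" in the policy's sense: RFC 1918,
# loopback and link-local. Checked explicitly (not via is_global) so that the
# documentation ranges used in the constructed sample data are accepted.
NON_PUBLIC = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
              "127.0.0.0/8", "169.254.0.0/16")
]


@dataclass(frozen=True)
class TunnelRule:
    """One inbound permit entry on a tunnel (hypothetical, vendor-neutral)."""
    remote_net: str   # third-party source network, e.g. "203.0.113.0/24" or "any"
    state_dst: str    # state-side destination, e.g. "198.51.100.10/32" or "any"
    proto: str        # "tcp", "udp" or "ip" (any protocol)
    port: str         # "443", "1433", or "any"


def _to_network(text):
    """Parse an address field; the keyword 'any' becomes 0.0.0.0/0."""
    spec = "0.0.0.0/0" if text.lower() == "any" else text
    return ipaddress.ip_network(spec, strict=False)


def _is_public(net):
    """True unless the network lies entirely inside a non-public block."""
    return not any(net.subnet_of(block) for block in NON_PUBLIC)


def check_rule(rule):
    """Return a list of policy findings for one rule (empty list = compliant)."""
    findings = []
    src, dst = _to_network(rule.remote_net), _to_network(rule.state_dst)

    # Section D: inbound traffic must be restricted to specific IP addresses.
    if dst.prefixlen == 0:
        findings.append("D: destination is 'any'; restrict to the addresses "
                        "the application needs")
    # Section D: ... and to specific TCP/UDP ports.
    if rule.proto.lower() not in ("tcp", "udp"):
        findings.append(f"D: protocol '{rule.proto}' does not limit traffic "
                        "to specific TCP/UDP ports")
    elif rule.port.lower() == "any":
        findings.append("D: port is 'any'; list only the ports the application needs")

    # Section E.2: both ends of a LAN-to-LAN tunnel use public IP addresses.
    if src.prefixlen == 0:
        findings.append("E.2: source is 'any'; the third party's encrypted "
                        "networks must be specific public addresses")
    elif not _is_public(src):
        findings.append(f"E.2: remote network {src} is not public address space")
    if dst.prefixlen != 0 and not _is_public(dst):
        findings.append(f"E.2: state-side destination {dst} is not public address space")
    return findings


def audit(rules):
    """Map each rule to its findings; rules with an empty list are compliant."""
    return {rule: check_rule(rule) for rule in rules}


# Constructed sample rule set: documentation address ranges, hypothetical ports.
SAMPLE_RULES = [
    TunnelRule("203.0.113.0/24", "198.51.100.10/32", "tcp", "443"),  # compliant
    TunnelRule("203.0.113.0/24", "any", "tcp", "443"),               # D: destination any
    TunnelRule("203.0.113.0/24", "198.51.100.10/32", "ip", "any"),   # D: no port limit
    TunnelRule("10.20.0.0/16", "198.51.100.20/32", "udp", "514"),    # E.2: RFC 1918 source
]

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        status = "OK  " if not findings else "FAIL"
        print(f"{status} {rule.remote_net} -> {rule.state_dst} "
              f"{rule.proto}/{rule.port}")
        for finding in findings:
            print(f"      - {finding}")
```

In practice the rule list would be exported from the terminating device rather than typed by hand; the value of the script is that it turns the two policy sentences into a repeatable check that can run before a tunnel is approved and again whenever its access list changes.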