ISO Position Paper
Position Title: Princeton Private Network Access
Position Audience: Princeton IT Professionals
Contact: Information Security Office: [email protected]
Position Release Date: June 9, 2021
System administration and direct access to critical infrastructure residing on Princeton’s Private
Network (PPN) is often necessary for the management and usage of services residing there.
However, the PPN was designed to be physically and logically separate from the general
campus data network (CDN). The University is unable to maintain the security of the PPN if it is
accessed through uncontrolled, unmanaged environments.
Ideally, the PPN is accessed through dedicated workstations residing solely on the PPN.
However, it is often necessary to access PPN through a machine which has network interfaces
on both the CDN and PPN (known as multi-homing). When this business requirement exists,
the multi-homed access should only be done through OIT managed bastion hosts protected by
multi-factor authentication. Bastion hosts should only be accessible from the campus network or
In addition, only centrally managed (by OIT) and hardened workstations should be allowed to
access University bastion hosts. Unmanaged or personally-owned workstations should not be
allowed to access bastion hosts in order to establish end-to-end trust.
Data classification: Public