ISO Position Paper
Position Title: Princeton Private Network Access
Position Audience: Princeton IT Professionals
Contact: Information Security Office: [email protected]
Position Release Date: June 9, 2021
Problem Statement
System administration and direct access to critical infrastructure residing on Princeton’s Private
Network (PPN) is often necessary for the management and usage of services residing there.
However, the PPN was designed to be physically and logically separate from the general
campus data network (CDN). The University is unable to maintain the security of the PPN if it is
accessed through uncontrolled, unmanaged environments.
ISO Position
Ideally, the PPN is accessed through dedicated workstations residing solely on the PPN.
However, it is often necessary to access the PPN from a machine that has network interfaces
on both the CDN and the PPN (known as multi-homing). When this business requirement exists,
multi-homed access should be permitted only through OIT-managed bastion hosts protected by
multi-factor authentication. Bastion hosts should be reachable only from the campus network or
the VPN.
Additional Information
In addition, only centrally managed (by OIT) and hardened workstations should be allowed to
access University bastion hosts. Unmanaged or personally owned workstations should not be
allowed to access bastion hosts, so that end-to-end trust can be established.
Data classification: Public