An email received on March 10, 2023 has just upheld Cerritos College’s policy of blocking access to Virtual Private Networks, also known as VPNs. VPNs are a type of tool used that creates a “tunnel” between a computer and another trusted server, allowing the user to bypass any local restrictions on a network and have their connections appear to originate from somewhere else. They are commonly used for accessing local intranets, escaping content filters and censorship, and getting around restrictions on network access; for instance, Southeast Missouri State University (SEMO) provides its students with access to a VPN for when they need to circumvent blocks on protocols like SSH at the standard network level.
In her investigation into Cerritos College’s network, FM Amy Parker revealed that the Cerritos College network blocks many services. The two that were the focus of the investigation were SSH, a protocol used for remotely accessing other computers, and ICMP, a critical network information protocol. A reasonable solution for students would be to use a VPN; now, not everyone can afford one/set their own VPN up, so the college could have provided access to one for students for free, like SEMO. Instead, they completely block all of the major VPN protocols (L2TP/IPsec, OpenVPN, WireGuard, and SSH). This was included on FM Parker’s original report about the Department of Information Technology on January 23, 2023.
To clarify why they were blocked, and petition for their unblocking, she contacted Director of Information Technology Patrick O’Donnell via the Information Technology Helpdesk on February 27. (For the purposes of transparency and accountability, this was request #65845.)
Why are VPN protocols (OpenVPN, WireGuard, and L2TP/IPsec) blocked on the Cerritos College network?
Founding Member Amy Parker
It took ten days for O’Donnell to respond, even after a follow-up email had been sent. He gave a short response, and immediately closed the ticket afterwards:
We do not allow these items for security reasons. They bypass our firewalls.
Director of Information Technology Patrick O’Donnell
By closing the ticket, all communication effectively shut down; previous communications have shown that a closed ticket leads to no responses to further follow-up/clarification emails within the Department. FM Parker did send a follow-up email, directly CC’ing Director O’Donnell to ensure that it would be received. No response has been received at the time of publication.
How does bypassing the firewalls threaten the college’s security? And isn’t this just security through obscurity – forcing people who need access to services blocked by the college to use more unreasonable methods of accessing the internet?
Founding Member Amy Parker
This is a major problem for information access at the College. Given the censorship and tracking – which VP/AS of Business Services Felipe Lopez and President Jose Fierro have confirmed no meaningful information will be provided to students about – students need access to VPNs to protect their privacy, security, and ability to access services. Blocking VPNs – for no valid reason, as addressed above – only hurts students. It’s also security by obscurity; anyone can “bypass [the] firewall” by simply designing a new protocol to attack the college’s infrastructure.
The OIC opposes these attacks on the freedom of students in the strongest terms possible. It also supports the future development of “undetectable” VPN protocols like the ACC protocol, and encourages others to help contribute to such programs.
Monica Hanson