Self-Maintenance VPN Agreement


SWAN employs a variety of methods to establish secure network connections with its member libraries in order to transmit patron, item, and checkout data through the shared Integrated Library System (ILS) and associated databases. To maintain consistency in the configuration of the network devices necessary to achieve these functions, SWAN was solely responsible for determining the appropriate security device and for configuring and managing that device for each individual member library. Presently, Dell SonicWALL firewalls are in place at each library to serve this purpose, and are deployed in a variety of models and configurations as necessary to suit the individual network needs of each library.

With dedicated library IT staff becoming more common in SWAN’s member library environments, it is possible, in certain situations, to maintain the same level of network security and stability while also allowing administration of the VPN/firewall devices by member library IT staff, independently from SWAN’s staff. For SWAN member libraries that wish to utilize their own contracted IT to manage their library network security and stability, this agreement outlines responsibilities should they wish to manage their VPN independent of SWAN.

By signing this document, you agree to the following terms relating to the operation of your library’s internal network and firewall equipment:

Library Liability for Security and Data Integrity

SWAN staff and affiliated parties are in no way responsible for any network breaches or data loss (including outages) that occur as a result of this agreement and the self-maintenance program. By signing this document, the library takes full responsibility for any and all damages incurred to its local network, the ILS, and associated member libraries in the event of a breach or outage, if determined to have been related to negligence of the library or contracted technical staff.

Separation of Externally-Facing Servers and Equipment

Servers/devices accessible from the Internet (email server, web server, DVR, etc.) should be placed in a network segment (or DMZ) with limited access to the network that has access to the SWAN VPN and servers. 

Separation of Patron and Staff Computers

No public computer should be able to access the SWAN network, with the exceptions being a self-check, reservation systems, or other systems approved by SWAN IT staff on a case-by-case basis.

VPN Encryption Parameters for Access to SWAN 

Parameters to establish the VPN tunnel to SWAN ILS servers will be selected in a configuration considered to be cryptographically secure by SWAN IT staff.  Authentication will be accomplished via pre-shared key (PSK) or a certificate provided by SWAN.

Hardware Utilized for VPN Connectivity

SWAN offers a recommended standard firewall appliance of Dell SonicWALL. We tailor specifications and specific SonicWALL models based on individual library need. While the firewall hardware must ultimately be approved by SWAN prior to purchase and implementation, libraries are not solely confined to the models and configurations offered by Dell SonicWALL. Self-maintaining libraries are permitted to seek hardware by other network vendors or even pursue virtualized solutions.

Troubleshooting of Connectivity Issues 

SWAN will maintain a backup of the aforementioned member library’s SonicWALL from the time administrative access was granted, but all future administration, maintenance, and troubleshooting of the SonicWALL hardware will be performed solely by the library’s IT staff. SWAN’s troubleshooting will be limited to ensuring VPN connectivity. 

Read-only SNMP for VPN Monitoring

So that SWAN can determine the root cause of network issues and ensure network stability, SNMP must be enabled and maintained over the SWAN VPN connection at all times.

Centralized Dell GMS Support 

Continued participation in the SWAN Global Maintenance Service (GMS) support is optional. Library IT staff should consider SWAN’s GMS as it allows for centralized backups and monitoring of the unit. Dynamic GMS support could also be extended to self-maintained library units, but the library would not be able to have the device in their individual MySonicWALL account. In this configuration, library staff would have to contact SWAN IT for updated firmware and other downloads.

This agreement may be revoked or terminated by SWAN administration or library administration at any time and for any reason if it has been determined that self-administration has been unsuccessful. At such a time, full access to the Dell SonicWALL or alternate equipment used for maintaining the SWAN VPN connection would be reinstated to SWAN IT staff, and the administering member library would relinquish responsibilities and control of the firewall unit to SWAN IT staff. Should an updated agreement become available, library administration and SWAN staff will be required to sign off on the updated agreement to maintain its integrity.

By signing this certification page, the SWAN member library’s administration signifies that he/she has read and understands the risks and challenges associated with self-maintenance of the SonicWALL / virtual private network. 

For questions and assistance, contact SWAN IT.

 

Please print this document for signing. Return to SWAN via scanned PDF to it@swanlibraries.net.

Library Name:

________________________

Library Administrator's Name (If Applicable):

________________________

Library Administrator's Signature:

________________________ Date: __________________

SWAN Administrator's Signature:

________________________ Date: ___________________
