I work in a large private residence hall at a major university. Our network is part of the larger network, but we control only the subnets attached to the university router. They control the router.
At present, our network and the university's are pretty wide open. We all have public IPs.
Our administrative staff comprise an organizational unit within a campus-wide Windows domain.
We will soon be installing a residence hall management system that will contain personal data of our residents, and we have to come up with a security solution.
The simplest approach I've considered is to put our servers behind a router and limit traffic with ACLs. I am not very familiar with ways this might be defeated, such as spoofing an IP.
Additionally, more and more of our staff are requesting to work from home. Presently, they connect to their Windows machine using Remote Desktop. We have no real control over their home machines.
We have a small staff and not much budget this year, so a state-of-the-art firewall/VPN concentrator is not going to happen soon.
Any thoughts appreciated.