wireless access policy for meeting house ?

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
Post Reply
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

#21

Post by The_Earl »

lajackson wrote:Well, this is a concern. I would not want to have folks trying to access inappropriate sites just to find out that websense on the PIX is not working. Is there a better way to know when websense gets knocked out?

Or is a reboot of the PIX after a thunderstorm a better way to go?
If your power is anything like mine, we get brownouts / glitches frequently that are not related to weather at all.

I don't think a manual restart is going to happen often enough, or quickly enough after a glitch to serve the purpose you need it to.

A small home or office UPS will run the router and modem for a long time, and should help them come back up after a power outage cleanly. They are pretty cheap. I would make the investment.

The Earl
Top
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

#22

Post by The_Earl »

jdlessley wrote:...After working with OTSS technicians we determined that power grid interruptions in the area cause momentary power loss, a second or less, which in turn cause faulty operation of the PIX. There is a program in the PIX called websense that provides the filtering. It can be knocked offline and the default for the PIX is to allow internet access rather than blocking internet access when websense is off line....
This is unacceptable. I do not understand how a network protection device could be set to 'fail safe' with access open? I am mostly ignorant of how PIX firewalls work, but how can something that sophisticated fail so easily?

If it is this easy to get around the filter inadvertently, how much easier is it to specifically target, especially now that the information is public.

Any Cisco gurus out there have any idea how to get a PIX to fail secure?

The Earl
Top
jdlessley
Community Moderators
Posts: 9923
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#23

Post by jdlessley »

The Earl wrote:This is unacceptable. I do not understand how a network protection device could be set to 'fail safe' with access open? I am mostly ignorant of how PIX firewalls work, but how can something that sophisticated fail so easily?

If it is this easy to get around the filter inadvertently, how much easier is it to specifically target, especially now that the information is public.

Any Cisco gurus out there have any idea how to get a PIX to fail secure?

The Earl
There is a switch, or a line of code, in the PIX that can either deny access to the internet when websense is off line or it can permit access. As it was explained to me they tried the 'deny access' route before and ended up with too many service calls to handle. This is a decision that GSD/OTSS has made based on experience. This line of code can be set at each PIX. It appears they are trying to maintain standardization to one setting. Maybe we can convince them to permit the local leadership to decide which default to set the PIX.

Just to explain further (as it was told to me by an OTSS technician), websense can be dropped off or knocked off line when the PIX has a memory overrun (not enough memory available to run websense). How this happens I don't know. Brief power interruptions appear to be able to cause this event to happen.
Top
Post Reply

Return to “Meetinghouse Internet”