General Access filtering

aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Wed Aug 13, 2008 12:22 pm

jdlessley wrote: There are only two types of filtering for CCNs. For family history centers the filtering is 'LDS Extended Access.'


While I agree with almost everything jdlessley said, the above statement is not accurate. Family History Centers typically have a different kind of filtering, which is neither LDS Extended Access nor LDS Restricted Access. What they actually have is called "General Access" and is considerably more lenient than LDS Extended Access.

This was discussed at length in the thread "LDS Extended Access is quite restricted" and if you look at this post, you will see a screen shot that shows the block message which specifies an access level of General Access.

Our stake center has a FHC with General Access filtering. Another building has the new ASA firewall with LDS Extended Access filtering, and its filtering is quite a bit more restrictive than the stake center's.

Since I do not know the details of every FHC configuration, I will certainly grant the possibility that there are some FHCs that use LDS Extended Access, but I have not heard of any, and I know of at least three FHC installations that use the General Access filtering.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Wed Aug 13, 2008 12:40 pm

Alan_Brown wrote: Family History Centers typically have a different kind of filtering, which is neither LDS Extended Access nor LDS Restricted Access. What they actually have is called "General Access" and is considerably more lenient than LDS Extended Access.

I have not seen that term, "General Access," used in any Church documentation. Can you give me a Church source? I am aware in the threads you refer to there is a noted difference between the 'LDS Extended Access' type found in FHCs and the type found for units installing their own access to the internet and using the firewall other than the Cisco PIX 501.

Based on Greggo's posts that mention two important pieces of information, I believe he is dealing with the FHC standard "LDS Extended Access" that has been in place before any changes that were promulgated as a result of the February internet access initiative.

"When I tap into the wireless network with my laptop, it is not restricted in any way, so the issue is only on the ward desktop computer."

and

"The wireless network was set up by the ward tech specialist at the request of the bishop back in Apr..."
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?

Postby jdlessley » Wed Aug 13, 2008 12:54 pm

Alan, I'm not trying to be contrary in the least. It is just I have not seen the term "General Access" before your post above. I will agree there are differences between the FHC filtering and the filtering associated with the ASA firewall.

I don't believe we ever found out what exactly the ASA firewall filtering restricts. I sure would like to know for future reference.

Postby aebrown » Wed Aug 13, 2008 12:55 pm

jdlessley wrote: I have not seen that term, "General Access," used in any Church documentation. Can you give me a Church source? I am aware in the threads you refer to there is a noted difference between the 'LDS Extended Access' type found in FHCs and the type found for units installing their own access to the internet and using the firewall other than the Cisco PIX 501.


I don't have any Church documentation that covers "General Access". But if you look closely at the thread I referenced, you will see an actual screen shot where the Cisco PIX in a FHC reports that the access level is "General Access"; you will also see actual screen shots where the Cisco ASA firewall in a new Meetinghouse Internet installation reports that the access level is "LDS Extended Access." This, along with the actual experience I mentioned (where different sites are blocked in these two installations), conclusively proves that there is a difference.

You refer to "LDS Extended Access type found in FHCs", but I see no justification for using the label "LDS Extended Access" for FHC filtering which itself reports the access level as "General Access" and which is substantially different from the other filtering that is clearly documented as (and reports itself as) "LDS Extended Access" as part of the Meetinghouse Internet program.

I assume the reason it is hard to find any Church documentation on General Access is that this type of filtering was installed many years ago under the direction of the Family History Department -- quite a different process than we follow now for administrative computers. I did the installation of the original Internet connection in our FHC using a SonicWall firewall, and also the replacement of that firewall with a Cisco PIX 501 a few years later. In neither case was there any background documentation -- I simply received installation instructions that said to connect these cables and run these programs.

Postby jdlessley » Wed Aug 13, 2008 12:59 pm

The only source of my use of the term LDS Extended Access comes from several technicians at GSD/OTSS who use that term in reference to the filtering at the FHC.

I will now use the differentiated terms for future posts.

Postby aebrown » Wed Aug 13, 2008 1:04 pm

jdlessley wrote: The only source of my use of the term LDS Extended Access comes from several technicians at GSD/OTSS who use that term in reverence to the filtering at the FHC.

I will not use the differentiated terms for future posts.


Thanks for the clarification, and also for a bit of a chuckle. Although the filtering at the FHC is certainly praiseworthy, I reserve my "reverence" for more spiritual things. :D

It would be nice to get some documentation that made all this clear. I also wish there were only two kinds of filtering; it doesn't seem that helpful to have three levels, particularly when one of them is not documented.

Postby jdlessley » Wed Aug 13, 2008 1:11 pm

If you can't laugh at yourself...

Also note that I changed the word 'not' to 'now'. You quoted before I could make the change.

Mikerowaved
Community Moderators
Posts: 3133
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Postby Mikerowaved » Wed Aug 13, 2008 6:02 pm

Here's a question I haven't seen tossed around yet. We currently have an older FHC in our Stake Center operating without a Cisco box. (Yeah, I know...) The administrative computers in the same building are still on dial-up. I have in front of me a Church-issued ASA 5505 that I will install there tomorrow, which will (of course) only affect the FHC computers. Saturday, we have a crew coming in that will lay CAT5e from the Cisco box to the 3 ward clerk's offices and the stake offices. I'm not the STS, but I've been asked to assist because of my background.

Here's my question... Would there be any problem in installing a 2nd firewall/router (like a Linksys, Netgear, D-Link, etc.) to put just the administrative PCs behind? My thinking is, with the right configuration it would not only allow us to isolate the administrative PCs from the FHC, but using the router's built-in filtering capability, we could further restrict the internet access of the administrative computers to something more like LDS Restricted Access. Not that we want to be draconian about the whole thing, but it would sure give us some flexible options to tighten things down should we start seeing abuse.
So we can better help you, please edit your Profile to include your general location.

Postby aebrown » Wed Aug 13, 2008 7:52 pm

Mikerowaved wrote: Here's a question I haven't seen tossed around yet. We currently have an older FHC in our Stake Center operating without a Cisco box. (Yeah, I know...) The administrative computers in the same building are still on dial-up. I have in front of me a Church-issued ASA 5505 that I will install there tomorrow, which will (of course) only affect the FHC computers. Saturday, we have a crew coming in that will lay CAT5e from the Cisco box to the 3 ward clerk's offices and the stake offices. I'm not the STS, but I've been asked to assist because of my background.

Here's my question... Would there be any problem in installing a 2nd firewall/router (like a Linksys, Netgear, D-Link, etc.) to put just the administrative PCs behind? My thinking is, with the right configuration it would not only allow us to isolate the administrative PCs from the FHC, but using the router's built-in filtering capability, we could further restrict the internet access of the administrative computers to something more like LDS Restricted Access. Not that we want to be draconian about the whole thing, but it would sure give us some flexible options to tighten things down should we start seeing abuse.


It's been made pretty clear that as long as the firewall sits between the Internet and the rest of the network, local units can configure the rest of the network as they see fit. In my Meetinghouse Internet implementation, I chose to install a router in addition to the firewall because I was instructed to provide wireless capability, and these days a router with wireless is about the same price as a wireless access point, so I decided I might as well get the extra flexibility.

The most relevant post I can find would be this one, where it is made clear that the selection of any networking is the responsibility of the stake:
tsheffield wrote: This program puts the costs of install and ongoing monthly on the budget of the stake, as well as the selection, cost and installation of any networking that the stake may choose to employ.

Postby Mikerowaved » Wed Aug 13, 2008 8:21 pm

Alan_Brown wrote: It's been made pretty clear that as long as the firewall sits between the Internet and the rest of the network, local units can configure the rest of the network as they see fit. In my Meetinghouse Internet implementation, I chose to install a router in addition to the firewall because I was instructed to provide wireless capability, and these days a router with wireless is about the same price as a wireless access point, so I decided I might as well get the extra flexibility.

The most relevant post I can find would be this one, where it is made clear that the selection of any networking is the responsibility of the stake:

Thanks Alan, that's pretty much what I thought. Yeah, I'll also be using several older "g" routers, but these will be configured strictly as WAPs and placed at strategic points around the building.