
Difference between FHCs and Meetinghouse Internet?

Posted: Tue Apr 21, 2009 10:22 pm
by kalebpederson
Our stake center has had internet access for quite some time since it was needed for our family history center. We had a PIX installed and the building was wired with CAT-5 cable at that time. If I understand correctly, we were among the first to have one of the PIXs and the internet filtering at that time was nearly unusable. Although I no longer have access to the PIX, I believe that part of the security restrictions were bypassed and that we have full access to the Internet.

What are the differences between the above setup and the Meetinghouse Internet? I can get to gambling.com, which I suppose is a valid test indicating that our PIX is not configured correctly; can anybody confirm this? Lastly, can anybody fill me in on sufficient details so I can keep following up until this is configured correctly?

Thanks.

--Kpederson

Posted: Tue Apr 21, 2009 10:38 pm
by aebrown
kpederson wrote: Our stake center has had internet access for quite some time since it was needed for our family history center. We had a PIX installed and the building was wired with CAT-5 cable at that time. If I understand correctly, we were among the first to have one of the PIXs and the internet filtering at that time was nearly unusable. Although I no longer have access to the PIX, I believe that part of the security restrictions were bypassed and that we have full access to the Internet.

What are the differences between the above setup and the Meetinghouse Internet? I can get to gambling.com, which I suppose is a valid test indicating that our PIX is not configured correctly; can anybody confirm this? Lastly, can anybody fill me in on sufficient details so I can keep following up until this is configured correctly?
Church policy requires that a firewall be installed and functioning for all Church computers connected to the Internet, whether in a FHC (typically using a PIX) or under the Meetinghouse Internet program (typically using an ASA firewall). This policy is for the protection of all users of these computers, the local leaders, and the Church.

Configuring the networking properly is the responsibility of the Stake Technology Specialist -- I don't know if that is your role or not. In any case, the STS should check out the network and make sure that the firewall is properly positioned between the cable/DSL modem and any computers. If not, the cabling should be adjusted to make that true. If the firewall is in the correct position, but is not providing filtering (and yes, trying to access gambling.com is a reasonable test for that), then that must mean that the firewall has been reconfigured locally in a way that disables the Church's standard filtering configuration. In that case, the STS should work with the Global Service Desk to get the firewall properly configured.

Posted: Wed Apr 22, 2009 12:27 am
by russellhltn
kpederson wrote: If I understand correctly, we were among the first to have one of the PIXs and the internet filtering at that time was nearly unusable.
While I've had a few run-ins with the firewall, it's never been serious. (And I've had the device before the PIX.) I've never felt that it was unreasonable. What kind of problems were you having?

As Alan stated, it's against policy to bypass the firewall.

Posted: Wed Apr 22, 2009 10:06 am
by kalebpederson
RussellHltn wrote: While I've had a few run-ins with the firewall, it's never been serious. (And I've had the device before the PIX.) I've never felt that it was unreasonable. What kind of problems were you having?
We contacted them and they indicated that the machines doing the filtering were running way beyond capacity. Hence, they were working correctly but not able to keep up.

--Kpederson

Posted: Wed Apr 22, 2009 10:09 am
by kalebpederson
Alan_Brown wrote: Configuring the networking properly is the responsibility of the Stake Technology Specialist -- I don't know if that is your role or not. In any case, the STS should check out the network and make sure that the firewall is properly positioned between the cable/DSL modem and any computers.
It's physically positioned correctly and handing out the private IPs / DNS information as it should. I believe that the filtering was disabled or an all-encompassing whitelist was dropped in. I'll follow up with our STS and stake president again.

Thanks.

--Kpederson

Posted: Wed Apr 22, 2009 1:03 pm
by jdlessley
kpederson wrote: It's physically positioned correctly and handing out the private IPs / DNS information as it should. I believe that the filtering was disabled or an all-encompassing whitelist was dropped in. I'll follow up with our STS and stake president again.

Thanks.

--Kpederson
??????????? If the Church-provided firewall was correctly installed there should be no access to it to disable the filtering or to add a whitelist. All of that is managed by a third-party system called WebSense. The only thing someone besides the GSD can do is bypass the device. Of course I am ruling out the possibility that someone has hacked the device.

Posted: Thu Apr 23, 2009 9:33 am
by kalebpederson
jdlessley wrote: ??????????? If the Church-provided firewall was correctly installed there should be no access to it to disable the filtering or to add a whitelist. All of that is managed by a third-party system called WebSense. The only thing someone besides the GSD can do is bypass the device. Of course I am ruling out the possibility that someone has hacked the device.
The stake technology specialists, which included myself at the time, were provided instructions that included the enable password for the PIX. So we did have full access to change it, including the remote management features. As I was released shortly thereafter, I'm not sure to what extent its configuration may have been changed.

--Kpederson

Posted: Thu Apr 23, 2009 11:37 am
by jdlessley
kpederson wrote: The stake technology specialists, which included myself at the time, were provided instructions that included the enable password for the PIX. So we did have full access to change it, including the remote management features. As I was released shortly thereafter, I'm not sure to what extent its configuration may have been changed.

--Kpederson
Some time ago units had the option of selecting the default failure mode of the filtering software of the PIX for internet access to either "full access" or "no access". That has been standardized to "no access". It is possible your PIX is set to "full access".

The best course of action is for the stake technology specialist to contact the GSD and have them check the configuration of the PIX. Even if someone has the capability to reconfigure the PIX (has the password) the management of the PIX is done at Church headquarters for a variety of reasons.
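
Added example (not part of the original thread, and not the Church's or GSD's tooling): a small audit of a saved PIX configuration for the three conditions raised above, namely filtering not configured at all, an all-encompassing exemption, and a "full access" failure mode. It assumes the failure mode corresponds to the `allow` keyword of the PIX `filter url` command and a whitelist to `filter url except`; the sample configurations and the 10.0.0.5 address are constructed.

```python
# Constructed sample configurations (not taken from any real device).
URL_SERVER = ("url-server (inside) vendor websense host 10.0.0.5 "
              "timeout 5 protocol TCP version 4\n")
FAIL_CLOSED = URL_SERVER + "filter url http 0 0 0 0\n"
FAIL_OPEN = URL_SERVER + "filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow\n"
EXEMPT_ALL = (URL_SERVER
              + "filter url except 0 0 0 0\n"
              + "filter url http 0 0 0 0\n")
NO_FILTER = "nat (inside) 1 0.0.0.0 0.0.0.0\n"

ANY = {"0", "0.0.0.0"}  # PIX accepts 0 as shorthand for 0.0.0.0


def audit_url_filtering(config: str) -> list[str]:
    """Return findings for a PIX config; an empty list means fail-closed filtering."""
    lines = [ln.strip() for ln in config.splitlines()]
    lines = [ln for ln in lines if ln and not ln.startswith("!")]
    findings = []

    # Without a url-server line the firewall has no filtering server to consult.
    if not any(ln.startswith("url-server ") for ln in lines):
        findings.append("no-url-server")

    rules = [ln.split() for ln in lines if ln.startswith("filter url ")]
    # A rule only enforces filtering if it is not an "except" exemption.
    if not any(r[2] != "except" for r in rules):
        findings.append("no-filter-rule")

    for r in rules:
        if r[2] == "except":
            # Exempting any-source to any-destination switches filtering off.
            if len(r) >= 7 and all(tok in ANY for tok in r[3:7]):
                findings.append("exempt-all")
        elif "allow" in r[7:]:
            # "allow": traffic passes unfiltered when the server is unreachable.
            findings.append("fail-open")
    return findings


if __name__ == "__main__":
    samples = {"fail-closed": FAIL_CLOSED, "fail-open": FAIL_OPEN,
               "exempt-all": EXEMPT_ALL, "no-filter": NO_FILTER}
    for name, cfg in samples.items():
        print(f"{name:12} -> {audit_url_filtering(cfg) or 'OK'}")
```
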

Posted: Tue Apr 28, 2009 4:27 pm
by elgaucho-p40
When trying to log in to http://new.familysearch.org I am blocked by the firewall. The regular familysearch.org site works fine as does the lds.org main site. Who is the right person to talk to in order to have new.familysearch.org whitelisted?

Posted: Tue Apr 28, 2009 4:40 pm
by aebrown
elgaucho wrote: When trying to log in to http://new.familysearch.org I am blocked by the firewall. The regular familysearch.org site works fine as does the lds.org main site. Who is the right person to talk to in order to have new.familysearch.org whitelisted?
The Stake Technology Specialist is responsible for all such issues in the stake. He should know what type of firewall is installed with what filtering level. He can consult with the Global Service Desk regarding specific problems.