Both LDS Restricted Access and LDS Extended Access in one building

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
Oklahoma-p40
New Member
Posts: 2
Joined: Mon Oct 05, 2009 10:38 am
Location: Oklahoma City, Oklahoma, USA

Postby Oklahoma-p40 » Mon Oct 05, 2009 10:55 am

Is it possible to have both access levels in one building? We already have LDS Extended Access for the Family History Center and would like to add LDS Restricted Access for the clerks.

We are currently running the Cisco PIX. I was told that the PIX is older and is only capable of Extended Access. The Cisco ASA is newer, but is only capable of running one or the other.

Has anyone found a way to run both levels? Has anyone added a second firewall on the Extended Access network? I thought of adding an inexpensive Linksys router behind the PIX and then creating a white-list on the Linksys similar to the Restricted Access for the clerks.

Hopefully the question has already been addressed. Thanks.

aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Mon Oct 05, 2009 11:03 am

Oklahoma wrote: Is it possible to have both access levels in one building? We already have LDS Extended Access for the Family History Center and would like to add LDS Restricted Access for the clerks.

We are currently running the Cisco PIX. I was told that the PIX is older and is only capable of Extended Access. The Cisco ASA is newer, but is only capable of running one or the other.

If you have a Cisco PIX in your FHC, then you almost certainly have a filtering level that is called General Access, which filters out bad sites, but is more permissive than LDS Extended Access. So I'm pretty sure it's not accurate to say that you "already have LDS Extended Access."

The Cisco ASA is capable of running any one of the three available access levels: General Access, LDS Extended Access, or LDS Restricted Access. Indeed, it can only be scripted to run one filtering level, as determined by the stake president.

Oklahoma wrote: Has anyone found a way to run both levels? Has anyone added a second firewall on the Extended Access network? I thought of adding an inexpensive Linksys router behind the PIX and then creating a white-list on the Linksys similar to the Restricted Access for the clerks.

The firewall will limit anything located behind the firewall, so of course you can't add more permissions through a second router or firewall. But you could add more restrictions with another router or firewall.

I've never heard of anyone putting an ASA behind the PIX. I'm not sure such a configuration is authorized; the policy seems pretty clear that only one firewall is authorized per building. But if you added another router for the subnet used by the clerk PCs, then you could indeed add additional restrictions for that subnet.

russellhltn
Community Administrator
Posts: 20767
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Mon Oct 05, 2009 11:06 am

Actually, since you have a FHC, the PIX should be running something closer to "General Access".

But, to answer your question, I don't know. I think it would require two firewalls connected to one modem. I'm not sure if the church is willing to go that route. You can try and concoct your own filtering system to place between the clerks and rest of the network.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.

jdlessley
Community Moderators
Posts: 6526
Joined: Sun Mar 16, 2008 11:30 pm
Location: USA, TX

Postby jdlessley » Mon Oct 05, 2009 12:24 pm

There are multiple solutions to get one filtering level for the FHC and another for the clerk computers. Alan already has mentioned one where a second router is placed between the PIX and the clerk computers to add additional filtering. This router can incorporate two methods of filtering: a white list (or blacklist, or both, depending on router manufacturer and model) hosted on the router, or a web content filtering service such as OpenDNS. (Disclaimer: I am not connected in any way with OpenDNS, nor do I support it other than in suggesting it as one of several options for services similar to those offered by OpenDNS. You should do your own research and make your own decisions based on your own needs.) I think OpenDNS or similar web content filtering services would be easier to do and have greater options.

A second solution not requiring additional hardware is to filter at the computer. This is similar to the filtering done at the router, only tailored to each computer. The problem in doing this on a clerk computer is that you have to go to great lengths to lock down the computer to prevent users from making changes. This is because the everyday logon profile has administrator privileges. You could also use OpenDNS with each computer having its own configuration setup. In terms of additional cost there is none for the filtering at the computer. However, there is a great deal more work and above average computer expertise required for this solution.
JD Lessley
Have you tried finding your answer on the LDS.org Help Center page or the LDSTech wiki?
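The two points made above (a second router behind the building firewall can only remove access for the clerk subnet, never add it, and that router can carry its own white list) are illustrated by this added example. It is not code from this thread or from any Church or Cisco product; the subnet, the blocked domain and the white-list entries are constructed sample values, and the upstream block list stands in for whatever the building firewall actually filters.

```python
import ipaddress

# Constructed sample policy, not the real Church filter lists.
# The single building firewall (PIX/ASA) filters every subnet in the building.
UPSTREAM_BLOCKED = {"badsite.example"}
# Assumed subnet for the clerk PCs, sitting behind the second (white-listing) router.
CLERK_SUBNET = ipaddress.ip_network("192.168.10.0/24")
# White list hosted on the second router; only the clerk subnet is subject to it.
CLERK_ALLOWLIST = {"lds.org"}


def _matches(host, domains):
    """True if host equals one of the domains or is a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def upstream_allows(host):
    """Decision of the building firewall, applied to every client in the building."""
    return not _matches(host, UPSTREAM_BLOCKED)


def second_router_allows(src_ip, host, allowlist=CLERK_ALLOWLIST):
    """Decision of the router placed between the firewall and the clerk PCs.

    FHC and other subnets are not behind this router, so it never affects them.
    """
    if ipaddress.ip_address(src_ip) not in CLERK_SUBNET:
        return True
    return _matches(host, allowlist)


def effective_decision(src_ip, host, allowlist=CLERK_ALLOWLIST):
    """A request succeeds only if every device on its path permits it.

    Because the results are ANDed, the inner router can narrow what the clerk
    subnet reaches but cannot restore anything the building firewall blocks,
    even if that site is put on the inner white list.
    """
    return upstream_allows(host) and second_router_allows(src_ip, host, allowlist)


if __name__ == "__main__":
    for ip, host in [("192.168.10.5", "www.lds.org"),
                     ("192.168.10.5", "familysearch.org"),
                     ("192.168.20.5", "familysearch.org")]:
        print(ip, host, "ALLOW" if effective_decision(ip, host) else "DENY")
```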

aebrown
Community Administrator
Posts: 14693
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Mon Oct 05, 2009 12:47 pm

Alan_Brown wrote: ...the policy seems pretty clear that only one firewall is authorized per building.

Just to give a reference on this, the Introduction to Meetinghouse Internet on clerk.lds.org says:

Please order one device for each broadband Internet connection.

NOTE: If a Church-managed firewall is currently used in a Church facility, the broadband connection should be shared among all units that are requesting broadband Internet access and are approved by the stake president.

So it seems clear that with only one connection per building and only one firewall per connection, there can be just one Church-managed firewall per building.

Mikerowaved
Community Moderators
Posts: 3132
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Postby Mikerowaved » Mon Oct 05, 2009 2:30 pm

Alan_Brown wrote: So it seems clear that with only one connection per building and only one firewall per connection, there can be just one Church-managed firewall per building.

This is exactly the response I got from CHQ when I asked for a 2nd device for our stake center a while back. They are quite expensive, so they have a strict one-per-building rule.
So we can better help you, please edit your Profile to include your general location.

Enigma1-p40
Church Employee
Posts: 41
Joined: Fri Jan 09, 2009 9:59 am
Location: Provo, Utah

Postby Enigma1-p40 » Wed Oct 14, 2009 10:28 am

This is correct. The Cisco ASA is roughly $500 a pop. Buildings are only allowed one Cisco firewall. It is also against policy to connect anything between the ISP modem and the Cisco firewall.

Any decisions as to what you will do with filtering need to be authorized by your Stake President.

Oklahoma-p40
New Member
Posts: 2
Joined: Mon Oct 05, 2009 10:38 am
Location: Oklahoma City, Oklahoma, USA

Thanks

Postby Oklahoma-p40 » Mon Nov 02, 2009 1:31 pm

Thanks for all the input. With this information, I think using the general meetinghouse Internet will work fine for our clerks.