Both LDS Restricted Access and LDS Extended Access in one building

Posted: Mon Oct 05, 2009 11:55 am
by Oklahoma-p40
Is it possible to have both access levels in one building? We already have LDS Extended Access for the Family History Center and would like to add LDS Restricted Access for the clerks.


We are currently running the Cisco PIX. I was told that the PIX is older and only is capable of Extended access. The Cisco ASA is newer, but is only capable of running one or the other.


Has anyone found a way to run both levels? Has anyone added a second firewall on the Extended Access network? I thought of adding an inexpensive Linksys router behind the PIX and then creating a white-list on the Linksys similar to the Restricted Access for the clerks.


Hopefully the question has already been addressed. Thanks.

Posted: Mon Oct 05, 2009 12:03 pm
by aebrown
Oklahoma wrote: Is it possible to have both access levels in one building? We already have LDS Extended Access for the Family History Center and would like to add LDS Restricted Access for the clerks.

We are currently running the Cisco PIX. I was told that the PIX is older and only is capable of Extended access. The Cisco ASA is newer, but is only capable of running one or the other.
If you have a Cisco PIX in your FHC, then you almost certainly have a filtering level that is called General Access, which filters out bad sites, but is more permissive than LDS Extended Access. So I'm pretty sure it's not accurate to say that you "already have LDS Extended Access."

The Cisco ASA is capable of running any one of the three available access levels: General Access, LDS Extended Access, or LDS Restricted Access. Indeed, it can only be scripted to run one filtering level, as determined by the stake president.
Oklahoma wrote: Has anyone found a way to run both levels? Has anyone added a second firewall on the Extended Access network? I thought of adding an inexpensive Linksys router behind the PIX and then creating a white-list on the Linksys similar to the Restricted Access for the clerks.
The firewall will limit anything located behind the firewall, so of course you can't add more permissions through a second router or firewall. But you could add more restrictions with another router or firewall.

I've never heard of anyone putting an ASA behind the PIX. I'm not sure such a configuration is authorized; the policy seems pretty clear that only one firewall is authorized per building. But if you added another router for the subnet used by the clerk PCs, then you could indeed add additional restrictions for that subnet.

Posted: Mon Oct 05, 2009 12:06 pm
by russellhltn
Actually, since you have an FHC, the PIX should be running something closer to "General Access".

But, to answer your question, I don't know. I think it would require two firewalls connected to one modem. I'm not sure if the church is willing to go that route. You can try and concoct your own filtering system to place between the clerks and the rest of the network.

Posted: Mon Oct 05, 2009 1:24 pm
by jdlessley
There are multiple solutions to get one filtering level for the FHC and another for the clerk computers. Alan already has mentioned one where a second router is placed between the PIX and the clerk computers to add additional filtering. This router can incorporate two methods of filtering: a white list (or blacklist, or both - depending on router manufacturer and model) hosted on the router, or a web content filtering service such as OpenDNS. (Disclaimer: I am not connected in any way with OpenDNS nor do I support it other than in suggesting it as one of several options for services similar to those offered by OpenDNS. You should do your own research and make your own decisions based on your own needs.) I think OpenDNS or similar web content filtering services would be easier to do and have greater options.

A second solution not requiring additional hardware is to filter at the computer. This is similar to the filtering done at the router, only tailored to each computer. The problem in doing this on a clerk computer is that you have to go to great lengths to lock down the computer to prevent users from making changes. This is because the everyday logon profile has administrator privileges. You could also use OpenDNS with each computer having its own configuration setup. In terms of additional cost there is none for the filtering at the computer. However, there is a great deal more work and above average computer expertise required for this solution.
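As an added illustration of the white-list approach described in the two posts above (a second router or DNS filter that blocks everything not on an explicit allow list), here is a small policy evaluator. It is example code written for this thread, not anything from the forum, the Church's firewall configuration or OpenDNS; the allow-list domains and query names are constructed placeholders, and the point it makes is that matching must happen on label boundaries, so a look-alike domain that merely ends in the same characters is still blocked.

```python
"""Allow-list (white-list) decision logic for a clerk subnet.

Added example, not from the forum thread. Models the second-router /
DNS-filter approach: every request is blocked unless the hostname is
on an explicit allow list. Domains below are constructed placeholders,
not a recommended policy.
"""

from __future__ import annotations


def normalize(name: str) -> str:
    """Lower-case a hostname and strip the trailing dot DNS clients may send."""
    return name.strip().lower().rstrip(".")


def is_allowed(hostname: str, allowlist: set[str]) -> bool:
    """True if hostname is an allow-list entry or a subdomain of one.

    Matching is done on label boundaries: 'not-lds.org' does NOT match an
    entry of 'lds.org', while 'www.lds.org' does.
    """
    host = normalize(hostname)
    if not host:
        return False
    labels = host.split(".")
    # Check the name itself and each parent domain: a.b.c -> a.b.c, b.c, c
    for i in range(len(labels)):
        if ".".join(labels[i:]) in allowlist:
            return True
    return False


def filter_queries(queries: list[str], allowlist: set[str]) -> list[tuple[str, str]]:
    """Evaluate a batch of DNS query names and return (name, decision) pairs."""
    return [(q, "ALLOW" if is_allowed(q, allowlist) else "BLOCK") for q in queries]


# Constructed sample allow list and query log (placeholders, not real policy).
CLERK_ALLOWLIST = {normalize(d) for d in ["lds.org", "example.org"]}
SAMPLE_QUERIES = [
    "www.lds.org.",    # subdomain of an allowed entry, with trailing dot
    "CLERK.LDS.ORG",   # case-insensitive match
    "not-lds.org",     # same suffix characters, but not a label boundary
    "example.com",     # not on the list at all
]

if __name__ == "__main__":
    for name, decision in filter_queries(SAMPLE_QUERIES, CLERK_ALLOWLIST):
        print(f"{decision:5} {name}")
```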

Posted: Mon Oct 05, 2009 1:47 pm
by aebrown
Alan_Brown wrote: ...the policy seems pretty clear that only one firewall is authorized per building.
Just to give a reference on this, the Introduction to Meetinghouse Internet on clerk.lds.org says:
Please order one device for each broadband Internet connection.

NOTE: If a Church-managed firewall is currently used in a Church facility, the broadband connection should be shared among all units that are requesting broadband Internet access and are approved by the stake president.
So it seems clear that with only one connection per building and only one firewall per connection, there can be just one Church-managed firewall per building.

Posted: Mon Oct 05, 2009 3:30 pm
by Mikerowaved
Alan_Brown wrote: So it seems clear that with only one connection per building and only one firewall per connection, there can be just one Church-managed firewall per building.
This is exactly the response I got from CHQ when I asked for a 2nd device for our stake center a while back. They are quite expensive, so they have a strict one-per-building rule.

Posted: Wed Oct 14, 2009 11:28 am
by Enigma1-p40
This is correct. The Cisco ASA is roughly $500 a pop. Buildings are only allowed one Cisco firewall. It is also against policy to connect anything between the ISP modem and the Cisco firewall.
Any decisions as to what you will do with filtering need to be authorized by your Stake President.

Thanks

Posted: Mon Nov 02, 2009 1:31 pm
by Oklahoma-p40
Thanks for all the input. With this information, I think using the general meetinghouse internet will work fine for our clerks.