LDSAccess Security Provisions

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
User avatar
carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK
Contact:

LDSAccess Security Provisions

Postby carljokl » Tue Feb 15, 2011 5:51 am

I was recently involved in having our local chapel family history centre wireless over to LDSAccess.

The ward family history consultant will want me to give her an overview on what security mechanisms are provided by LDS Access.

I am sorry if I am repeating what may have been covered on another thread (I have had a look at some of the existing threads but have not found exactly what I want to know).

The things I would like to know about in terms of security:

Does LDS Access have site filtering to protect against access to any inappropriate websites?

Related to this, if a user did attempt to access something which they should not does LDSAccess or any other related system keep a record of host names / mac addresses of the computer which accessed / tried to access the content?

Are there any other helpful mechanisms in place which we should be aware of?

The provision of Internet Access is a tricky thing to balance. I think the Ward Family History Centre is under used but that could well change given that some of our poorer members without internet access have been using the local library to access the internet for genealogy. The council has just announced they are going to close the library due to lack of money to keep it open. If it closes then these individuals will need to use the ward family history centre (which is what is is there for anyway but the library is open all day vs the local chapel needing someone with a key to open it and lock up).

Having LDSAccess will make things easier for the ward family history consultant when running training as a class can be run anywhere with wireless coverage and members with laptops can bring their own etc. The family history centre itself and MLS are connected via a wired connection. If there are big abuses of LDSAccess I know I at least have the option of disconnecting the wireless connection as the FHC and MLS don't use it.

It might also be beneficial to have access to the Internet for lessons where LDS online materials are used but whether that is done is the Bishop's decision and not mine. Is there a standard church policy regarding use of internet as part of classes or is that left to the local leaders to decide?
There are no problems, only solutions.

techgy
Community Moderators
Posts: 3174
Joined: Sun Jan 13, 2008 6:48 pm
Location: California

Postby techgy » Tue Feb 15, 2011 8:03 am

carljokl wrote:I was recently involved in having our local chapel family history centre wireless over to LDSAccess.

The ward family history consultant will want me to give her an overview on what security mechanisms are provided by LDS Access. The things I would like to know about in terms of security:

Does LDS Access have site filtering to protect against access to any inappropriate websites?

Related to this, if a user did attempt to access something which they should not does LDSAccess or any other related system keep a record of host names / mac addresses of the computer which accessed / tried to access the content?


LDS Access is a filtering configuration that basically only permits access to LDS sites. It's not too useful for Family History work as it's too limited. If all you're interested in is accessing the Church genealogy sites, then it might work. But, there are many other useful genealogy sites that LDS Access will not permit use of - Ancestry.com, Cindy's List and others just to mention a couple. I would recommend that you move to General Access for the family history center. This level of access provides a more open environment, while still maintaining some of the filtering necessary to keep your access under some control.

As to a log, I understand that the firewalls do keep a log, but I'm not sure how detailed it is. You wouldn't have access to the log in any event as access to the firewall is secured once it's configured.
Have you read the Code of Conduct?

User avatar
aebrown
Community Administrator
Posts: 14688
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Feb 15, 2011 8:44 am

carljokl wrote:Does LDS Access have site filtering to protect against access to any inappropriate websites?


First of all, it's important to distinguish between the wireless security and the filtering provided by the firewall.

  • LDSAccess is simply WPA2 wireless security access into the local network. As such, it has nothing to do with filtering.
  • The Church-managed firewall (a Cisco PIX 501 for older FHCs, a Cisco ASA 5505 for newer FHCs, and the Cisco 881W for brand-new installations) provides Internet filtering at one of three levels (just one level for the 881W). This filtering is in place regardless of whether you access the network via wireless or a wired connection.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

User avatar
carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK
Contact:

Postby carljokl » Tue Feb 15, 2011 9:30 am

The family history centre has been running traffic through the Cisco VPN unit (was a Pix 501 but that was replaced by a ASA 5505 when the Pix unit failed).

That being the case, whatever limiting or filtering being provided by the Cisco unit should not have changed.

The original system required the use of Odyssey client software to connect via the wireless. I have seen installations where Odyssey is also required regardless of whether the connection is wired or wireless. For whatever reason the wired network did not require the Odyssey client software in order to work.

The internet connection definitely goes via the Cisco unit first so it is not the case that the Cisco box is bypassed and the internet connection is coming direct from the router. The allocated IP Address are within the range which the Cisco box allocates and not the range the Router allocates. Still I am not sure that the connection was supposed to work without Odyssey but as this didn't present a problem at the time and internet access was confined to one room then I left it as it was.

I have used LDSAccess at two other locations, both of which have Institute outreach centres (which might account for the difference). Neither of these seemed to restrict to only Church sites. I know Facebook was/is accessible for example.

I don't know if there are different modes of LDSAccess filtering with some being more restrictive than others. I know that Outreach centres generally want to offer university students the ability to do university work at the outreach centre / institute building and in that case restricting to only Church sites would not work.

Is there a way to tell if the filtering is functioning correctly (besides trying to access inappropriate sites which obviously I don't want to do)?
There are no problems, only solutions.

User avatar
aebrown
Community Administrator
Posts: 14688
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Postby aebrown » Tue Feb 15, 2011 9:42 am

carljokl wrote:The family history centre has been running traffic through the Cisco VPN unit (was a Pix 501 but that was replaced by a ASA 5505 when the Pix unit failed).

That being the case, whatever limiting or filtering being provided by the Cisco unit should not have changed.


When the firewall was replaced, the filtering level may well have changed. Theoretically it would stay the same, but that's only if the GSD technician who configured it looked up the previous filtering level and scripted the new unit the same way. It's worth checking out.

carljokl wrote:The original system required the use of Odyssey client software to connect via the wireless. I have seen installations where Odyssey is also required regardless of whether the connection is wired or wireless. For whatever reason the wired network did not require the Odyssey client software in order to work.


The Odyssey client is only used for wireless connections; it is not in any way concerned with a wired connection. I can't imagine how you could have seen any installation where the Odyssey client affected a wireless connection.

carljokl wrote:The internet connection definitely goes via the Cisco unit first so it is not the case that the Cisco box is bypassed and the internet connection is coming direct from the router.


That's good -- it's definitely a requirement that all traffic go through the firewall.

carljokl wrote:I don't know if there are different modes of LDSAccess filtering with some being more restrictive than others.


Again, please note that there is no such thing as LDSAccess filtering. Filtering is at the firewall; LDSAccess is simply a wireless connection protocol.

The filtering methods are described in the wiki under legacy meetinghouse firewalls:

  • LDS Restricted Access
  • LDS Extended Access
  • General Access
Yes, the first two have the words "LDS" and "Access" in them, but that is an unfortunate coincidence -- they have absolutely nothing to do with LDSAccess.


carljokl wrote:Is there a way to tell if the filtering is functioning correctly (besides trying to access inappropriate sites which obviously I don't want to do)?


Actually, the documentation provided by the Church Meetinghouse Technology team on the wiki at Firewall actually recommends that you do exactly that. They propose using the site gambling.com, which I have been to (when my firewall was not filtering properly) and it is not offensive.
Questions that can benefit the larger community should be asked in a public forum, not a private message.

User avatar
carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK
Contact:

Postby carljokl » Tue Feb 15, 2011 10:01 am

I was going to suggest if there was a non-offensive site which could be used for testing. I hope also that if I test with gambling.com as suggested the family history consultant is not going to get a call from the Church to find out who is trying to access gambling sites from Church.

Also I will will correct my use of LDSAccess terminology in future. Perhaps LDS Firewall would we a better term to encompass the different firewall policies and technologies.
There are no problems, only solutions.

User avatar
carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK
Contact:

Odyssey

Postby carljokl » Tue Feb 15, 2011 10:04 am

I may have misunderstood about Odyssey and wired connections. I just remember seeing Odyssey client installed even on machines connected with a wired connection and I am fairly sure the application had a tab for wired connection though this may be because the application supports securing wired connections though the Church does not use that facility.
There are no problems, only solutions.

User avatar
carljokl
Member
Posts: 151
Joined: Fri Jun 20, 2008 11:09 am
Location: London, UK
Contact:

Postby carljokl » Tue Feb 15, 2011 12:51 pm

Gambling.com is blocked so I guess that means the firewall is working.
There are no problems, only solutions.

sjager
Church Employee
Church Employee
Posts: 6
Joined: Wed Feb 02, 2011 8:22 am

Postby sjager » Wed Feb 16, 2011 11:26 am

We use a layered approach to desktop security,The Firewall helps with protecting the desktop from intrusions and helps to block or allow network traffic. We also use additional tools for filtering to help protect against inappropriate content/use, as well as security risks. Church Headquarters is also tracking internet usage.

Hope this helps.

russellhltn
Community Administrator
Posts: 20734
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Postby russellhltn » Wed Feb 16, 2011 12:36 pm

sjager wrote:The Firewall helps with protecting the desktop from intrusions and helps to block or allow network traffic. We also use additional tools for filtering to help protect against inappropriate content/use, as well as security risks.


With the stake president's permission, I don't know of anything that would preventing adding MORE filtering. The only thing mandated is that the church firewall be the only thing that connects to the DSL/Cable modem.
Have you searched the Wiki?
Try using a Google search by adding "site:tech.lds.org/wiki" to the search criteria.


Return to “Meetinghouse Internet”

Who is online

Users browsing this forum: No registered users and 2 guests