Wireless access with LDS Account

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

#21

Post by harddrive »

matthewehle wrote:I would say that for right now, you shouldn't expect this to be as secure as something like a home or corporate network using WPA encryption. This will be more like a public network with a captive portal, like a hotel or airport. In fact, I believe we are using a vendor that provides solutions for those types of organizations. Therefore, people on the network should treat this just as they would any public Wifi (running a basic firewall and making sure that sensitive information is being passed over SSL/TLS).

Matthew, I have been to a few hotels and as far as I know, you can't do anything, including access to local devices, without first logging in. I will have to check a few things out at a hotel in the area. I have one across the street from where I pick up the bus and I can see about IP address and other things.

I would like to help out on that project if I can. My background is network engineering.

Thanks for keeping us updated on this.
russellhltn
Community Administrator
Posts: 34499
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#22

Post by russellhltn »

harddrive wrote:I have been to a few hotels and as far as I know, you can't do anything, including access to local devices without first logging in.

It may depend on the hotel. Can you get to their reservation site without logging in?
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

#23

Post by harddrive »

RussellHltn wrote:It may depend on the hotel. Can you get to their reservation site without logging in?

Russell, I didn't even try and didn't think about it. I will have to test with my iPod this afternoon or another day, while waiting on the bus.
busman
New Member
Posts: 20
Joined: Wed Sep 01, 2010 9:16 am
Location: Gresham Oregon USA

Issues I see

#24

Post by busman »

Our stake tries to do the "church way" of things. After years doing this calling and listening to SL, here is what I expect the solution SL will have for universal wireless internet access will look like:
* Must use Cisco wireless firewall from FM
* The current "one size fits all" passcode will go away.
* All users must use LDS logon or Family Search logon if not a member - no exceptions.
* MLS computers will have to either not share or password protect their shares.
* Printers will best be connected directly to a PC, not open on the network. An exception may be in the FHC.
* There will be no "open" access to the internet - everything will be subject to the church filters.
* SL will continue to monitor inappropriate internet attempts and alert stake presidents of excessive attempts. These alerts will include the user's logon.

Although I was told that the solution should be ready by eoy 2011, I doubt that will happen, particularly if there is another piece of hardware to place in the path to the internet.
aebrown
Community Administrator
Posts: 15153
Joined: Tue Nov 27, 2007 8:48 pm
Location: Draper, Utah

#25

Post by aebrown »

busman wrote:Must use Cisco wireless firewall from FM

We've received quite clear communication to the contrary -- the solution will work even with the older firewalls that have no wireless capability. For the rest, we'll just have to wait and see.
Questions that can benefit the larger community should be asked in a public forum, not a private message.
MatthewEhle
New Member
Posts: 16
Joined: Fri Aug 12, 2011 2:07 pm
Location: Riverton, Utah

#26

Post by MatthewEhle »

busman wrote: * All users must use LDS logon or Family Search logon if not a member - no exceptions.

I believe that access is generally restricted to members, but there are provisions for guest access. The guest will have to be "sponsored" by a member, and I think there will need to be some kind of approval by a ward or stake leader. Guests will still need an LDS Account with a verified email address, but they will be allowed a period of grace time to create an account and verify the email address.
Matthew Ehle
Access Management Engineer
russellhltn
Community Administrator
Posts: 34499
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#27

Post by russellhltn »

busman wrote:Must use Cisco wireless firewall from FM
Change that to "Must use Cisco firewall from FM" and we'd be in agreement. Note that's current policy now, so nothing new.
busman wrote:The current "one size fits all" passcode will go away.
Yes, the wireless will be open.
busman wrote:All users must use LDS logon or Family Search logon if not a member - no exceptions.
I'm hearing that some sites will be "open". Perhaps lds.org, familysearch, etc. However, you may want to log into the site anyway.
busman wrote:MLS computers will have to either not share or password protect their shares.
They should be doing that now. I'd strongly advise not to share anything from a WinXP box. You end up sharing the entire C drive for those who know how to access it. I believe Win7 is much better in that respect.
busman wrote:Printers will best be connected directly to a PC, not open on the network. An exception may be in the FHC.
I don't see why that would be a problem. I might be a bit more concerned about MFPs that have internal hard drives. Who knows what you could find if you could hack into them. But at this point I think that's a rather speculative threat.
busman wrote:There will be no "open" access to the internet - everything will be subject to the church filters.
That should be the way it is now.
busman wrote:SL will continue to monitor inappropriate internet attempts and alert stake presidents of excessive attempts. These alerts will include the user's logon.
Maybe. Certainly the use of logins gives the leaders information for effective followup action.
harddrive
Senior Member
Posts: 501
Joined: Thu Jan 03, 2008 7:52 pm

#28

Post by harddrive »

busman wrote: * Must use Cisco wireless firewall from FM
If this is the case as most people have said, I have 4 buildings that I would have to get rid of either PIX or an ASA firewall. The ASA firewalls have been received in the last year.
busman wrote: * The current "one size fits all" passcode will go away.
That is what is being said, which can be a good thing, but also bad. It's a good thing because we can track where each user is going. Also because it may force more people to get an LDS Account. It can be a bad thing because it can allow people to surf the net while they are in Sunday meetings and not paying attention to the speaker/teacher.
busman wrote: * MLS computers will have to either not share or password protect their shares.
If the password to even get onto the wireless to gain access to the network is done correctly then I don't see why the shares should be a problem. The shares should be password protected even now. This way no one can get access to the computer with MLS.
busman wrote: * Printers will best be connected directly to a PC, not open on the network. An exception may be in the FHC.
I don't see why printers can't be directly connected to the network using IP based printing. In order for anyone to print, they must have the drivers installed on their computer, know the IP address/share name to even get access to print. I currently have the stake printer connected to the network and it makes the job for the stake clerk and executive secretary much easier because they don't have to contest for a single printer.
busman wrote: * There will be no "open" access to the internet - everything will be subject to the church filters.
What will be different? Currently any connection behind a church firewall is filtered.
busman wrote: * SL will continue to monitor inappropriate internet attempts and alert stake presidents of excessive attempts. These alerts will include the user's logon.
That is terrific because it could show a habit that may need to be addressed.
busman wrote: Although I was told that the solution should be ready by eoy 2011, I doubt that will happen, particularly if there is another piece of hardware to place in the path to the internet.
I feel like it will be implemented when it is ready and not before. You don't put anything out until it is ready. If it is past EOY 2011 then so be it. You never put anything out until it is ready, unless there is a huge overrun in money or something like that. You make it right before it goes to production.
MatthewEhle
New Member
Posts: 16
Joined: Fri Aug 12, 2011 2:07 pm
Location: Riverton, Utah

#29

Post by MatthewEhle »

I talked with project management a little earlier today, since I had been out of the loop with some of the new developments. Someone else will be creating a new post to clarify the project, but let me just summarize it here.

The LDS Tech article about the meetinghouse internet should not have been written, or at least should have been better worded. The LDS Account authentication portion of meetinghouse internet will be completed sometime in 2012, not necessarily at the very beginning. As stated in the article, it is still expected that wireless internet will be out to 85% of the meetinghouses by the end of the year, but it will be no different than what is already installed in other meetinghouses. The article was confusing to me as well, as it implied that the LDS Account portion is projected to be done at the same time. That was cleared up in my last discussion with the PM.
Matthew Ehle
Access Management Engineer
russellhltn
Community Administrator
Posts: 34499
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#30

Post by russellhltn »

harddrive wrote:it can be a bad thing because it can allow people to surf the net while they are in Sunday meetings and not paying attention to the speaker/teacher
Anyone with a smartphone or a tablet with a data plan can do that now. Not to mention diversions that require no data connections such as games. If that's a problem, leadership needs to come up with a better plan than restricting access to WiFi.
harddrive wrote:If the password to even get onto the wireless to gain access to the network is done correctly then I don't see why the shares should be a problem. The shares should be password protected even now. This way no one can get access to the computer with MLS.
The problem is that on an XP machine, anytime you share, you create a hidden share of the hard drive. Anyone with an IT background knows how to use it - if they have an admin-level password to the machine. And we ALL know an admin-level password into admin computers. That is why I advocate NO sharing by XP machines. Win7 may be a bit more secure, but I'd still be careful about sharing anything on the hard drive.

harddrive wrote:I don't see why printers can't be directly connected to the network using IP based printing. In order for anyone to print, they must have the drivers installed on their computer, know the IP address/share name to even get access to print.
More to the point, what can a bad guy do with a printer? I can think of some things that would be infuriating, but I'm not so sure about "harmful".