Managing the Firewall

[jjensenba-p40]

Does the firewall have a guie interface?

Does this firewall use a black list? A white list? Or the firewall has the option to do both?

Can ithe firewall be localy managed to add or remove sites upon the requests of the stake president?

[ccmichaelson-p40]

The firewall (web filter)l is managed by Church HQ. There are two modes - restricted (only lets you get to church owned websites) and one that's less restricted (blocks porn and such).

I've posted similar questions and I was told that wards, stakes, or even Church HQ does not have the ability to add/remove URL's/websites to a white or black list. It's been quite painful for me and it's the reason I'm switching from LDS restricted to less restricted.

[techgy]

The firewall (web filter)l is managed by Church HQ. There are two modes - restricted (only lets you get to church owned websites) and one that's less restricted (blocks porn and such).

I've posted similar questions and I was told that wards, stakes, or even Church HQ does not have the ability to add/remove URL's/websites to a white or black list. It's been quite painful for me and it's the reason I'm switching from LDS restricted to less restricted.

The Global Service Desk controls to some degree the filtering that's used for each level of the firewall. The restricted level operates primarily by a set of URL's that are what you may call as a white list. Only those sites are accepted, which are primarily those in the lds.org domain.

The Extended Access level operates on a category basis. Web sites are given a category depending upon what they have in regards to content. Categories that are not accepted are obviously blocked.

The decision as to which filtering level to employ is up to the stake president as he's ultimately responsible for the meetinghouse internet in the stake/wards.

If you choose to switch to the Extended Access then the stake president must approve it. The call to the GSD (global service desk) is then made by the Stake Technology Specialist who will then request a rescripting of the firewall.

[jdlessley]

Does the firewall have a guie interface?

Yes. The Church uses two adaptive security devices (essentially a firewall and router and referred to in Church documents as the Church managed firewall) - the Cisco 501 PIX and the Cisco 5505. Cisco no longer produces the 501 and it is found in older installations such as family history centers established before 2008. Any new installations will utilize the 5505. The 5505 can be configured using the command-line interface. It can also be configured and monitored by using ASDM (Adaptive Security Device Manager), a web-based GUI (Graphical User Interface) application. When the 5505 is deployed and installed in accordance with Church instructions and activated you will no longer have access to either of the interfaces as they are password protected. During the activation process the 5505 will be appropriately scripted for your needs. Any changes must be accomplished by contacting the GSD (Global Service Desk).

Does this firewall use a black list? A white list? Or the firewall has the option to do both?

The 5505 has the capability to restrict access to categories of sites, specific domains, or specific URLs (black list) as well as to limit access only to specific domains or URLs (white list) as Techgy and ccmichaelson explained. See the Introduction to Meetinghouse Internet on the Clerk and Technology Support web site for a description. The web security gateway software (or in this case firmware) used to accomplish the filtering is Websense.

Can ithe firewall be localy managed to add or remove sites upon the requests of the stake president?

The Church manages the security and filtering. The stake president determines which of the two levels of filtering, LDS Extended Access or LDS Restricted Access, will be used at each location with a Church managed firewall and the STS works with the GSD to implement it. There are other threads in the forums discussing various aspects of the filtering and requesting changes.

[ldsrussp]

Church is also offering a third tier that is even less restrictive. Basically it seems to be equivalent to the filtering that the Family History centers receive. We will choose that for most buildings simply because we want to make sure no BYU content is blocked.

[danpass]

Church is also offering a third tier that is even less restrictive. Basically it seems to be equivalent to the filtering that the Family History centers receive. We will choose that for most buildings simply because we want to make sure no BYU content is blocked.

In our stake we have 2 PIX 501 devices configured with the usual FHC level of filtering. Our other two buildings have the newer ASA 5505 devices, which were initially configured with extended access filtering. The extended filtering seemed to allow access to all the sites we needed. When we started training our stake membership for the switch to nFS a few months ago in FH Sunday School classes and FH firesides, we encountered very inconsistant behavior with regard to being able to access new FS and labs FS. As I worked with the GSD to resolve these problems, we were eventually offered the option of switching to general access filtering (with Stake President approval). I was told by the GSD agent that general access on the 5505 was the same as the filtering used at FHCs. Switching to general access has resolved the issues that we were having and now all the buildings in our stake have the same level of filtering.

[Mikerowaved]

We appreciate those who have posted about the availability of a "General Access" level for the ASA. Unfortunately, the availability of this new access level seems to be based solely on who you are speaking with at GSD. I hope this is something that is soon corrected.

[shane_p-p40]

Who controls the "categories" and how does a Web site receive a "Category?" If a site is blocked as "unknown" what is the process required to resolve that?

[aebrown]

Who controls the "categories" and how does a Web site receive a "Category?" If a site is blocked as "unknown" what is the process required to resolve that?

A third party called Websense controls the categorization. To request that an uncategorized site be categorized or to request a change in category, send an email to: suggest@websense.com.

You can see a list of the current categories at http://www.websense.com/content/URLCategories.aspx.

The stake president determines the filtering level for a given firewall, and then the Global Service Desk sets that level. Exactly what categories and sites and other criteria are part of a filtering level is not documented precisely, but the levels are documented in Introduction to Meetinghouse Internet on clerk.lds.org. In addition to the two levels mentioned there, a third level called General Access is also possible, which matches the filtering used in most Family History Centers.

[shane_p-p40]

Thanks Alan,

I jumped the gun with my question.. this thread was the first link that game up under Google while searching for my question.. And, after following a few links around, found the answer..

Thanks for not slapping me with a link to the search function..