Both LDS Restricted Access and LDS Extended Access in one building

Is it possible to have both access levels in one building? We already have LDS Extended Access for the Family History Center and would like to add LDS Restricted Access for the clerks.
We are currently running the Cisco PIX. I was told that the PIX is older and is only capable of Extended Access. The Cisco ASA is newer, but is only capable of running one or the other.
Has anyone found a way to run both levels? Has anyone added a second firewall on the Extended Access network? I thought of adding an inexpensive Linksys router behind the PIX and then creating a whitelist on the Linksys similar to the Restricted Access for the clerks.
Hopefully the question has already been addressed. Thanks.
- Oklahoma
- New Member
- Posts: 2
- Joined: Mon Oct 05, 2009 11:38 am
- Location: Oklahoma City, Oklahoma, USA
- aebrown
- Community Administrator
- Posts: 15153
- Joined: Tue Nov 27, 2007 8:48 pm
- Location: Draper, Utah
Oklahoma wrote:
Is it possible to have both access levels in one building? We already have LDS Extended Access for the Family History Center and would like to add LDS Restricted Access for the clerks.
We are currently running the Cisco PIX. I was told that the PIX is older and is only capable of Extended Access. The Cisco ASA is newer, but is only capable of running one or the other.

If you have a Cisco PIX in your FHC, then you almost certainly have a filtering level that is called General Access, which filters out bad sites, but is more permissive than LDS Extended Access. So I'm pretty sure it's not accurate to say that you "already have LDS Extended Access."
The Cisco ASA is capable of running any one of the three available access levels: General Access, LDS Extended Access, or LDS Restricted Access. Indeed, it can only be scripted to run one filtering level, as determined by the stake president.

Oklahoma wrote:
Has anyone found a way to run both levels? Has anyone added a second firewall on the Extended Access network? I thought of adding an inexpensive Linksys router behind the PIX and then creating a whitelist on the Linksys similar to the Restricted Access for the clerks.

The firewall will limit anything located behind the firewall, so of course you can't add more permissions through a second router or firewall. But you could add more restrictions with another router or firewall.
I've never heard of anyone putting an ASA behind the PIX. I'm not sure such a configuration is authorized; the policy seems pretty clear that only one firewall is authorized per building. But if you added another router for the subnet used by the clerk PCs, then you could indeed add additional restrictions for that subnet.
- Community Administrator
- Posts: 34421
- Joined: Sat Jan 20, 2007 2:53 pm
- Location: U.S.
Actually, since you have a FHC, the PIX should be running something closer to "General Access".
But, to answer your question, I don't know. I think it would require two firewalls connected to one modem. I'm not sure if the church is willing to go that route. You can try and concoct your own filtering system to place between the clerks and rest of the network.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.
So we can better help you, please edit your Profile to include your general location.
-
- Community Moderators
- Posts: 9860
- Joined: Mon Mar 17, 2008 12:30 am
- Location: USA, TX
There are multiple solutions to get one filtering level for the FHC and another for the clerk computers. Alan already has mentioned one where a second router is placed between the PIX and the clerk computers to add additional filtering. This router can incorporate two methods of filtering: a whitelist (or blacklist, or both, depending on router manufacturer and model) hosted on the router, or a web content filtering service such as OpenDNS. (Disclaimer: I am not connected in any way with OpenDNS, nor do I support it other than in suggesting it as one of several options for services similar to those offered by OpenDNS. You should do your own research and make your own decisions based on your own needs.) I think OpenDNS or similar web content filtering services would be easier to do and have greater options.
A second solution not requiring additional hardware is to filter at the computer. This is similar to the filtering done at the router, only tailored to each computer. The problem in doing this on a clerk computer is that you have to go to great lengths to lock down the computer to prevent users from making changes. This is because the everyday logon profile has administrator privileges. You could also use OpenDNS with each computer having its own configuration setup. In terms of additional cost there is none for the filtering at the computer. However, there is a great deal more work and above-average computer expertise required for this solution.
JD Lessley
Have you tried finding your answer on the ChurchofJesusChrist.org Help Center or Tech Wiki?
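The whitelist-on-a-second-router and DNS-filter options above both come down to the same decision: given a name a clerk PC asks for, is it on the allowed list? The block below is an added example (not from any poster, and not the configuration of any router or of OpenDNS) showing that decision implemented correctly, with the two details that make naive string matching fail: matching must be label-wise (so "evil-lds.org" does not match an "lds.org" entry) and raw IP literals must be denied, since a name-based filter never sees them. The allowlist entries, the client addresses, and the query log lines are all constructed for the example; the log lines imitate a dnsmasq-style "query[A] name from client" format only so there is something realistic to parse.

```python
"""
Allowlist decision logic for a clerk-PC subnet behind a second router.
Added example; not the configuration of any real router or filtering service.
"""
import ipaddress
import re

# Hypothetical allowlist for the clerk subnet.  Each entry is a suffix rule:
# it matches itself and any subdomain of it, label by label.
ALLOWLIST = ["lds.org", "churchofjesuschrist.org", "familysearch.org"]

# Constructed log lines in a dnsmasq-like format (not real traffic).
SAMPLE_QUERY_LOG = """\
Oct  5 11:38:01 dnsmasq[123]: query[A] www.familysearch.org from 192.168.2.10
Oct  5 11:38:02 dnsmasq[123]: query[A] clerk.lds.org. from 192.168.2.10
Oct  5 11:38:05 dnsmasq[123]: query[A] evil-lds.org from 192.168.2.11
Oct  5 11:38:07 dnsmasq[123]: query[A] lds.org.example.net from 192.168.2.11
Oct  5 11:38:09 dnsmasq[123]: query[A] 203.0.113.10 from 192.168.2.12
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")


def normalize(name: str) -> str:
    """Lower-case, drop the trailing dot, and IDNA-encode so a Unicode
    lookalike label is compared in its punycode form, the same way a
    resolver would see it."""
    name = name.strip().rstrip(".").lower()
    return name.encode("idna").decode("ascii")


def is_allowed(hostname: str, allowlist=ALLOWLIST) -> bool:
    """Label-wise suffix match against the allowlist.

    'www.lds.org' -> True, 'evil-lds.org' -> False, 'lds.org.example.net'
    -> False.  IP literals are denied outright: a DNS-based or name-based
    filter never sees them, so a policy that allowed them would be a hole.
    """
    try:
        ipaddress.ip_address(hostname.strip())
        return False
    except ValueError:
        pass  # not an IP literal; treat as a host name
    try:
        labels = normalize(hostname).split(".")
    except UnicodeError:
        return False  # malformed name (empty or over-long label): deny
    for entry in allowlist:
        suffix = normalize(entry).split(".")
        if len(labels) >= len(suffix) and labels[-len(suffix):] == suffix:
            return True
    return False


def classify_queries(log_text: str, allowlist=ALLOWLIST):
    """Parse query log lines and return (client, qname, allowed) tuples."""
    decisions = []
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        _qtype, qname, client = m.groups()
        decisions.append((client, qname, is_allowed(qname, allowlist)))
    return decisions


def denied_by_client(log_text: str, allowlist=ALLOWLIST):
    """Count denied lookups per client address; useful for spotting a PC
    that is probing outside the allowlist."""
    counts = {}
    for client, _qname, allowed in classify_queries(log_text, allowlist):
        if not allowed:
            counts[client] = counts.get(client, 0) + 1
    return counts


if __name__ == "__main__":
    for client, qname, allowed in classify_queries(SAMPLE_QUERY_LOG):
        print(f"{client:15} {qname:25} {'ALLOW' if allowed else 'DENY'}")
    print("denied per client:", denied_by_client(SAMPLE_QUERY_LOG))
```

One caveat that applies to the router-whitelist and OpenDNS approaches alike: a name-based filter only governs lookups that actually pass through it. A PC whose resolver setting is changed to an outside server, or that connects to an address directly, is not filtered, so the second router also needs to drop outbound DNS (port 53) and direct connections from the clerk subnet that do not go through the filter. That is the same point JD makes about having to lock the clerk computers down when filtering is done on the PC itself.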
- aebrown
- Community Administrator
- Posts: 15153
- Joined: Tue Nov 27, 2007 8:48 pm
- Location: Draper, Utah
Alan_Brown wrote:
...the policy seems pretty clear that only one firewall is authorized per building.

Just to give a reference on this, the Introduction to Meetinghouse Internet on clerk.lds.org says:

Please order one device for each broadband Internet connection.
NOTE: If a Church-managed firewall is currently used in a Church facility, the broadband connection should be shared among all units that are requesting broadband Internet access and are approved by the stake president.

So it seems clear that with only one connection per building and only one firewall per connection, there can be just one Church-managed firewall per building.
- Mikerowaved
- Community Moderators
- Posts: 4734
- Joined: Sun Dec 23, 2007 12:56 am
- Location: Layton, UT
Alan_Brown wrote:
So it seems clear that with only one connection per building and only one firewall per connection, there can be just one Church-managed firewall per building.

This is exactly the response I got from CHQ when I asked for a 2nd device for our stake center a while back. They are quite expensive, so they have a strict one-per-building rule.
So we can better help you, please edit your Profile to include your general location.
- Enigma1-p40
- New Member
- Posts: 41
- Joined: Fri Jan 09, 2009 9:59 am
- Location: Provo, Utah
- Oklahoma
- New Member
- Posts: 2
- Joined: Mon Oct 05, 2009 11:38 am
- Location: Oklahoma City, Oklahoma, USA
Thanks
Thanks for all the input. With this information, I think using the general meetinghouse Internet will work fine for our clerks.