Re: VLAN Configuration

Posted: Tue Sep 24, 2019 9:40 pm
by AnthonyBowers
The admin computers are not exposed to the internet. To everyone on the WiFi in the same meetinghouse, yes. But that's not quite the same.
What about open and active network ports in the newer buildings? Or someone planting a device? A cellular device has access to the Internet. There are multiple vectors to attack from. I am not even close to listing all of the possible attacks public buildings present. Even my original question does not account for all possible attacks, just simple ones anyone who knows how to use Google can do.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 5:23 am
by harddrive
I hear your concerns and wonder why so many concerns about the security of what is basically a home network. Even if you put a VLAN on the router, it still knows about all the VLANs on it. It knows how to route between them. The one thing it wouldn't allow is a broadcast to the other VLANs. Even managed switches would do the same.

One thought that just crossed my mind is to have the wireless access based on user accounts, so that only a member of the church can gain access to the WiFi. This would cut down on people outside of the church getting onto the network.

Now I'm going to change from security to bandwidth through the firewall. A few weeks ago, I tested the connection speed and I was only getting 4 megabits/second download when I know that the Internet connection was 30 megabits per second. I checked it directly against the modem and I get 30 megs down.

I called the GSC and was told that there is a policy in place that states that there is a VLAN rate limit applied. I'm like, really? If that is true, then it is a lousy policy because each VLAN doesn't need to have a rate limit. We should be able to use the full bandwidth that we are paying for.

I would like to understand why this policy is in place and how I (we) can get it changed so that we can use the bandwidth. Don't tell me that it could saturate the link to the service provider, because it could, but with the rate limit, it is already being done. Could the rate limit help the FHC? Sure it could, but they are generally open during the week and not when the general church members are there.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 5:39 am
by drepouille
AnthonyBowers wrote:What about open and active network ports in the newer buildings?
The only open RJ-45 in my meetinghouse is on the podium, but I agree that many meetinghouses have open RJ-45 jacks in the library and in other public areas. In the absence of a managed switch, we could simply unplug all unused connections from the unmanaged switch. Granted, that would not prevent someone from unplugging, say, the library copier, and using that port for their own devices.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 6:32 am
by Biggles
harddrive wrote: One thought that just crossed my mind is to have the wireless access based on user accounts, so that only a member of the church can gain access to the WiFi. This would cut down on people outside of the church getting onto the network.
A few years back, this was a proposal that was looked at. At the time I believe it was discarded because it was rather complicated to set up. Things of course have changed since then and I suppose it might be revisited. However, I wouldn't hold my breath.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 11:17 am
by russellhltn
Biggles wrote:
harddrive wrote: One thought that just crossed my mind is to have the wireless access based on user accounts, so that only a member of the church can gain access to the WiFi. This would cut down on people outside of the church getting onto the network.
A few years back, this was a proposal that was looked at. At the time I believe it was discarded because it was rather complicated to set up.
As I recall, it would have required installing a certificate on each user's device. An impractical workload for the local STS.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 11:27 am
by russellhltn
AnthonyBowers wrote:What about open and active network ports in the newer buildings? Or someone planting a device? A cellular device has access to the Internet.
Why would someone go to that level of effort? What are they hoping to gain? For someone who doesn't know the church, that's a lot of effort for an unknown payoff.

If they are targeting something of the church, it seems like a phishing email to a bishop or clerk to hijack their Church Account credentials would be far more rewarding. Such an attack could be launched by anyone from anywhere in the world, unlike an attack that would require them to be at least within WiFi range.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 12:26 pm
by AnthonyBowers
harddrive wrote:I hear your concerns and wonder why so many concerns about the security of what is basically a home network. Even if you put a VLAN on the router, it still knows about all the VLANs on it. It knows how to route between them. The one thing it wouldn't allow is a broadcast to the other VLANs. Even managed switches would do the same.
Well, the first mistake is considering a church building a home network. It is a small business network. It should be equivalent to the network of a chain restaurant. The point of a VLAN is to separate broadcast domains. Broadcast domains are all the possible IP addresses that can be assigned on a subnet (192.168.0.0/24 = 192.168.0.0-192.168.0.255; 192.168.0.0/18 = 192.168.0.0-192.168.63.255). It would be like yelling in your home to see who is there. VLANs split large networks into smaller networks while using the same network equipment, causing all inter-network traffic to go to the router/firewall where access rules are set.
harddrive wrote:One thought that just crossed my mind is to have the wireless access based on user accounts, so that only a member of the church can gain access to the WiFi. This would cut down on people outside of the church getting onto the network.
The easier option is to add a guest or second network with a password (client isolation for public use) on a separate VLAN, and set a really long password for the main wireless network that ward and stake leaders have.
harddrive wrote:I called the GSC and was told that there is a policy in place that states that there is VLAN rate limit applied.
They probably have it in place for QoS reasons (bad implementation).
russellhltn wrote:
AnthonyBowers wrote:What about open and active network ports in the newer buildings? Or someone planting a device? A cellular device has access to the Internet.
Why would someone go to that level of effort? What are they hoping to gain? For someone who doesn't know the church, that's a lot of effort for an unknown payoff.
Why would someone sniff wireless traffic in a cafe or restaurant? Credit card information, general browsing data, emails, passwords, etc. It is all potentially valuable information.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 3:28 pm
by harddrive
I know what a VLAN is and what its function is. I misspoke that a church network is like a home network; however, the VPN that is on the firewall is only for management, and no other traffic, except for an FHC or the facility network, goes across it. Everything goes directly to the Internet.

In my book, adding extra VLANs actually complicates things. You would need a separate switch for each VLAN, just like I had to do for my FHC that runs through the same firewall. You would have to know which switch goes to which subnet, and then if someone comes in to troubleshoot an issue and doesn't know the setup, they could do something to bring down the entire network. Also, unless you want to be in the calling of Stake Technology Specialist for the rest of your life, the next person will need to know the setup. Also, the church has dumbed down the system so much that I feel like I'm a tier 1 dummy instead of the tier 4 engineer I am professionally. So basically, reboot and it comes up great; if not, call GSC to see what is going on.

Also, the only reason that I can see for a VLAN rate limit is so that each VLAN gets an equal share. In the large organization that I work for, there is no VLAN rate limit. So if it isn't done in a large organization, then why do it in a small environment?

The principle of KISS is what is needed. It makes life so much better.

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 5:49 pm
by AnthonyBowers
harddrive wrote:I know what a VLAN is and what its function is.
harddrive wrote:In my book, adding extra VLANs actually complicates things. You would need a separate switch for each VLAN, just like I had to do for my FHC that runs through the same firewall. You would have to know which switch goes to which subnet, and then if someone comes in to troubleshoot an issue and doesn't know the setup, they could do something to bring down the entire network.
Router on a stick was the topology I was thinking. 1 router, (at least) 1 switch, and (at least) 1 wireless access point. The router controls all of the subnets. The beauty of VLAN trunking from the router to the switch is that it is 1 cable capable of supplying 1000+ subnets. You then use the switch to control which port gets which VLAN (ex: 100 = public {192.168.100.1/20}, 200 = clerk ward 1 {192.168.200.0/24}, 205 = clerk ward 2 {192.168.205.0/24}) and then you can use unmanaged switches past that switch in each clerk office if you need more ports or have another need. This model is very simple. If you have the router in a clerk's office, you can utilize one or all of the remaining router ports. How many devices are in your clerk offices? The point of this model is to have most if not all traffic run through the firewall.
I can make it even simpler, 1 VLAN for public traffic, 1 VLAN for church devices and management.
harddrive wrote:Also, the church has dumbed down the system so much that I feel like I'm a tier 1 dummy instead of the tier 4 engineer I am professionally.
What is the difference between the church configuring 2+ network devices vs. 3+? You only add 1 additional page of instructions on what plugs into which port (BTW: the same documentation as the router for its different ports). The church can set it up however they want; they are controlling all of the devices anyway.
harddrive wrote:The principle of KISS is what is needed. It makes life so much better.
And that is why there are zero locks on people's homes.
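The two posts above both reason about broadcast domains as address ranges (the /24 and /18 examples) and about a router-on-a-stick plan that maps VLAN IDs to subnets (100, 200, 205). The script below is an added example, not code from the thread or from any of the posters: it takes such a plan, computes the actual network, first and last address and usable host count for each VLAN (including an interface-style string like 192.168.100.1/20, whose network is 192.168.96.0/20), and checks the plan for the mistakes that typically bite later: host bits set in a CIDR, duplicate or out-of-range VLAN IDs, use of the default VLAN 1 for user traffic, and overlapping subnets. The VLAN names and addresses are taken from the plan quoted in the post; the `POST_PLAN` constant and the function names are this example's own.

```python
"""VLAN / subnet plan checker.

Added example (not from the forum thread). Given a list of VLAN -> subnet
assignments, report each broadcast domain's real range and flag planning
errors before the plan is typed into a router or switch.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Vlan:
    vlan_id: int
    name: str
    cidr: str  # as written in the plan; host bits are tolerated but flagged


# Plan quoted in the post (VLAN IDs and subnets as the poster wrote them).
POST_PLAN = [
    Vlan(100, "public", "192.168.100.1/20"),
    Vlan(200, "clerk ward 1", "192.168.200.0/24"),
    Vlan(205, "clerk ward 2", "192.168.205.0/24"),
]


def broadcast_domain(cidr: str) -> Tuple[str, str, str, int]:
    """Return (network, first address, last/broadcast address, usable hosts).

    strict=False accepts an interface-style string such as 192.168.100.1/20
    and reports the network it actually falls in (192.168.96.0/20).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    # /31 and /32 have no separate network/broadcast addresses (RFC 3021).
    hosts = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return (str(net), str(net.network_address), str(net.broadcast_address), hosts)


def check_plan(plan: List[Vlan]) -> List[str]:
    """Return a list of human-readable issues; an empty list means the plan is clean."""
    issues: List[str] = []
    seen_ids = set()
    nets = []
    for v in plan:
        tag = f"VLAN {v.vlan_id} ({v.name})"
        if not 1 <= v.vlan_id <= 4094:
            issues.append(f"{tag}: VLAN id outside the valid 802.1Q range 1-4094")
        if v.vlan_id == 1:
            # Most switches put every unconfigured port in VLAN 1; keep user traffic off it.
            issues.append(f"{tag}: VLAN 1 is the default/native VLAN on most switches; avoid it for user traffic")
        if v.vlan_id in seen_ids:
            issues.append(f"{tag}: duplicate VLAN id")
        seen_ids.add(v.vlan_id)

        iface = ipaddress.ip_interface(v.cidr)
        net = iface.network
        if iface.ip != net.network_address:
            issues.append(f"{tag}: {v.cidr} has host bits set; the network is actually {net}")
        nets.append((tag, net))

    # Pairwise overlap check: two VLANs sharing addresses breaks routing between them.
    for i, (tag_a, net_a) in enumerate(nets):
        for tag_b, net_b in nets[i + 1:]:
            if net_a.overlaps(net_b):
                issues.append(f"{tag_a} {net_a} overlaps {tag_b} {net_b}")
    return issues


if __name__ == "__main__":
    for v in POST_PLAN:
        net, first, last, hosts = broadcast_domain(v.cidr)
        print(f"VLAN {v.vlan_id:<4} {v.name:<14} {net:<20} {first} - {last}  ({hosts} usable hosts)")
    for issue in check_plan(POST_PLAN):
        print("WARNING:", issue)
```

Run against the quoted plan, the checker reports no overlaps but warns that 192.168.100.1/20 has host bits set and actually denotes 192.168.96.0/20 (192.168.96.0 through 192.168.111.255); the /24 subnets for the two clerk VLANs come back unchanged. The same script accepts any plan, so it can be rerun each time a VLAN is added to catch an overlap before the trunk is reconfigured.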

Re: VLAN Configuration

Posted: Wed Sep 25, 2019 6:40 pm
by russellhltn
AnthonyBowers wrote:Why would someone sniff wireless traffic in a cafe or restaurant? Credit card information, general browsing data, emails, passwords, etc. It is all potentially valuable information.
Seems like a church would be a comparatively poor place to sniff. But now you're moving away from threats to the admin computers.

But it seems the underlying issue is cost. As best as I can find, the church has 15,174 wards in North America alone. Even if we assume that there's an average of 3 wards per building, that's still over 5,000 buildings. It quickly adds up to a pretty penny.