Wireless distribution behind Church Managed Firewall

[rsamis-p40]

We have three FHCs in our stake buildings that all include wireless access that was installed by a contractor hired by the FM Group. When those networks were installed a few years ago, computers connecting by WiFi had to be running the Aegis wireless client. Since then, the Church has adopted the Odyssey client, although Aegis still works. I had the impression that Odyssey is the standard for WLANs in church buildings, but from the sound of this discussion, maybe not. Does anyone know where Odyssey fits into the picture?

[SheffieldTR]

As a stake you (the STS) just needs to call Global Service Desk and ask for them to push out the LDS ACCESS profile to those wireless access points. This will allow non-church owned computers to access the wireless network, after obtaining the WPA key.

As far as Odyssey goes, we are moving away from the requirement of having this program on the computer to access the network or Internet. Additionally, for example, an FM office that has wireless in a stake center does not have to use Odyssey once the stake has called and asked for the LDS Access profile to be pushed out to that location.


Open wireless is approved, if an industry standard security such as WPA or WPA2 is employed.

[russellhltn]

As a stake you (the STS) just needs to call Global Service Desk and ask for them to push out the LDS ACCESS profile to those wireless access points.

How does that work? Filtered at the firewall by the MAC address?

Otherwise I think we'd have to select a AP from an approved list to get that function.

[aebrown]

As a stake you (the STS) just needs to call Global Service Desk and ask for them to push out the LDS ACCESS profile to those wireless access points. This will allow non-church owned computers to access the wireless network, after obtaining the WPA key.

As far as Odyssey goes, we are moving away from the requirement of having this program on the computer to access the network or Internet. Additionally, for example, an FM office that has wireless in a stake center does not have to use Odyssey once the stake has called and asked for the LDS Access profile to be pushed out to that location.


Open wireless is approved, if an industry standard security such as WPA or WPA2 is employed.

Could you please clarify this?

We have a wireless network associated with our FHC in our stake center. This network was installed by a contractor hired by our FM group over a year ago, but we only recently connected clerk computers to it. At this point, we are required to have the Odyssey client, and can only connect church-owned computers.

If I understand you correctly, we can now ask the GSD to push the LDS ACCESS profile to our wireless network, and then we would have the ability to connect non-Church owned computers to that network. If this is true, where does the WPA key come from? Is that something that GSD provides for us after they push the LDS ACCESS profile?

I assume the stake president would set the policy as to who has access to the WPA key. It could certainly be useful for a bishopric or stake presidency member, a clerk, or an executive secretary. But the more people know the key, the more likely that it will be shared more broadly that is desired. Can the key be changed by the STS (or the GSD) so that the stake president can periodically make sure the key is known only by the right set of people?

Finally, are these questions answered in some policy document? If so, where? If not, it seems that it would be helpful for them to be written down somewhere official.

[russellhltn]

Could you please clarify this?

You have a system installed under the old policy. There's now a new policy where stakes have far more control. tsheffield was talking about the new system.

But your question of how to apply the new policy to old systems is valid.

As for something official, you can start here

[aebrown]

You have a system installed under the old policy. There's now a new policy where stakes have far more control. tsheffield was talking about the new system.

But your question of how to apply the new policy to old systems is valid.

As for something official, you can start here

I'm well aware of the new option, which is what you linked to, but that really doesn't apply to my situation. That document says "The Church-managed firewall device is required for all broadband Internet connections in Church facilities." That sounds like a broad statement that would apply to ALL broadband Internet connections, but the rest of the document seems to refer only to the new program (it mentions "selected stakes" and the 29 Feb 2008 letter). So I am left wondering if tsheffield's statement: "Open wireless is approved, if an industry standard security such as WPA or WPA2 is employed" applies to a wireless network installed under the old policy.

It seemed to me that tsheffield's statement included older systems, since he specifically referred to wireless networks currently using the Odyssey client. I guess I'll wait for his reply.

[SheffieldTR]

When I referred to the asking GSD to push out the new LDS Access profile I was talking about locations that have the church installed wireless Cisco AP’s. Sorry for not making that more clear. The WPA key will be given to the STS when this profile is pushed out (you might need to ask for it…) If it needs to be changed, for the time being, that will require another call to GSD. We hope to change this in the future.

Selected locations (that have received the authorizing notice from the Presiding Bishopric) are now authorized to install their own wireless if they choose to employ that technology. As mentioned it should utilize the WPA or WPA2 security and the key should be given out as the stake president determines appropriate. The stake can decide what hardware to use as long as they are WPA or WPA2 enabled. (No LDS Access profile can or will be pushed out to these devices.)

For further clarification, the Church-managed firewall is a broad reaching device and must should be used on ALL Broadband connections in meetinghouses. The Meetinghouse Internet program will be rolled out over the next number of months as the Presiding Bishopric dictate. Until your stake president receives this notice from the Presiding Bishopric they are not authorized to get broadband connections, as the rule. We are trying to move this forward as fast as possible because we know how much this will help everyone in their assigned duties. But there are also some constraints that need to be used so that everything can go smoothly.

Did that answer the questions that came up over the weekend?
Troy

[wadeburt]

We moved the Linksys WAPs out in front of the PIX and still whitelist them. Put the Clerk office printer on a USB connect to the MLS computer and gave the printer an IP on the network in front of the PIX so users may print to it. Everything on the Church network behind the firewall meets the security requirement, everything in front of the PIX is whitelisted.

In other buildings, we are just going hardwired. No access if they are not physically plugged in.

[SheffieldTR]

I have two concerns:

1)Putting the wireless routers in front of the firewall eliminates all of the filtering that we have done. If the policy was not clear before let me do so now, ALL internet traffic from a meetinghouse is to go through the Church-managed firewall.
2)My understanding is that Tennessee is not a part of the approved areas for this program right now. Why do you have Linksys hardware at all? Please explain…

[aebrown]

Did that answer the questions that came up over the weekend?

Yes, it did (at least for me ). I do appreciate the clarification, as your most recent message makes it clear that you are talking about the precise situation for my stake. We have an existing Cisco PIX as part of our FHC in our Stake Center, and Cisco WAPs that were installed under the direction of our FM group.

Thanks for taking the time to explain. I'll speak with my stake president to see if he wants to move forward with this.