Wireless access policy for meeting house?


Postby The_Earl » Sun Jun 15, 2008 5:06 pm

lajackson wrote: Well, this is a concern. I would not want to have folks trying to access inappropriate sites just to find out that websense on the PIX is not working. Is there a better way to know when websense gets knocked out?

Or is a reboot of the PIX after a thunderstorm a better way to go?
If your power is anything like mine, we get brownouts / glitches frequently that are not related to weather at all.

I don't think a manual restart is going to happen often enough, or quickly enough after a glitch to serve the purpose you need it to.

A small home or office UPS will run the router and modem for a long time, and should help them come back up after a power outage cleanly. They are pretty cheap. I would make the investment.

The Earl


Postby The_Earl » Sun Jun 15, 2008 5:13 pm

jdlessley wrote: ...After working with OTSS technicians we determined that power grid interruptions in the area cause momentary power loss, a second or less, which in turn causes faulty operation of the PIX. There is a program in the PIX called websense that provides the filtering. It can be knocked offline and the default for the PIX is to allow internet access rather than blocking internet access when websense is off line....
This is unacceptable. I do not understand how a network protection device could be set to 'fail safe' with access open? I am mostly ignorant of how PIX firewalls work, but how can something that sophisticated fail so easily?

If it is this easy to get around the filter inadvertently, how much easier is it to specifically target, especially now that the information is public?

Any Cisco gurus out there have any idea how to get a PIX to fail secure?

The Earl


Postby jdlessley » Sun Jun 15, 2008 9:19 pm

The Earl wrote: This is unacceptable. I do not understand how a network protection device could be set to 'fail safe' with access open? I am mostly ignorant of how PIX firewalls work, but how can something that sophisticated fail so easily?

If it is this easy to get around the filter inadvertently, how much easier is it to specifically target, especially now that the information is public?

Any Cisco gurus out there have any idea how to get a PIX to fail secure?

The Earl
There is a switch, or a line of code, in the PIX that can either deny access to the internet when websense is off line or it can permit access. As it was explained to me they tried the 'deny access' route before and ended up with too many service calls to handle. This is a decision that GSD/OTSS has made based on experience. This line of code can be set at each PIX. It appears they are trying to maintain standardization to one setting. Maybe we can convince them to permit the local leadership to decide which default to set on the PIX.

Just to explain further (as it was told to me by an OTSS technician), websense can be dropped off or knocked off line when the PIX has a memory overrun (not enough memory available to run websense). How this happens I don't know. Brief power interruptions appear to be able to cause this event to happen.
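
An added example, not part of the thread and not OTSS tooling: in PIX software the fail-open choice discussed above is the `allow` keyword on the `filter url` command, which passes HTTP traffic when the filtering server does not respond; without it that traffic is blocked until the server is back. The Python script below audits a saved configuration for that keyword. The sample configurations, addresses and function names are constructed for illustration.

```python
# Constructed sample configs (documentation addresses, not from a real device).
FAIL_OPEN_CFG = """\
url-server (inside) vendor websense host 192.0.2.10 timeout 5 protocol TCP version 1
filter url except 10.1.1.5 255.255.255.255 0.0.0.0 0.0.0.0
filter url http 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 allow
"""
FAIL_CLOSED_CFG = FAIL_OPEN_CFG.replace(" allow\n", "\n")
NO_FILTER_CFG = "url-server (inside) vendor websense host 192.0.2.10\n"


def audit_url_filter(config_text):
    """Return (line_number, verdict, line) for every 'filter url' rule."""
    results = []
    for n, raw in enumerate(config_text.splitlines(), 1):
        tokens = raw.split()
        # Rule shape: filter url <port|except> <ip> <mask> <ip> <mask> [options]
        if tokens[:2] != ["filter", "url"] or len(tokens) < 7:
            continue
        if tokens[2] == "except":
            verdict = "exempt"        # hosts excluded from filtering entirely
        elif "allow" in tokens[7:]:
            verdict = "fail-open"     # traffic passes if the filter server is down
        else:
            verdict = "fail-closed"   # traffic is blocked if the filter server is down
        results.append((n, verdict, raw.strip()))
    return results


def summarize(config_text):
    """Overall posture: 'unfiltered', 'fail-open' or 'fail-closed'."""
    has_server = any(l.split()[:1] == ["url-server"]
                     for l in config_text.splitlines())
    verdicts = [v for _, v, _ in audit_url_filter(config_text) if v != "exempt"]
    if not has_server or not verdicts:
        return "unfiltered"           # no server defined or no rule sends traffic to it
    return "fail-open" if "fail-open" in verdicts else "fail-closed"


if __name__ == "__main__":
    for name, cfg in [("fail-open sample", FAIL_OPEN_CFG),
                      ("fail-closed sample", FAIL_CLOSED_CFG),
                      ("no-rule sample", NO_FILTER_CFG)]:
        print(f"{name}: {summarize(cfg)}")
        for n, verdict, line in audit_url_filter(cfg):
            print(f"  line {n}: {verdict:<11} {line}")
```

Run against a configuration backup, a `fail-open` result means an outage of the filtering service silently removes filtering, which is the condition the posts above describe.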

