New Internet Filter

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
paulscherbel
Church Employee
Posts: 29
Joined: Tue Dec 14, 2010 8:40 am
Location: U.S.

Re: New Internet Filter

Postby paulscherbel » Wed Mar 05, 2014 2:59 pm

lajackson wrote: My notice came via email, although I have no idea if that is because I am the STS or because I am subscribed to Tech messages at my LDS Account. For some reason I usually don't get messages sent to the STS (although I am shown as one), so I suspect the latter.


An explanation of how this works is available here. If it does not appear to be working as designed, please email mht@ldschurch.org.

paulscherbel
Church Employee
Posts: 29
Joined: Tue Dec 14, 2010 8:40 am
Location: U.S.

Re: New Internet Filter

Postby paulscherbel » Wed Mar 05, 2014 3:14 pm

WillClaridge wrote: I did receive the "Meeting House Internet Change" email discussed in this thread, but what is not outlined in the email, and what I didn't realize until speaking with GSC, is that zPath is a DNS-based filtering solution. DNS-based filtering is easy to subvert unless additional steps are taken to only allow specific DNS server IP addresses. This next step will be taken with zPath on March 9th, 2014. At that time only these two DNS servers will be permitted: 8.34.34.92 and 8.35.35.92. None of this was outlined in the email but is critical information to anyone who has configured their computers with static IP addresses, which also means you had to specify your DNS servers.


It is true that the plan is to eventually only allow Church-specified static DNS entries on devices connected to Meetinghouse Internet, and that devices connected to Meetinghouse Internet that have been set to use non-Church specified DNS servers will need to be changed to point to approved Church meetinghouse DNS servers or to obtain IP addressing information (including DNS) automatically. If devices do not have this set correctly, they may not function properly in the future.

Though we have been piloting this change in a limited number of meetinghouses, this change will likely not be pushed out worldwide for over a month, and only after additional testing and communications.
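An added example, not part of the original post or any Church tooling: a Python check that reads resolv.conf-style text from a statically configured Unix-like device and flags resolvers other than the two addresses quoted above. The function names and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress

# The two resolver addresses quoted in the thread as the only ones permitted.
APPROVED = {ipaddress.ip_address(a) for a in ("8.34.34.92", "8.35.35.92")}

# Constructed sample: a static configuration left over from an older setup.
SAMPLE = """\
search example.invalid
nameserver 8.34.34.92
nameserver 192.0.2.53   # constructed documentation address
nameserver 127.0.0.53
"""

def parse_nameservers(resolv_text):
    """Return the nameserver entries of resolv.conf-style text, in order."""
    servers = []
    for raw in resolv_text.splitlines():
        fields = raw.split("#", 1)[0].split(";", 1)[0].split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def audit(resolv_text):
    """Sort resolvers into ok (approved), local (loopback stub whose upstream
    must be checked separately), blocked (anything else) and invalid."""
    report = {"ok": [], "local": [], "blocked": [], "invalid": []}
    for entry in parse_nameservers(resolv_text):
        try:
            # Drop an IPv6 zone id such as "%eth0" before parsing.
            addr = ipaddress.ip_address(entry.split("%", 1)[0])
        except ValueError:
            report["invalid"].append(entry)
            continue
        if addr in APPROVED:
            report["ok"].append(entry)
        elif addr.is_loopback:
            report["local"].append(entry)
        else:
            report["blocked"].append(entry)
    return report

def needs_change(resolv_text):
    """True when at least one configured resolver is not on the approved list."""
    report = audit(resolv_text)
    return bool(report["blocked"] or report["invalid"])

if __name__ == "__main__":
    print(audit(SAMPLE), needs_change(SAMPLE))
```

A device that obtains its addressing automatically should receive approved resolvers from DHCP, so a non-empty `blocked` list points to a leftover static entry.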

Mikerowaved
Community Moderators
Posts: 3819
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

Re: New Internet Filter

Postby Mikerowaved » Wed Mar 05, 2014 4:25 pm

russellhltn wrote: As for the problems with DHCP, you need to be aware of them, and they can be fixed with a phone call.

When was the last time you called? Last time I tried (about 6 months ago), it was like pulling teeth to get the GSC person to agree to allocate additional IP addresses.
So we can better help you, please edit your Profile to include your general location.

russellhltn
Community Administrator
Posts: 28204
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New Internet Filter

Postby russellhltn » Wed Mar 05, 2014 4:55 pm

Mikerowaved wrote: When was the last time you called? Last time I tried (about 6 months ago), it was like pulling teeth to get the GSC person to agree to allocate additional IP addresses.


Less than two months ago.

I was told that if your maximum used was 85% or more, then they'd add more IPs.

Now, way back when, they seem to have had smaller IP pools and were probably having problems because that tends to chew up 3 IPs for every subdomain. Since then, I think they've adjusted to larger pools - at least for a baseline.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

JamesAnderson
Senior Member
Posts: 766
Joined: Tue Jan 23, 2007 2:03 pm

Re: New Internet Filter

Postby JamesAnderson » Thu Mar 06, 2014 8:07 pm

Looked up zPath on Google via k9safesearch.com (filtered search engine that works better than Safe Search modes on Google) and found no such thing as the 'zPath web filtering'. zPath is actually a library based on xPath, which is, from what I could tell, an XML library.

If it is a very new company, we're vulnerable, because it takes many years for a filter to capture the vast majority of domains on the web these days and get those all properly categorized in a way that minimizes false-positives. I use K9 at home, and the database that K9 uses was started in about 2000.

JamesAnderson
Senior Member
Posts: 766
Joined: Tue Jan 23, 2007 2:03 pm

Re: New Internet Filter

Postby JamesAnderson » Thu Mar 06, 2014 10:40 pm

I did a search for 'zShift' on Google (using k9safesearch.com) and came up with only one result for the Zscaler product, the rest were related to gaming and gamers and a BMW car using that name. This link tells more about zShift as we are discussing:

http://www.esecurityplanet.com/network- ... rises.html

It's a step in the right direction, especially on the DNS side of things that has been mentioned, and one really good thing it can do is that it can enforce Google Safe Search, but I found that K9 Safe Search actually performs better, as I have found links that look fishy do get through Google Safe Search but don't through K9 Safe Search.

aebrown
Community Administrator
Posts: 15119
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Re: New Internet Filter

Postby aebrown » Fri Mar 07, 2014 11:04 am

JamesAnderson wrote: Looked up zPath on Google via k9safesearch.com (filtered search engine that works better than Safe Search modes on Google) and found no such thing as the 'zPath web filtering'.

According to this post (earlier in this topic), zPath isn't the correct name anyway. It is from the company zScaler.

JamesAnderson wrote: If it is a very new company, we're vulnerable, because it takes many years for a filter to capture the vast majority of domains on the web these days and get those all properly categorized in a way that minimizes false-positives. I use K9 at home, and the database that K9 uses was started in about 2000.

zScaler is hardly a rookie in this space; it was founded in 2008 and has a mature platform that is heavily used and is highly regarded (see this Gartner report).

JamesAnderson
Senior Member
Posts: 766
Joined: Tue Jan 23, 2007 2:03 pm

Re: New Internet Filter

Postby JamesAnderson » Fri Mar 07, 2014 11:24 am

Thanks, both things are correct, Zscaler is no rookie, they've had their growing pains like anyone else though. But I find it odd that I can't find zPath used as a product name in search engine results though.

Since the Church migrated to Zscaler, there has actually been an improvement in performance when browsing behind the firewall, as the old solution we had, Websense, for whatever reason, seemed to slow down things slightly. Not in loading the sites visited, but in fetching the site in the first place.

The Gartner report is correct, it is highly regarded, I do see some news on them more regularly than I do some other security solutions, and it has made things much easier to use than most of the rest out there. Not everyone's perfect in network security, but they are doing things the right way and will succeed and be one of the top five players in network security and endpoint security in the end. And that's good for us over the time we'll be using it.

aebrown
Community Administrator
Posts: 15119
Joined: Tue Nov 27, 2007 8:48 pm
Location: Sandy, Utah

Re: New Internet Filter

Postby aebrown » Fri Mar 07, 2014 11:31 am

JamesAnderson wrote: But I find it odd that I can't find zPath used as a product name in search engine results though.

Those search engine results are not odd at all; zPath is not the name of a product from zScaler (the term "zPath" does not occur even one time on the zScaler.com website). What is odd is that anyone from ICS chose to use that incorrect name at all.

russellhltn
Community Administrator
Posts: 28204
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

Re: New Internet Filter

Postby russellhltn » Sun Mar 09, 2014 2:03 am

russellhltn wrote: Nothing about what changes that need to happen for machines running static IPs.

Be careful what you ask for. I got that email today. While it had the necessary information, it made it sound like every device that uses the network had to be checked, which could imply all the members' tablets, laptops and smart phones.
Have you searched the Help Center? Try doing a Google search and adding "site:churchofjesuschrist.org/help" to the search criteria.

So we can better help you, please edit your Profile to include your general location.

