Wireless distribution behind Church Managed Firewall

[MarchantRR]

Something like RADIUS could take care of both. I know that Linksys wireless routers with upgradeable firmware will do RADIUS authentication, but I believe they have to talk to a separate RADIUS server since the box isn't powerful enough to run it.

I don't know if there is some SOHO / Commercial gear that will do routing, RADIUS and wireless all in the same box, but that would be real cool.

l

This is not a recommendation ... but some may be interested in the technical discussion ... The Cisco Access Points (IOS 1200 series) that we previously deployed as part of the Field Office CCN deployment has local RADIUS server functionality. This allowed for 802.1x (RADIUS) security with just a single piece of hardware (no external RADIUS server) and was one of the primary reasons why we deployed Cisco wireless hardware a few years ago. Incedently, the local radius sever on the cisco AP's only supported a few 802.1x authentication methods (Cisco LEAP, etc) ... and this is one of the reasons why we deployed a 3rd party client.

Anyway, with new WPA and WPA2 security options you can have a secure wireless network even without 802.1x (Radius) authentication. As I indicated in a previous post, if you use a really good pre-shared key (search for my previous post) ... your wireless network can still be secure without radius authentication.

[MarchantRR]

What I'd like to see is some way to lock things to LDS only but allow broader access via a login. That would give broader access to those who need it. Also I'd like to see a way to limit "LDS only" in a building that shares it's access with a FHC (which needs normal access).

Exactly ... ... having a default "LDS only" policy with the option of authenticating for broader access is ultimately where we would like to be. There are challenges with this, but I personally think we can get there at some point.

[russellhltn]

Exactly ... ... having a default "LDS only" policy with the option of authenticating for broader access is ultimately where we would like to be.

I'm glad to hear that's the direction things are going (or at least trying to).

[MarchantRR]

To be a bit argumentative, then why bother to go to the lengths they do to secure the wireless portion?

I agree with RussellHltn observations about the proximity and physical security differences between wired and wireless. It's much easier to connect to an open wireless network from the parking lot than going into the facility and finding an open wired port. Here's another difference to think about ...

The issue of eavesdroping (sniffing traffic). Although data on a wired network is unencrypted it's much more difficult to eavesdrop (particularly if a switch rather than a hub is used) than on a wireless network. If an open wireless network is used all of the data is unencrypted and it's very easy for anyone with a wireless card to eavesdrop. After all, open wireless networks broadcast there data packets over the air and just hope that the intended destiantions nodes are the only ones paying attention. So there is a significant risk that someone could eavesdrop an open wireless network and see private information such as website usernames and passwords, email's, etc. In my view, this is a significant risk with wireless network and is reason enough to never use an open wireless network.

[Mikerowaved]

I agree with RussellHltn observations about the proximity and physical security differences between wired and wireless. It's much easier to connect to an open wireless network from the parking lot than going into the facility and finding an open wired port.

OK, I will concede the point that open wireless is a larger security risk than wired access.

Here's another difference to think about ...

The issue of eavesdroping (sniffing traffic). Although data on a wired network is unencrypted it's much more difficult to eavesdrop (particularly if a switch rather than a hub is used) than on a wireless network.

For the average person, that's probably true. However, depending on the network equipment used, often simple ARP poisoning techniques can allow a hacker to inspect and/or modify packets intended for another machine giving him a distict advantage over simply evesdropping on a wireless LAN from the parking lot.

Sniffing packets is just one advantage of being allowed on a wired LAN, but this is not the right forum for discussing hacking techniques, so I will refrain from going into more detail. Suffice it to say, a wired port in an uncontrolled area is something that should be avoided, unless you have some sort of authentication challenge to machines that plug in there.

I guess I look at things, not from the aspect of how secure most of it is, but rather, how insecure part of it is.

[aebrown]

First, a facility that the church has previously installed broadband Internet to support an official Family HIstory Center, Facilities Management Office, Employment Resouce Center, etc. As other's have indicated, this installation was initiated and cordinated by the church through the facilities manager. In all cases, a church managed firewall was installed, and frequently a wireless network was also installed (Cisco AP's).

• Clerk PC's are now authorized to share previously installed CCN connections.
• You can share the wireless network by contact GSD and requesting that they add the "LDS Access" profile to the existing Cisco Access Points. This will allow you to use any wireless client and connect with a WPA pre-shared key (provided by GSD).
• You can of course connect via hard-wire or other options as well.
• There is no need for the Odyssey client after the "LDS Access" profile is added to the existing access points.

Last night I discussed this with my stake president and he authorized me to request the LDS Access profile for our Stake Center, which has an existing CCN, with WAPs installed under the direction of the FM Group. The stake president also set policy for who would have access to the WPA key.

So last night after presidency meeting I called the GSD, thinking this would be a quick call for service under policy. The first-level support person had no clue what LDS Access was, or even that the GSD had the ability to push profiles to WAPs. But at least he figured out quickly that he didn't know, and forwarded me to a second-level support person.

The second-level person certainly knew about the technical side, but he had a different view of the policy. He said that the GSD doesn't usually push the LDS Access profile to existing CCNs because of security concerns. He asked me why we wanted the access. I explained that my stake president had determined that it would be helpful for clerks to have access to LUWS, Missionary Recommendation System, lds.org, and other sites that would help clerks fulfill their callings to support the leadership.

He still seemed reluctant to grant access. I explained that I certainly did not want to request something our stake should not have, but that through my participation in the LDS Tech Forum I had heard from a couple of Church employees that this was an appropriate request. He seemed skeptical of that source (my apologies to tsheffield and rmarchant ). But he did eventually say he would grant access, although it was more along the lines of "Well, I guess I'll make an exception just this once and give you access, since you asked so nicely," rather than "I'm happy to grant your appropriate request under Church policy."

So there seems to be some disconnect between the statements posted on this forum and what at least one person at the GSD thinks is policy. It would be nice to resolve that conflict.

I also was so distracted by the way the conversation went that I neglected to specify whether we wanted LDS Restricted Access or LDS Extended Access. I haven't been back to the stake center to try it out or to see which option we have. I would have thought that he would ask, but he didn't. It will be interesting to see what we got....

When I referred to the asking GSD to push out the new LDS Access profile I was talking about locations that have the church installed wireless Cisco AP’s. Sorry for not making that more clear. The WPA key will be given to the STS when this profile is pushed out (you might need to ask for it…) If it needs to be changed, for the time being, that will require another call to GSD. We hope to change this in the future.

The second-level GSD support person denied this statement. He said that there is absolutely no way to change the WPA key at this point. It would be nice to resolve that disagreement as well....

[SheffieldTR]

But he did eventually say he would grant access, although it was more along the lines of "Well, I guess I'll make an exception just this once and give you access, since you asked so nicely," rather than "I'm happy to grant your appropriate request under Church policy."

So there seems to be some disconnect between the statements posted on this forum and what at least one person at the GSD thinks is policy. It would be nice to resolve that conflict.....

Thank you for bringing this up. I will make a call this morning and get this fixed.

I also was so distracted by the way the conversation went that I neglected to specify whether we wanted LDS Restricted Access or LDS Extended Access. I haven't been back to the stake center to try it out or to see which option we have. I would have thought that he would ask, but he didn't. It will be interesting to see what we got.....

This is probably my fault for not explaining. Currently, CCN connections do not have the options as do new Meetinghouse Internet locations. Current locations only have one filtering level, which would explain why GSD did not ask you which one you wanted.

The second-level GSD support person denied this statement. He said that there is absolutely no way to change the WPA key at this point. It would be nice to resolve that disagreement as well....

Again, my fault! Currently there is no way to change the WPA. We are working on providing that soon. But you should still be able to receive it and use it in your stake center.
These are all great points and we appreciate your bringing them up so that we can get them fixed.
Thanks,
Troy

[aebrown]

Currently, CCN connections do not have the options as do new Meetinghouse Internet locations. Current locations only have one filtering level, which would explain why GSD did not ask you which one you wanted.

So for our configuration, we will have the exact same filtering for administrative computers that are connecting via the Odyssey client, personal laptops used by clerks to connect wirelessly using the WPA key, and computers in the FHC connected by wire. That makes sense, given the hardware that is installed.

Currently there is no way to change the WPA. We are working on providing that soon. But you should still be able to receive it and use it in your stake center.

I have indeed received the WPA key and I will verify in the next day or two that it works properly.

Thanks, Troy, for taking the time to respond so promptly and clarify my points of confusion.

[pmblood-p40]

No hardware/software package ... just a configuration update. "LDS Access" is just a few lines of configuration that creates a new SSID and WPA-PSK security settings that can be added to an existing Church Managed wireless network. In years past, church headquarters has cordinated the installation of wireless networks at some church facilities. The initially deployed configuration required the use of a 3rd party wirelss client (Odyssey client). The "LDS Access" configuration updates makes it possible to connect clerk computers to the existing wireless infrastructure without the 3rd party client.

Meetinghouse Internet Access has just been authorized for our stake and we may provide wireless access for some of the computers on the network behind the firewall. When we call the GSD to activate the Firewall, do we need to request “LDS access profile” that is mentioned in some of the forums.

[aebrown]

Meetinghouse Internet Access has just been authorized for our stake and we may provide wireless access for some of the computers on the network behind the firewall. When we call the GSD to activate the Firewall, do we need to request “LDS access profile” that is mentioned in some of the forums.

This thread is concerned with buildings that have existing CCNs (typically these are the Internet connection for Family History Centers). But it sounds like you are talking about the Meetinghouse Internet program which allows for a new Internet connection in a building which previously did not have one.

If I understand your situation correctly, you will be less confused if you focus on the thread that deals with the program for new Internet connections. That thread will help you understand your options for the security profile for your new Internet connection.

I would also recommend the Introduction to Meetinghouse Internet article at http://clerk.lds.org