wireless access policy for meeting house ?

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
jdlessley
Community Moderators
Posts: 8721
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#11

Post by jdlessley »

RussellHltn wrote:For those of you who have published your policy, can you also tell us what access has been set up? I wouldn't mind giving everyone access if the available sites were restricted to LDS only. That way every quorum and auxiliary has access to the ward and stake websites during their meetings.

We are just piggybacking on the LDS Extended Access from the FHC CCN. And by the way - LDS Extended Access does not prevent access from known pornography sites. I just finished investigating an incident where an individual used a FHC computer to browse 62 known pornography sites over a 181 minute period.

The only building permitted to use the available wireless access is the stake center which hosts 3 resident wards. Two other ward buildings have CCN but are currently not allowed general access.
Mikerowaved wrote:Don't put too much faith in MAC address filtering as it's not very difficult to circumvent.

It is better than doing nothing. A large percentage of the people in our stake boundaries who would gain access in the first place would not have the expertise to circumvent it. Just as locking your car will not keep out a determined thief - but it will discourage the casual thief.

Alan_Brown wrote:The term "ecclesiastic" seems a bit unusual -- it could be restricted to administration by leaders, but I think you simply mean "Church work."
...stake president's choice of words. But I am sure he was thinking of anything that would further the work of the Lord - quite broad. I think he is thinking about placing bounds that would restrict casual use but not limit necessary work to accomplish faith promoting use of technology - just as you mentioned.

Alan_Brown wrote: I think it will start slowly, but as people catch the vision of the resources available online, it will accelerate.

The use of technology is quite limited in our stake. I don't know the reason for this. But the stake president does not want to unnecessarily restrict a resource that could further faith promoting work. If past experience is an indicator, only a handful of people will want to take advantage of the availability of the wireless access. Only 23.5% of our stake membership is registered to use the LUWS. Of those, only 89% keep their e-mail address up to date. This is even after several concerted efforts to inform the membership of what is available. I don't think we will be overwhelmed by requests for access.

The stake president is not so concerned about the general membership in following guidance that is known (published).
russellhltn
Community Administrator
Posts: 31328
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#12

Post by russellhltn »

jdlessley wrote:And by the way - LDS Extended Access does not prevent access from known pornography sites. I just finished investigating an incident where an individual used a FHC computer to browse 62 known pornography sites over a 181 minute period.
Ouch. I believe it's supposed to prevent that. However, I'm not sure just how it's prevented. If it's just a DNS lookup, then there are ways it can be circumvented. And black lists can fall out of date. I'm not too surprised that someone was able to get around it, but 62 different sites? Ouch.
jdlessley
Community Moderators
Posts: 8721
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#13

Post by jdlessley »

RussellHltn wrote:Ouch. I believe it's supposed to prevent that. However, I'm not sure just how it's prevented. If it's just a DNS lookup, then there are ways it can be circumvented. And black lists can fall out of date. I'm not too surprised that someone was able to get around it, but 62 different sites? Ouch.

Tell me about it - I was just as surprised as you are. I only wish I had more information about what LDS Extended Access really does and doesn't allow.
LakeyTW
Member
Posts: 86
Joined: Fri Jan 19, 2007 3:29 pm
Location: Salt Lake City, UT

#14

Post by LakeyTW »

I would like to understand which sites were not blocked. Please send me contact information via private message so that we can look into this.
russellhltn
Community Administrator
Posts: 31328
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#15

Post by russellhltn »

lakeytw wrote:I would like to understand which sites were not blocked. Please send me contact information via private message so that we can look into this.
Along with that, you might want to verify the setup of this machine. Is it getting the DNS from the DHCP, which I would hope would be the church firewall? Or did someone point it to OpenDNS? If this machine has a wireless card, was it turned on and perhaps using a neighbor's connection? Is it possible this person simply changed the cabling to connect directly to the modem? (Easy enough to do unless the firewall and switch are in a secured closet.)

There are many possibilities that have nothing to do with what's on the blacklist.
jdlessley
Community Moderators
Posts: 8721
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#16

Post by jdlessley »

jdlessley wrote:And by the way - LDS Extended Access does not prevent access from known pornography sites. I just finished investigating an incident where an individual used a FHC computer to browse 62 known pornography sites over a 181 minute period.

To clear things up - If the Cisco PIX 501 security appliance is working correctly it will block inappropriate sites. After working with OTSS technicians we determined that power grid interruptions in the area cause momentary power loss, a second or less, which in turn cause faulty operation of the PIX. There is a program in the PIX called websense that provides the filtering. It can be knocked offline and the default for the PIX is to allow internet access rather than blocking internet access when websense is off line.

We are installing an uninterruptible power supply for the DSL modem and the PIX. We are counting on this correcting the problem with websense being knocked off line.

As a side piece of information I had not known before - the first test to run to see if websense (internet filtering) is working is to try to access www.gambling.com. It is an inappropriate but innocuous site to try to access. You should get a page that has a wide orange "Filtered Content" title bar and the explanation "Access to the website you requested is filtered by Church policy."
jdlessley
Community Moderators
Posts: 8721
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#17

Post by jdlessley »

Another bit of information I got while talking to the OTSS technicians is about SSIDs on the Church-provided Cisco Aironet 1200 series WAPs. While Russellja said:
russellja wrote:You will be able to choose an SSID and WPA key for your site. Keep in mind this is only for sites with church-supported Cisco Aironet access points. These may be in sites that have a FHC or FM office.

Joe Russell
OTSS
They have reconsidered allowing units to choose an SSID. They are going to keep the SSID, LDSAccess, standardized but allow unique WPA keys.
lajackson
Community Moderators
Posts: 10359
Joined: Mon Mar 17, 2008 10:27 pm
Location: US

#18

Post by lajackson »

jdlessley wrote:To clear things up - If the Cisco PIX 501 security appliance is working correctly it will block inappropriate sites. After working with OTSS technicians we determined that power grid interruptions in the area cause momentary power loss, a second or less, which in turn cause faulty operation of the PIX. There is a program in the PIX called websense that provides the filtering. It can be knocked offline and the default for the PIX is to allow internet access rather than blocking internet access when websense is off line.
Well, this is a concern. I would not want to have folks trying to access inappropriate sites just to find out that websense on the PIX is not working. Is there a better way to know when websense gets knocked out?

Or is a reboot of the PIX after a thunderstorm a better way to go?
jdlessley
Community Moderators
Posts: 8721
Joined: Mon Mar 17, 2008 12:30 am
Location: USA, TX

#19

Post by jdlessley »

I would agree that testing the PIX by trying to access a gambling site may not be the best way to go but with no other test method available it is better than trying to access a pornographic site. We are hoping the UPS will keep things on line and that the tests will always render a blocked access message.
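
The manual check from post #16 (request www.gambling.com and look for the "Filtered Content" page) can be scheduled, so that a filter that has failed open is noticed without anyone browsing by hand. This is an added example, not part of the original posts and not Church or Cisco tooling; it assumes the block page carries the quoted wording as text in the response body, and the two sample pages are constructed.

```python
"""Canary check for a fail-open web filter (added example, not from the thread)."""
import sys
import urllib.error
import urllib.request

# Test site and block-page wording as quoted in post #16.
CANARY_URL = "http://www.gambling.com/"
BLOCK_MARKERS = ("Filtered Content", "filtered by Church policy")

# Constructed sample pages (assumed markup; only the quoted wording is from the thread).
SAMPLE_BLOCK_PAGE = ("<html><head><title>Filtered Content</title></head><body>"
                     "<p>Access to the website you requested is\n filtered by Church policy.</p></body></html>")
SAMPLE_OPEN_PAGE = "<html><head><title>Constructed casino page</title></head><body>Play</body></html>"


def fetch(url, timeout=10):
    """Return the body as text; a block page served with 403 etc. is still read."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.read(65536).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read(65536).decode("utf-8", "replace")


def classify(body):
    """FILTERED only if every marker is present, so a doubtful page raises the alarm."""
    text = " ".join(body.split()).lower()  # collapse whitespace, ignore case
    if all(m.lower() in text for m in BLOCK_MARKERS):
        return "FILTERED"
    return "FAIL_OPEN"


def check_filter(fetcher=fetch, url=CANARY_URL):
    """One check. UNKNOWN means the link itself is down, which proves nothing."""
    try:
        return classify(fetcher(url))
    except OSError:  # URLError, timeouts and socket errors derive from OSError
        return "UNKNOWN"


if __name__ == "__main__":
    state = check_filter()
    print(state)
    sys.exit({"FILTERED": 0, "FAIL_OPEN": 1, "UNKNOWN": 2}[state])
```

Run it on a schedule from a machine behind the firewall; a non-zero exit status is the condition to alert on.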
russellhltn
Community Administrator
Posts: 31328
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#20

Post by russellhltn »

lajackson wrote:Or is a reboot of the PIX after a thunderstorm a better way to go?
You could set up a timer to reboot every day at 3AM. :) (But please use an electronic timer that can give clean on/off cycles. Mechanical ones could be "dirty" as far as power.)

I think the UPS will help. At least that should only allow "controlled" outages and not brief "blips" that can mess things up.

However, having said that - my mom's router is on a UPS and after a power outage it lost its mind. We had to reload it from a backup file. So never say never.