Wireless distribution behind Church Managed Firewall

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
russellhltn
Community Administrator
Posts: 34475
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#21

Post by russellhltn »

rutzjw wrote: the old adage applies "If it's on the air it can be seen or heard".
I'll add to that that when it comes to encryption, "What's secure today may not be secure tomorrow." We've seen that with WEP.
rutzjw wrote: If we are already working in the walls/attics, cable pulls are best.
Less to go wrong. And no complaints about dropped links when the microwave in the kitchen is fired up. :)

The one disadvantage of wired is flexibility. The ability to use broadband in the classroom or in meetings for various things. I think it would be nice to show the LUWS calendar in a meeting. Members would bring their own laptops, but they need a connection.
MarchantRR
Community Moderators
Posts: 25
Joined: Tue Jan 30, 2007 12:42 pm

#22

Post by MarchantRR »

I personally agree with rutzjw. Wireless is frequently not the best solution, and I think it's appropriate for the FM Manager to suggest other options if he feels like wireless is not the way to go.

That said, I'm comfortable with the local support model ... I think it's the only approach that will scale to the individual meetinghouse level at an acceptable cost. I'd rather the Stake President, Stake Technology Specialist, and FM group collaborate and make the wired vs. wireless decision based on their local needs.

Certainly, there is some benefit in consistent configuration. However, there is also a support cost associated with that consistency ... if the church requires a standard design ... that requirement also implies support of that design. It may be that some high-level guidelines, (1) requirement of a church managed firewall and (2) if wireless is used, industry standard security (WPA or WPA2), are all that is required.

The local support model has its own downside ... as RussellHltn suggests there will be times when a new STS is left with a difficult to support solution ... and it may take the STS extra time to work through problems ... because the design was not consistent or documented. However, having the STS spend extra time may be preferable to having the Church spend money for GSD to support a standard design. So ... in answer to RussellHltn's question ... GSD's response when an STS or anyone calls them requesting support with workstation connectivity issues should be to direct them to the STS and perhaps the overall LDS Tech community (we can help each other).

In short, local support means that GSD does not support workstation connectivity issues for clerk computers. It's this local support model that makes it possible to allow clerk PCs to connect to the Internet.
rknelson
Member
Posts: 124
Joined: Tue May 01, 2007 3:13 pm
Location: Oregon

Wired vs. Wireless

#23

Post by rknelson »

RussellHltn wrote: The one disadvantage of wired is flexibility. The ability to use broadband in the classroom or in meetings for various things. I think it would be nice to show the LUWS calendar in a meeting. Members would bring their own laptops, but they need a connection.
A quick cheap fix for the occasional broadband in a classroom is a long cable from the nearest jack.

One other point: it's probably only a matter of time until we all have VOIP phones in buildings, and while there are wireless answers for that, I personally prefer the simplicity and reliability of wires. Cat5e cable is cheap and we have found that the materials for wiring an entire stake center run only about $200. (Yes, I know that labor is significant.)
russellhltn
Community Administrator
Posts: 34475
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#24

Post by russellhltn »

I'd like a clearer understanding of any policy covering who may connect to the Internet and what purposes. Obviously FHCs and Clerk computers are allowed. What about FHC patrons, and members who bring their own laptop? These are policy issues outside of the support issue. It also has an effect on the way I'd choose to implement it.
MarchantRR
Community Moderators
Posts: 25
Joined: Tue Jan 30, 2007 12:42 pm

#25

Post by MarchantRR »

RussellHltn wrote:I'd like a clearer understanding of any policy covering who may connect to the Internet and what purposes. Obviously FHCs and Clerk computers are allowed. What about FHC patrons, and members who bring their own laptop? These are policy issues outside of the support issue. It also has an effect on the way I'd choose to implement it.

The general answer to the policy question is that a Stake President will be responsible for determining the appropriate use of the Internet for buildings within his stake. However, I agree with the need for clarifying policy issues. We plan on creating a sticky Frequently Asked Questions (FAQ) thread in this Meetinghouse Internet forum that can be used for addressing common questions.
wadeburt
New Member
Posts: 35
Joined: Thu Nov 29, 2007 3:12 pm
Location: Gallatin Tennessee USA

Wireless behind CCN Firewall

#26

Post by wadeburt »

I looked for a simple way to manage addition/deletion of users as the Stake President authorizes them.

In order to accommodate, I installed either Linksys or Cisco WAPs and make them completely unavailable to everyone. I then whitelist the MAC address of the computers allowed to connect. Then I refer anyone wanting access to the Stake President.

The Stake President emails me with the MAC address of the computer allowed, plus the name and calling of the person. As the person moves out of that calling, I remove their access.

This is much preferred to using WEP or WPA keys, because I control specifically who gains access. Just to make it completely safe, I revert the WAPs every 6 months and start over.
Wade E. Burt
Gallatin Ward High Priest Group Leader
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

MAC Filters are not secure

#27

Post by The_Earl »

wadeburt wrote: <snip>
The Stake President emails me with the MAC address of the computer allowed, plus the name and calling of the person. As the person moves out of that calling, I remove their access.

This is much preferred to using WEP or WPA keys, because I control specifically who gains access. Just to make it completely safe, I revert the WAPs every 6 months and start over.
MAC addresses can be faked.

I would make sure to use WPA in addition to MAC filtering, so that even if I can figure out your MAC (sent cleartext), I can't connect to your network b/c I don't have the WPA key.

USE BOTH, NOT EITHER!

If you really want security, you probably need RADIUS, but you said simple right?

The Earl
MarchantRR
Community Moderators
Posts: 25
Joined: Tue Jan 30, 2007 12:42 pm

Wireless Security Recommendation

#28

Post by MarchantRR »

As previously indicated, MAC filtering alone does not provide great security. It does provide an additional way of limiting access to the wireless network but provides no encryption of the wireless data transmission. I would suggest the following implementation:
  1. WPA or WPA2 with pre-shared key
  2. Use a 14 character pre-shared key that includes symbols and does not include dictionary words
    • Having a strong pre-shared key that is not susceptible to a brute force attack is important if you want to have a secure wireless implementation.
    • Here's a link to a website that will generate a secure pre-shared key for you.
  3. If desired, use MAC filtering to provide an additional method of limiting access
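
Added example (not part of the original post, and not the website the post links to): a local generator and checker for a pre-shared key that follows the recommendation above, 14 characters, at least one symbol, no dictionary words. The symbol set, the sample word list and all function names are assumptions made for this illustration.

```python
import math
import secrets
import string

# WPA/WPA2 passphrases are 8-63 printable ASCII characters.
SYMBOLS = "!#$%&()*+-./:;<=>?@[]^_{|}~"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Constructed sample word list; load a real dictionary file in practice.
SAMPLE_WORDS = {"church", "stake", "ward", "clerk", "password", "wireless"}


def policy_problems(psk, min_len=14, words=SAMPLE_WORDS):
    """Return the reasons a key fails the recommendation (empty list = OK)."""
    problems = []
    if not 8 <= len(psk) <= 63 or any(not 32 <= ord(c) <= 126 for c in psk):
        problems.append("not a valid WPA passphrase (8-63 printable ASCII)")
    if len(psk) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c in SYMBOLS for c in psk):
        problems.append("no symbol")
    hits = sorted(w for w in words if w in psk.lower())
    if hits:
        problems.append("contains dictionary word(s): " + ", ".join(hits))
    return problems


def generate_psk(length=14):
    """Draw characters from the OS CSPRNG until the policy is met."""
    if not 8 <= length <= 63:
        raise ValueError("WPA passphrase length must be 8-63")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not policy_problems(psk, min_len=length):
            return psk


def entropy_bits(length=14, alphabet_size=len(ALPHABET)):
    """Upper bound on entropy for uniformly random characters."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_psk(), f"(about {entropy_bits():.0f} bits)")
    print(policy_problems("StakeCenter2008"))  # constructed weak example
```

Generating the key locally keeps it from ever passing through a third-party website; the same checker can be run against an existing key before it is deployed to the access points.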
jasonhyer
Member
Posts: 241
Joined: Fri Oct 19, 2007 11:15 am
Location: Roy, UT

Wireless is nice but...

#29

Post by jasonhyer »

We had a very cooperative FM group that told us they would do whatever we wanted. Best solution for us was to have them wire the building. We ran cable to the HC room, SP office, and all the clerks' offices. After we changed Stake Presidents, my new Stake President wanted wireless. So we put wireless in the stake offices and it does work well, but with our old cinderblock walls in the building, the wireless signal really doesn't go far. I get no signal in the chapel and only a very weak signal in the cultural hall.

If the FM group is willing to wire the building, go that route and then add a wireless access point in a specific area if needed.
Mikerowaved
Community Moderators
Posts: 4739
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#30

Post by Mikerowaved »

jasonhyer wrote: ...but with our old cinderblock walls in the building, the wireless signal really doesn't go far. I get no signal in the chapel and only a very weak signal in the cultural hall.
Just curious, did they install 802.11g gear or did they opt for 802.11n?
So we can better help you, please edit your Profile to include your general location.