Wireless distribution behind Church Managed Firewall

Discussions about Internet service providers (ISPs), the Meetinghouse Firewall, wired and wireless networking, usage, management, and support of Meetinghouse Internet
G. Garcia-p40
New Member
Posts: 3
Joined: Tue Mar 18, 2008 3:32 pm
Location: New Mexico

Wireless

#41

Post by G. Garcia-p40 »

My wireless gizmo from Dell says 1450 Wireless USB adapter Cisco Certified A,B,G
wadeburt
New Member
Posts: 35
Joined: Thu Nov 29, 2007 3:12 pm
Location: Gallatin Tennessee USA

Wireless Distribution behind Church Firewall

#42

Post by wadeburt »

After further investigation and review, we intend to remove the existing wireless in the Stake Center and go to a pure hard wired solution behind the PIX. It's great to be able to offer Internet access to the Stake Presidency, High Council, etc, but way too much maintenance and controversy. Putting the Odyssey client on computers for these individuals requires too much support once they leave our facility.
Wade E. Burt
Gallatin Ward High Priest Group Leader
SheffieldTR
Community Moderators
Posts: 145
Joined: Wed Apr 04, 2007 12:44 pm
Location: Utah, USA

#43

Post by SheffieldTR »

wadeburt wrote:After further investigation and review, we intend to remove the existing wireless in the Stake Center and go to a pure hard wired solution behind the PIX. It's great to be able to offer Internet access to the Stake Presidency, High Council, etc, but way too much maintenance and controversy. Putting the Odyssey client on computers for these individuals requires too much support once they leave our facility.
Stake sponsored wireless does not require Odyssey. You can provide wireless to the stake president, bishops, high council, etc without it. Just use a WPA or WPA2 key code. ;)

Troy
MarchantRR
Community Moderators
Posts: 25
Joined: Tue Jan 30, 2007 12:42 pm

#44

Post by MarchantRR »

wadeburt wrote:After further investigation and review, we intend to remove the existing wireless in the Stake Center and go to a pure hard wired solution behind the PIX. It's great to be able to offer Internet access to the Stake Presidency, High Council, etc, but way too much maintenance and controversy. Putting the Odyssey client on computers for these individuals requires too much support once they leave our facility.

I'm trying to understand the situation in your stake, so I can offer useful advice. There are a few possible scenarios:


First, a facility that the church has previously installed broadband Internet to support an official Family History Center, Facilities Management Office, Employment Resource Center, etc. As others have indicated, this installation was initiated and coordinated by the church through the facilities manager. In all cases, a church managed firewall was installed, and frequently a wireless network was also installed (Cisco AP's).
  • Clerk PC's are now authorized to share previously installed CCN connections.
  • You can share the wireless network by contacting GSD and requesting that they add the "LDS Access" profile to the existing Cisco Access Points. This will allow you to use any wireless client and connect with a WPA pre-shared key (provided by GSD).
  • You can of course connect via hard-wire or other options as well.
  • There is no need for the Odyssey client after the "LDS Access" profile is added to the existing access points.


Second, church headquarters did not install broadband at your facility, but your stake president recently received a notice from the Presiding Bishopric authorizing them to install broadband.
  • This is the scenario of the controlled Meetinghouse Internet release that started a few weeks ago.
  • Locally installed and supported wireless with WPA or WPA2 security is acceptable.
  • There is no need for the Odyssey client.
  • Again, hard-wire and other connectivity options are also acceptable.


Third, church headquarters did not install broadband at your facility and your stake president did not recently receive a notice from the Presiding Bishopric authorizing connection.
  • Broadband connections at this facility are "out of policy" and should really not be used.
  • Your stake should wait until receiving the notice from the Presiding Bishopric before connecting to a broadband internet connection.
Mikerowaved
Community Moderators
Posts: 4397
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#45

Post by Mikerowaved »

It seems the Church is taking the proper steps to secure a wireless connection, but what about the wired ones? Obviously, most wall jacks will be in controlled spaces (offices that are locked when not in use), but what about drops to open areas, like Cultural Halls and Chapels to facilitate broadband access for special conferences, or are these open area jacks being discouraged? I guess I'm just curious if the Church has any provision in place for securing wired connections (besides physically disabling them in a wiring closet when not in use).
So we can better help you, please edit your Profile to include your general location.
SheffieldTR
Community Moderators
Posts: 145
Joined: Wed Apr 04, 2007 12:44 pm
Location: Utah, USA

#46

Post by SheffieldTR »

The Physical Facility department has a cover that can be installed over the network jack in open or unsecured areas. It is not real secure in that it can be removed with the correct screwdriver, but it is a step in the right direction.

As you mentioned there is the ability to go to a patch panel in the wiring closet and unplug those open jacks but that is not really preferred. I am not aware of any other attempts to lock those jacks down. I will ask that question and see where we can go with it.

Thanks,
Troy
The_Earl
Member
Posts: 278
Joined: Wed Mar 21, 2007 9:12 am

#47

Post by The_Earl »

tsheffield wrote:The Physical Facility department has a cover that can be installed over the network jack in open or unsecured areas. It is not real secure in that it can be removed with the correct screwdriver, but it is a step in the right direction.

As you mentioned there is the ability to go to a patch panel in the wiring closet and unplug those open jacks but that is not really preferred. I am not aware of any other attempts to lock those jacks down. I will ask that question and see where we can go with it.

Thanks,
Troy
Something like RADIUS could take care of both. I know that Linksys wireless routers with upgradeable firmware will do RADIUS authentication, but I believe they have to talk to a separate RADIUS server since the box isn't powerful enough to run it.

I don't know if there is some SOHO / Commercial gear that will do routing, RADIUS and wireless all in the same box, but that would be real cool.

The Earl
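
An added illustration of the RADIUS approach mentioned in the post above (not part of the thread and not any participant's configuration): a hostapd-style access point configuration, as used by some upgradeable router firmware, showing a single shared WPA2 key beside per-user 802.1X authentication against a separate RADIUS server. The interface name, SSID, addresses (documentation range 192.0.2.0/24) and secrets are placeholder assumptions.

```ini
# --- Option A: one pre-shared key for everyone (WPA2-PSK) ---
# Anyone who learns the passphrase can join; revoking one person
# means changing the key on every client.
#
# interface=wlan0
# driver=nl80211
# ssid=EXAMPLE-SSID
# wpa=2
# wpa_key_mgmt=WPA-PSK
# rsn_pairwise=CCMP
# wpa_passphrase=PLACEHOLDER-PASSPHRASE

# --- Option B: per-user login via an external RADIUS server (WPA2-Enterprise) ---
interface=wlan0
driver=nl80211
ssid=EXAMPLE-SSID

# WPA2 only, AES-CCMP, keys derived from the 802.1X/EAP exchange
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1

# Identity this access point presents to the RADIUS server (placeholders)
own_ip_addr=192.0.2.10
nas_identifier=example-ap-1

# Separate RADIUS server that holds the user accounts (placeholders).
# The access point only relays EAP; it never stores user credentials.
auth_server_addr=192.0.2.20
auth_server_port=1812
auth_server_shared_secret=PLACEHOLDER-RADIUS-SECRET

# Force clients to re-authenticate periodically (seconds), so a
# disabled account loses access without touching the access point.
eap_reauth_period=3600
```

Wired jacks are covered the same way only where the switch itself supports 802.1X port authentication and is pointed at the same RADIUS server.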
russellhltn
Community Administrator
Posts: 31291
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#48

Post by russellhltn »

Mikerowaved wrote:It seems the Church is taking the proper steps to secure a wireless connection, but what about the wired ones?
Can we define "secured"? ALL Internet traffic is to pass through the church supplied firewall, so access to inappropriate sites is blocked. Depending on how filtering is set, it may also limit them to LDS only sites (if the entire building is limited).

If a jack is filtered to LDS only access, then I'm not real concerned who plugs into it.

What I'd like to see is some way to lock things to LDS only but allow broader access via a login. That would give broader access to those who need it. Also I'd like to see a way to limit "LDS only" in a building that shares its access with a FHC (which needs normal access).
Mikerowaved
Community Moderators
Posts: 4397
Joined: Sun Dec 23, 2007 12:56 am
Location: Layton, UT

#49

Post by Mikerowaved »

RussellHltn wrote:Can we define "secured"? ALL Internet traffic is to pass through the church supplied firewall, so access to inappropriate sites is blocked.
From a business IT standpoint, I guess I'm more concerned with the potential of hacking and less with what people can access on the Internet. Physical access to an unsecured wired network gives potential access to other computers on the same network.
RussellHltn wrote:If a jack is filtered to LDS only access, then I'm not real concerned who plugs into it.
To be a bit argumentative, then why bother to go to the lengths they do to secure the wireless portion?
So we can better help you, please edit your Profile to include your general location.
russellhltn
Community Administrator
Posts: 31291
Joined: Sat Jan 20, 2007 2:53 pm
Location: U.S.

#50

Post by russellhltn »

Mikerowaved wrote:Physical access to an unsecured wired network gives potential access to other computers on the same network.
True, but I think it would be hard to exploit. Computers in the FHC acting as servers would be the only easy target. Admin computers have software firewalls installed. I'm not sure how much anyone can gain by sniffing.

Mikerowaved wrote:why bother to go to the lengths they do to secure the wireless portion?
Fair question. At this point, the reason to secure the wireless is because it's church policy. But who can access it is a Stake President level policy. So an apparent inconsistency is quite possible.

Now that said, keep in mind that wired connections still carry a type of physical security. One has to be in the building and near the jack to get anything. That provides the opportunity to spot something that "doesn't belong" and limit the hours of access. On the other hand, wireless knows no boundaries. Someone could attempt to access it from outside the building, even outside the property. The bigger the antenna the hacker has, the further away he can attack from.

My own personal feeling is that if the connection is limited to LDS only sites, then there is minimal potential for harm, and the good of allowing anyone access outweighs the bad. That's why I'm not too concerned about "unsecured" wired connections.

But if I really wanted to be safe, I'd buy a cheap home router and put it between all the unsecured wired connections and the rest of the network. If the home router has its own DHCP set for the same subnet as the main system, then anyone plugging in can't access anything but the Internet connection through the firewall.